The threat group tracked as Evilnum has been observed using modified tactics and tools in recent attacks, the Nocturnus research team at Cybereason reported last week.
Evilnum, first documented in 2018, appears to have been active for almost a decade, providing ‘mercenary’ hack-for-hire services, a new Kaspersky report revealed.
On the tactical side, Evilnum has recently switched from delivering ZIP archives containing multiple LNK files (via spear-phishing) to including a single LNK in the archive, masquerading as a PDF, Cybereason reveals. Once executed, the shortcut writes a JavaScript file to disk, which replaces the LNK with the actual PDF.
In addition, the attackers introduced a scheduled task to ensure persistence, moving away from the Run registry key used previously. The scheduled task downloads the next-stage payload, a modified version of “Java Web Start Launcher,” and runs it.
This next-stage payload is itself a downloader: it retrieves another downloader, which fetches the final payload and runs it directly in memory, with persistence provided by a scheduled task named “Adobe Update Process.”
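The lure described above relies on a shortcut whose name reads as a PDF, since Windows Explorer hides the .lnk extension by default. As an added defender-side example (not code from Cybereason or from the article), the following script inspects an in-memory ZIP archive, counts shortcut entries by extension or by the ShellLinkHeader magic, and flags any whose displayed name ends in a document extension; the sample archive is constructed here, not a real attachment.

```python
import io
import zipfile

# ShellLinkHeader: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def analyze_archive(zip_bytes):
    """Report shortcut entries in a ZIP that pose as documents.

    An entry counts as a shortcut when it has the .lnk extension or starts with
    the ShellLinkHeader magic. It is flagged as masquerading when the name
    Explorer would show (the .lnk suffix is hidden by default) ends in a
    document extension, or when a document-named entry carries the LNK header.
    """
    report = {"lnk_count": 0, "masquerading": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_magic = head == LNK_MAGIC
            has_lnk_ext = lower.endswith(".lnk")
            if not (has_lnk_magic or has_lnk_ext):
                continue
            report["lnk_count"] += 1
            shown_name = lower[:-4] if has_lnk_ext else lower
            if shown_name.endswith(DOCUMENT_EXTENSIONS):
                report["masquerading"].append(name)
    return report


def build_sample_archive():
    """Constructed test archive (not a real sample): one disguised LNK,
    one LNK renamed to .pdf, one genuine PDF header and one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 64)  # shown as report.pdf
        zf.writestr("contract.pdf", LNK_MAGIC + b"\x00" * 64)    # LNK renamed to .pdf
        zf.writestr("invoice.pdf", b"%PDF-1.7\n%constructed\n")  # real PDF header
        zf.writestr("readme.txt", b"constructed plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_archive(build_sample_archive()))
```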
Dubbed PyVil RAT and written in Python, the malware distributed was designed to log keystrokes, execute cmd commands, take screenshots, download additional Python scripts to extend functionality, drop and upload executables, open an SSH shell and gather system details (running antivirus software, linked USB devices, Chrome version).
The malware communicates with its command and control server (C&C) through RC4-encrypted HTTP POST requests.
Security researchers at Cybereason found that PyVil RAT retrieved from the C&C a custom version of the LaZagne Project, a tool the group had employed previously. The script was intended to dump passwords and collect cookie information.
The researchers also observed a shift in the attackers’ infrastructure: while previous attacks used only IP addresses for C&C communications, over the past few weeks the group moved to using domains for the same purpose, and it tends to change domains at a rapid rate.
Over the past couple of years, Evilnum has consistently targeted European fintech companies, but its tactics, techniques and procedures (TTPs) have evolved to ensure the success of its attacks, so the recent changes come as no surprise.
“We have noticed a major shift in the group’s infection protocol in recent weeks, shifting away from the JavaScript backdoor capability, instead using it as a first-stage dropper for new down the line resources. Evilnum used modified versions of legitimate executables during the infection period, in an effort to stay stealthy and remain undetected by protection tools. […] This advancement in strategies and methods has made it possible for the group to remain under the radar and we expect to see more in the future as the arsenal of the Evilnum community continues to expand,” concluded the Nocturnus researchers.