The threat group tracked as Evilnum has been observed using modified tactics and tools in recent attacks, the Nocturnus research team at Cybereason reported last week.
Evilnum, first reported in 2018, appears to have been active for almost a decade, offering ‘mercenary’ hack-for-hire services, a new Kaspersky report revealed.
In addition, the attackers introduced a scheduled task for persistence, moving away from the Run registry key they had used previously. The scheduled task downloads the next-stage payload, a modified version of “Java Web Start Launcher,” and runs it.
That next-stage payload is itself a downloader: it retrieves yet another downloader, which fetches the final payload and runs it directly in memory, persisted through a scheduled task called “Adobe Update Process.”
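A defender reading about this persistence shift will want to hunt for scheduled tasks whose names mimic vendor updaters but whose binaries run from user-writable locations. The following is an added example, not code from the Cybereason report: it inspects Task Scheduler XML exports (as produced by `schtasks /query /xml` or `Export-ScheduledTask`) and flags the patterns above; the two sample exports, the user name and the binary path are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace of Task Scheduler XML exports (schtasks /query /xml, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path pieces a standard user can write to (substring match, so %LOCALAPPDATA% counts too).
USER_WRITABLE = ("appdata", "temp", "tmp", "programdata", "downloads", "public")
# Words malware borrows for task names to blend in with genuine updaters.
VENDOR_WORDS = ("adobe", "java", "microsoft", "google", "update")
# Top-level directories where genuine vendor updaters normally live.
TRUSTED_ROOTS = ("program files", "program files (x86)", "windows")


def task_findings(task_xml: str) -> list:
    """Return reasons a scheduled-task XML export looks suspicious; empty list means clean."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    findings = []
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        findings.append(f"{name}: task is hidden from the Task Scheduler UI")
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        parts = [p.lower() for p in PureWindowsPath(cmd).parts]
        if any(w in p for p in parts for w in USER_WRITABLE):
            findings.append(f"{name}: action runs from user-writable path {cmd}")
        vendor_style = any(w in name.lower() for w in VENDOR_WORDS)
        if vendor_style and len(parts) > 1 and parts[1] not in TRUSTED_ROOTS:
            findings.append(f"{name}: vendor-style name but binary outside Program Files/Windows")
    return findings


# Constructed sample exports (placeholder user and binary). Real files start with a UTF-16
# XML declaration; when scanning them, read the file as bytes via ET.parse() instead.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Adobe Update Process</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\alice\AppData\Roaming\updater.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Adobe Acrobat Update Task</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>"C:\Program Files (x86)\Adobe\Updater\AdobeUpdater.exe"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, task_findings(xml_text) or "no findings")
```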
Dubbed PyVil RAT and written in Python, the delivered malware was designed to log keystrokes, execute cmd commands, take screenshots, download additional Python scripts to extend its functionality, drop and upload executables, open an SSH shell and gather system details (running antivirus software, connected USB devices, Chrome version).
The malware communicates with its command and control server (C&C) through RC4-encrypted HTTP POST requests.
Security researchers at Cybereason found that PyVil RAT retrieved a custom version of the LaZagne Project from the C&C, a tool the group had used before. The script was intended to dump passwords and collect cookie information.
The researchers also noted a shift in the attackers' infrastructure: while the hackers had used only IP addresses for C&C communications in previous attacks, over the past few weeks they moved to domains for the same operations, and they tend to rotate those domains at a rapid rate.
Over the past couple of years, Evilnum has consistently targeted European fintech companies, but its tactics, techniques and procedures (TTPs) have evolved to ensure the success of its attacks, and the recent changes are no surprise.