Evilnum is a sophisticated APT group, active since 2018. However, its tools and techniques were discovered two years after it first started operating. Zscaler experts monitored the threat actor’s activities and observed that the gang is now stronger with an upgraded arsenal.

Diving into details

  • The group is setting its sights primarily on organizations in the financial services sector in Europe, including the U.K.
  • In March, the group started targeting an international organization involved with international migration.
  • The campaign uses macro-laden documents with varying filenames that contain the term ‘compliance’. At least nine such documents have been identified.
  • The attachment uses VBA code stomping and template injection to evade detection by security solutions.
  • In each instance, Evilnum registered several domain names using keywords connected to the targeted industry vertical.

The backdoor

The backdoor loaded on the infected systems is capable of performing the following tasks:
  • Decrypting backdoor configurations
  • Resolving API addresses from libraries retrieved from the configuration
  • Conducting a mutex check
  • Creating a data exfiltration string to send as part of the beacon request
  • Encoding and encrypting the string with Base64
  • Embedding this string inside the cookie header field

Once the above tasks are completed, the backdoor chooses a C&C domain and a route string and sends out a beacon request. The C&C may even respond with a fresh encrypted payload. Furthermore, the backdoor can take screenshots and send them to the C&C server via POST requests, so the exfiltrated data also travels in encrypted form.
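Since the beacon carries its exfiltration string Base64-wrapped inside the Cookie header, one defensive check is to flag outbound requests whose cookie values look like encoded ciphertext. The following is an added illustration, not code from the Zscaler or Cyware write-up: the log format, the thresholds and the sample log lines are all assumed or constructed here, and the heuristic will also trip on legitimate long opaque cookies, so treat hits as triage candidates.

```python
import base64
import binascii
import hashlib
import math
import re
from collections import Counter
# Heuristic thresholds (assumed values, not from the report); tune per environment.
MIN_LEN = 64        # short cookie values are rarely an exfil payload
MIN_ENTROPY = 4.0   # bits/char; base64 of ciphertext sits near 5.5
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Assumed log format: <ts> <src_ip> <method> <host/path> "Cookie: <header value>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "Cookie: (.*)"$')

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_cookies(cookie_header: str) -> list:
    """Names of cookies whose value looks like base64-wrapped ciphertext."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if len(value) < MIN_LEN or not B64_RE.match(value):
            continue
        try:
            base64.b64decode(value, validate=True)   # must be real base64
        except binascii.Error:
            continue
        if shannon_entropy(value) >= MIN_ENTROPY:    # drops low-entropy filler
            hits.append(name)
    return hits

def scan_logs(lines) -> list:
    """Return (src_ip, target, cookie_name) for every flagged request."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            _ts, src, _method, target, cookies = m.groups()
            flagged += [(src, target, n) for n in suspicious_cookies(cookies)]
    return flagged

# Constructed sample: 96 pseudo-random bytes stand in for the encrypted exfil string.
FAKE_BEACON = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))).decode()
SAMPLE_LOGS = [  # constructed proxy log lines; hosts are placeholders
    '2022-06-01T10:00:01Z 10.1.2.3 GET bank.example/login "Cookie: session=abc123; lang=en"',
    '2022-06-01T10:00:05Z 10.1.2.3 GET cdn.example/pixel "Cookie: uid=' + "a" * 80 + '"',
    '2022-06-01T10:00:07Z 10.1.2.3 GET compliance-portal.example/status "Cookie: id=' + FAKE_BEACON + '"',
]
```

Running `scan_logs(SAMPLE_LOGS)` flags only the third line: the short session cookie fails the length check and the long but repetitive `uid` value fails the entropy check.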

The bottom line

Evilnum is an active threat, and defenders are advised to use the IOCs provided in the Zscaler report. While the origins of this threat actor are still unknown, its victimology points to a state-backed interest in cyberespionage campaigns.
Cyware Publisher