Evilnum is a sophisticated APT group, active since 2018. However, its tools and techniques were only discovered two years after it began operating. Zscaler experts monitored the threat actor’s activities and observed that the group is now stronger, with an upgraded arsenal.
Diving into details
The group is setting its sights primarily on organizations in the financial services sector in Europe, including the U.K.
In March, the group started targeting an international organization involved with international migration.
The campaign uses macro-laden documents with varying filenames that contain the term ‘compliance’. At least nine such documents have been identified.
The attachment uses VBA code stomping and template injection to evade detection by security solutions.
In each instance, Evilnum registered several domain names using certain keywords connected to the industry vertical.
The backdoor
The backdoor loaded on infected systems is capable of performing the following tasks:
Decrypting backdoor configurations
Resolving API addresses from libraries retrieved from the configuration
Conducting mutex check
Creating data exfiltration string to send as a portion of the beacon request
Encrypting the string and encoding the result with Base64
Embedding this string inside the cookie header field
Once these tasks are completed, the backdoor chooses a C&C domain and a route string and sends out a beacon request. The C&C may respond with a fresh encrypted payload. The backdoor can also take screenshots and send them to the C&C server via POST requests, so the exfiltrated data leaves the host in encrypted form.
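Because the beacon carries its encrypted, Base64-encoded exfiltration string in the Cookie header, the traffic looks like an ordinary GET with a long opaque cookie. The scanner below is an added example for this page, not code from the Zscaler report; it runs over constructed proxy-style log lines (the format, hostnames and blob are all made up) and flags cookies whose value decodes from Base64 to a long, high-entropy, mostly non-printable byte string, which is what ciphertext looks like and what session IDs and serialized preferences usually do not.

```python
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

# Heuristic thresholds (tunable). Ciphertext decodes to many bytes, most of
# them outside printable ASCII, with entropy near the achievable maximum.
MIN_DECODED_LEN = 64
MIN_NONPRINTABLE_FRACTION = 0.3
MIN_NORMALISED_ENTROPY = 0.85

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")
# Constructed log format: the Cookie header is quoted at the end of the line.
COOKIE_HDR_RE = re.compile(r'"Cookie: ([^"]*)"')


def shannon_entropy(data):
    """Bits of entropy per byte, estimated from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_base64(value):
    """Strictly decode standard or URL-safe Base64; None if it is neither."""
    if len(value) < 4 or len(value) % 4:
        return None
    try:
        if B64_RE.match(value):
            return base64.b64decode(value, validate=True)
        if B64URL_RE.match(value):
            return base64.urlsafe_b64decode(value)
    except binascii.Error:
        return None
    return None


def looks_like_ciphertext(blob):
    """True when decoded bytes resemble encrypted or random data."""
    if len(blob) < MIN_DECODED_LEN:
        return False
    nonprintable = sum(1 for b in blob if b < 0x20 or b > 0x7E) / len(blob)
    # Entropy is capped by the alphabet (8 bits) and by the sample count
    # (log2(len)); normalise against the smaller bound so short and long
    # blobs are judged on the same scale.
    max_entropy = min(8.0, math.log2(len(blob)))
    normalised = shannon_entropy(blob) / max_entropy
    return (nonprintable >= MIN_NONPRINTABLE_FRACTION
            and normalised >= MIN_NORMALISED_ENTROPY)


def parse_cookies(header_value):
    """Split a Cookie header into (name, value) pairs."""
    pairs = []
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def scan_log(lines):
    """Return (line_no, cookie_name, decoded_len) for suspicious cookies."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = COOKIE_HDR_RE.search(line)
        if not m:
            continue
        for name, value in parse_cookies(m.group(1)):
            blob = decode_base64(value)
            if blob is not None and looks_like_ciphertext(blob):
                hits.append((line_no, name, len(blob)))
    return hits


# Constructed stand-in for a 96-byte encrypted beacon string (not a sample).
FAKE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))

# Constructed log lines: a hex session id, a Base64 JSON preference cookie,
# and a beacon-style request carrying the opaque blob.
SAMPLE_LOG = [
    '2024-03-01T10:00:01Z 10.0.0.5 GET /login "Cookie: PHPSESSID=3f2a9c1be44d8a07c6e5b21d9f0a7e33"',
    '2024-03-01T10:00:02Z 10.0.0.5 GET /prefs "Cookie: prefs=eyJ0aGVtZSI6ImRhcmsifQ==; lang=en"',
    '2024-03-01T10:00:03Z 10.0.0.7 GET /news/latest "Cookie: id='
    + base64.b64encode(FAKE_BLOB).decode() + '"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious cookie:", hit)
```

Treat a hit as a triage signal rather than a verdict: a legitimate service that stores more than 64 random bytes in a cookie will also score high, so pair the heuristic with destination rarity (newly registered domains with industry keywords, as the report describes) and request periodicity before escalating, and use the IOCs from the Zscaler report for confirmed matches.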
The bottom line
Evilnum is an active threat, so it is recommended to use the IOCs provided in the Zscaler report. While the origins of this threat actor are still unknown, its victimology points to a state-backed interest in cyberespionage campaigns.