Active since 2018, the APT TA4563 (also known as Evilnum) has launched several low-volume but targeted attack campaigns against victims in the UK and Europe. The group initially targeted only the financial sector but has since switched gears and is now targeting immigration organizations.
Evilnum was also observed targeting organizations related to cryptocurrency and DeFi, placing backdoors in their systems which allow the threat actors to steal valuable information or wait for opportunities to compromise financial platforms. We’ll discuss Evilnum’s evolution, their tactics and techniques, and why it’s important to pay attention to lesser-known threat actors.
As previously stated, Evilnum is an APT that has been active since 2018; the group was named after its flagship malware, which is also called Evilnum. Despite being active since 2018, little was known about the group until ESET analyzed their malware in 2020. They were previously seen attacking financial technology (fintech) companies, using a toolset that combined custom, homemade malware with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider.
ESET’s research revealed that Evilnum’s targets were financial companies that offered platforms and tools for online trading. Most of the targets were in Europe and the UK but attacks were also observed in Australia and Canada. Researchers believed that the geographical diversity of Evilnum’s attacks was due to the targeted companies having offices in several locations.
During this time, Evilnum’s primary goal was to spy on organizations and glean financial information from both the organizations and their customers. Examples of the information the threat actor has been able to obtain include:
The decoy documents included bills showing proof of address and photos of credit cards or identity documents, the same kinds of documents financial institutions require from customers when they open an account. Because the documents appeared to be genuine, researchers believed Evilnum had collected them over years of operation.
First, the file copier was executed to move files to another location under %LOCALAPPDATA%. Next, the loader was executed and decrypted the contents of the file System.Memmory.dll (sic; the malicious payload of the C# component). This version of Evilnum’s malware was capable of taking screenshots whenever the mouse was moved and sending them to the C&C, running commands, running other binaries via cmd.exe, and persisting on a compromised system by creating registry keys.
Evilnum primarily used publicly available tools (and still does) but also developed custom scripts. They kept their tools in password-protected archives and decompressed them on a victim’s PC as needed. The group also used LaZagne to retrieve stored passwords and IronPython scripts to take screenshots and record DirectSound audio.
As of 2022, Evilnum’s tactics and techniques have evolved. The group now uses Microsoft Word documents that rely on document template injection to deliver malicious payloads to their targets’ machines. Notably, Evilnum is not exploiting Follina (CVE-2022-30190), a Microsoft Support Diagnostic Tool (MSDT) vulnerability disclosed in late May 2022 that allows attackers to run code on a targeted system when a crafted Office document is opened. This may be because Follina is so well documented and publicized; Microsoft patched it in June 2022, and workarounds were published before the patch.
While the group still targets financial companies dealing with cryptocurrency and other currencies, ThreatLabz observed it expanding beyond strictly financial organizations to an intergovernmental organization (IGO) in March 2022. An IGO is an entity formed by two or more nations to work on issues of common interest; the targeted organization deals with international migration services.
Researchers stated that the recent targets were most likely chosen to coincide with the Russia-Ukraine war. The attacks have been low volume but targeted, with the deployed malware being used for reconnaissance and data theft rather than cryptocurrency theft specifically.
ThreatLabz also observed several domains associated with Evilnum that other security vendors had not flagged, which is part of how Evilnum has managed to fly under the radar for years. The malware also includes components to evade detection and modify its infection paths.
Image 1: Current Attack Flow
Evilnum starts an attack by sending a malicious Word document to the victim as the attachment of a spear-phishing email. With template injection, the attachment’s attached-template reference points at an attacker-controlled server, so the malicious content is fetched when the document is opened rather than being embedded in the file that mail filters inspect. Once the victim opens the Word document, a message is displayed claiming that the document was created in a later version of Microsoft Word and explaining how to enable editing in order to view the content.
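The attached-template trick is easy to check for statically, because a .docx is a zip of XML parts and the template reference lives in word/_rels/settings.xml.rels. The following is an added example, not Evilnum’s code or an Avertium tool: it builds a constructed .docx in memory (the update-cdn.example.invalid hostname is invented) and flags any external relationship whose target is remote, with an attached template pointing at a URL being the template-injection case.

```python
"""Detect remote-template injection in OOXML Word documents.

The attached template is declared in word/settings.xml as
<w:attachedTemplate r:id="rIdN"/> and rIdN resolves through
word/_rels/settings.xml.rels. A benign document has no attached template
or points at a local .dotx/.dotm; a template-injection lure sets
TargetMode="External" and Target to an attacker-controlled URL, so Word
fetches a template (and its macros) that the attachment never contained.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
# http(s) URLs, file: URIs and UNC paths can all pull a template off the network.
REMOTE_TARGET = re.compile(r"^(https?://|file:|\\\\)", re.IGNORECASE)


def find_external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every relationship under
    word/_rels/ that is marked External and points at a remote location.
    Everything remote is reported (oleObject and frame targets are worth a
    look too); the caller decides what to do with it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def is_template_injection(docx_bytes):
    """True when the document's attached template resolves to a remote target."""
    return any(rel_type == "attachedTemplate"
               for _, rel_type, _ in find_external_relationships(docx_bytes))


def build_sample_docx(template_target=None, external=False):
    """Build a minimal .docx in memory. Constructed sample for this example,
    not a real lure. template_target=None gives a document with no attached
    template; external=False models a local template such as Normal.dotm."""
    settings_body = ""
    rels_body = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels_body = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}"{mode}/>')
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">{settings_body}</w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">{rels_body}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("https://update-cdn.example.invalid/Normal.dotm", external=True)
    print(find_external_relationships(lure))
    print(is_template_injection(build_sample_docx("Normal.dotm")))
```

Run it against a real attachment by passing the file’s bytes to is_template_injection. The check only covers the OOXML container; an RTF or legacy .doc lure needs a different parser, and the same external-relationship signal is also reported by oletools’ oleobj. Whatever the parser, the remote template fetch itself shows up on the proxy as a GET for a .dotm or similar from a freshly registered domain, which is a second place to catch it.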
Image 2: An Executable Attributed to Evilnum
Source: Avertium's Cyber Threat Intelligence Team
In the screenshot above, you can see the strings the program references to gather environment data from a compromised host. Evilnum’s goal is to create a backdoor on infected systems; screen grabs are taken and sent back to the threat actors via POST requests, with the exfiltrated data encrypted before it leaves the host.
After selecting one of the C2 domains, the backdoor also selects a path string from its configuration and sends the beacon request. If the beacon succeeds, the backdoor queries the server for available content and downloads it.
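That beacon-and-poll loop is what a network defender can hunt for: one internal host POSTing to the same destination at near-regular intervals. The following is an added example of a minimal beacon detector run over proxy logs; it is not Evilnum’s code or an Avertium tool, and the log lines, IP addresses and hostnames are constructed for the example.

```python
"""Flag beacon-like POST activity in proxy logs.

Groups POST requests by (source IP, destination host), computes the
inter-arrival times, and reports pairs whose intervals are regular.
Regularity is measured as stdev/mean of the gaps (coefficient of
variation), a scale-free score so a 5-minute and a 5-hour beacon rank alike.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, not real telemetry. Fields: timestamp src method url status.
# 10.1.2.3 polls one host every ~5 minutes; 10.1.2.9 POSTs to a mail host
# at human, irregular times.
SAMPLE_LOG = """\
2022-06-01T09:00:00 10.1.2.3 POST https://cdn-update.example.invalid/api/v2/poll 200
2022-06-01T09:00:04 10.1.2.3 GET https://www.example.org/news 200
2022-06-01T09:05:02 10.1.2.3 POST https://cdn-update.example.invalid/api/v2/poll 200
2022-06-01T09:09:58 10.1.2.3 POST https://cdn-update.example.invalid/api/v2/poll 200
2022-06-01T09:15:01 10.1.2.3 POST https://cdn-update.example.invalid/api/v2/poll 200
2022-06-01T09:20:00 10.1.2.3 POST https://cdn-update.example.invalid/api/v2/poll 200
2022-06-01T09:11:17 10.1.2.9 POST https://mail.example.org/send 200
2022-06-01T10:30:41 10.1.2.9 POST https://mail.example.org/send 200
2022-06-01T11:02:05 10.1.2.9 POST https://mail.example.org/send 200
2022-06-01T14:02:05 10.1.2.9 POST https://mail.example.org/send 200
2022-06-01T14:10:00 10.1.2.9 POST https://mail.example.org/send 200
"""


def parse(log_text):
    """Parse the sample format into (timestamp, src, method, host) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, method, url, _status = line.split()
        host = url.split("/")[2]          # "https://host/path" -> host
        events.append((datetime.fromisoformat(ts), src, method, host))
    return events


def find_beacons(events, min_requests=5, max_jitter=0.2):
    """Return [(src, host, mean_interval_seconds, jitter)] for (src, host)
    pairs with at least min_requests POSTs whose gaps vary by no more than
    max_jitter (stdev/mean). Lines are sorted per pair, so input order does
    not matter."""
    by_pair = defaultdict(list)
    for ts, src, method, host in events:
        if method == "POST":
            by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            hits.append((src, host, round(avg), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, host, interval, jitter in find_beacons(parse(SAMPLE_LOG)):
        print(f"{src} -> {host}: every ~{interval}s, jitter {jitter}")
```

Treat a hit as a triage signal rather than a verdict: software updaters and telemetry agents beacon too, so combine the interval score with how rare and how new the destination domain is across the fleet, which is exactly where the undetected Evilnum domains ThreatLabz found would stand out. Implants that add random sleep will raise the jitter score, so thresholds need tuning to the environment rather than being copied from the example.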
You may be wondering why Evilnum would pivot to immigration. Many organizations set up after Russian troops invaded Ukraine are assisting Ukrainian refugees. The lawyers who help run these groups often know little about cyber security but, by default, follow strict regulations on handling client data. Yet even while performing these security-centric tasks to keep data secure, they may not recognize how much that work overlaps with defending against a targeted attacker.
For instance, most interactions between lawyers and clients in the UK are done remotely, primarily because of COVID-19 and because the UK’s visa system is online. Therefore, everything involving sensitive data starts as an email. That sounds insecure at first, but lawyers and clients do not email important documents in plain text: they use encrypted documents and secure file uploads, and they delete data when required.
There are several things immigration organizations can do to keep sensitive information secure and safe from APTs like Evilnum:
According to Malwarebytes Labs, no UK-based immigration organizations (including those focused on helping Ukrainians) are known to have been targeted by attacks like those described above. Those organizations are nonetheless plausible targets for a threat actor looking to cause serious damage.
Sometimes the cyber security community can spend too much time focused on threat actors who are making headlining news. While it’s important to keep up with what’s current, it’s equally important to pay attention to the threat groups who aren’t making a big splash with the media.
Evilnum is a threat actor that has flown under the radar since 2018 while still making a big impact with its attacks. Their attacks are very targeted but not numerous, and they use legitimate tools in their attack chain. Those two calculated tactics are why Evilnum has been able to go undetected for so long.
When lesser-known threat groups and APTs like Evilnum pivot and evolve, it’s important to take note. This generally signals that the group has a longer-term plan, and it may be only a matter of time before they make a major move and cause serious, possibly irreversible, damage. It’s imperative that cyber security researchers stay proactive by keeping a close watch on threat actors who lay low but are persistent and consistently active.
APTs like Evilnum can fly under the radar and go undetected for years before causing destruction to an organization’s network or system. Avertium is here to keep your organization safe and to mitigate any attacks caused by APTs like Evilnum:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.