Evilnum threat actor was first spotted in 2018 while using the homonym malware. Over the years, the group added new tools to its arsenal, including custom and homemade malware along with software purchased from the Golden Chickens malware-as-a-service (MaaS) provider.
The group aimed at harvesting financial information from financial technology companies, such as trading platforms. Most of the targets are located in EU and in the UK, but experts also observed attacks against companies in Australia and Canada.
“The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.” reads the report published by ESET. “Some examples of the information this group steals include:
ESET believes that the hackers are using documents collected during their current operations to facilitate new attacks in which decoy documents seem genuine.
The JS script would also act as a dropper for additional payloads, including a C# spyware, Golden Chickens components, and Python-based applications.
Threat actors used a dedicated C2 server for each component that is installed via manual commands.
“Despite the differences, the core functionalities remain the same in all versions, including the retrieval of the C&C server’s address from GitHub, GitLab or Reddit pages created specifically for that purpose,” states ESET.
The version 4.0 implements the following capabilities:
Older versions of these components were previously used by the FIN6 APT group in attacks on eCommerce merchants.
Evilnum also uses other post-compromise tools, including Python-based tools (a reverse shell over SSL script, an SSL proxy, LaZagne, and IronPython), and other publicly available tools.
“The Evilnum group has been operating for at least two years and was active at the time of this writing.” concludes ESET.
“This group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have kept its activities largely under the radar. We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group,”
(SecurityAffairs – hacking, Evilnum)