ESET researchers have published an analysis of the Evilnum spyware, which is used against fintech companies and their customers, and of the activity of the eponymous group, which has been operating since 2018.
According to the researchers, most Evilnum attacks are concentrated in the EU and the United Kingdom, with a few also recorded in Canada and Australia.
The Evilnum malware is built to steal a wide range of confidential data. Like many other financially motivated groups, Evilnum aims to get inside corporate networks, obtain credentials and exfiltrate valuable financial information, which is then used for fraudulent purchases or sold in bulk to other criminals. Specifically, Evilnum goes after:
- customers' bank card details and identity documents;
- spreadsheets and documents containing customer lists, investment data and trading operations;
- internal company presentations;
- software licences and credentials for trading software and trading platforms;
- email credentials.
Evilnum operators can also collect information related to the IT infrastructure of the victim company, such as VPN configurations.
Interestingly, ESET attributes the development of Evilnum's malware to the Golden Chickens group, which operates on a malware-as-a-service (MaaS) model. The same people supply malware to well-known groups such as FIN6 and Cobalt Group.
Their tooling includes ActiveX components (OCX files) containing TerraLoader, a dropper for the other malicious programs offered to Golden Chickens customers, such as the More_eggs backdoor and more complex RATs.
"We believe that FIN6, Cobalt and Evilnum are not the same thing, despite all the coincidences in their toolkits. It just so happened that these groups have the same MaaS provider," the experts write, adding that, so far, Evilnum cannot reliably be linked to any other known APT group.
The lure files are made to look like documents of genuine interest to the target, supposedly sent by technical-support staff or customer-service managers. As a rule they pose as KYC (Know Your Customer) material: photographs of bank cards, identity documents, or bills serving as proof of address, since many financial institutions require their customers to provide exactly this kind of data.
The main Evilnum payload collects the confidential information listed above. Among other things, it steals passwords and cookies saved in Google Chrome and sends them to the command-and-control server, and it also captures screenshots.
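Theft of Chrome's saved passwords and cookies, as described above, leaves a telltale trace on the endpoint: some process other than the browser opens the profile's `Login Data`, `Cookies` or `Local State` files, or copies one of them out of the profile directory before reading it. The following detection sketch is an added example for this article, not Evilnum code or ESET tooling. It assumes a constructed, Sysmon-like JSON-lines event format with `Image`, `ProcessId` and `TargetFilename` fields, a hypothetical allow-list of legitimate accessors, and fictitious sample events; tune both the allow-list and the file patterns to your own telemetry.

```python
"""Flag processes other than Chrome touching its saved-password and cookie stores.

Added example for this article; not Evilnum or ESET code. Event shape is a
constructed Sysmon-like JSON-lines subset; EXPECTED_ACCESSORS is an assumption.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Files a Chrome credential stealer needs: the saved-login SQLite DB, the cookie DB
# (old and new location), Web Data, and Local State, which holds the DPAPI-wrapped
# key that decrypts the other stores on current Chrome versions.
IN_PROFILE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:Local State|"
    r"(?:Default|Profile \d+)\\(?:Login Data|Web Data|Cookies|Network\\Cookies))$",
    re.IGNORECASE,
)
# Stealers commonly copy the (locked) DB somewhere else before reading it, so also
# watch for the characteristic file names appearing outside the Chrome profile.
STRAY_COPY_RE = re.compile(r"\\(?:Login Data|Cookies)$", re.IGNORECASE)

# Assumption: only the browser itself legitimately opens these files.
EXPECTED_ACCESSORS = {"chrome.exe"}


@dataclass(frozen=True)
class Alert:
    reason: str
    process: str
    pid: int
    target: str


def classify_event(event: dict) -> Alert | None:
    """Return an Alert for one file-access event, or None if it looks benign."""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    pid = int(event.get("ProcessId", 0))
    if IN_PROFILE_RE.search(target):
        if exe in EXPECTED_ACCESSORS:
            return None
        return Alert("non-browser access to Chrome credential store", image, pid, target)
    if STRAY_COPY_RE.search(target) and "\\google\\chrome\\user data\\" not in target.lower():
        return Alert("Chrome credential DB copied outside the browser profile", image, pid, target)
    return None


def scan(jsonl: str) -> list[Alert]:
    """Run classify_event over JSON-lines telemetry, skipping blank or malformed lines."""
    alerts: list[Alert] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole scan
        alert = classify_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs); "alice" and svc_update.exe are fictitious.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe", "ProcessId": 9921,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe", "ProcessId": 9921,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe", "ProcessId": 9921,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe", "ProcessId": 9921,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    {"Image": r"C:\Windows\explorer.exe", "ProcessId": 1337,
     "TargetFilename": r"C:\Users\alice\Downloads\KYC_passport_scan.jpg"},
]) + "\nnot json\n"


if __name__ == "__main__":
    for a in scan(SAMPLE_JSONL):
        print(f"[{a.reason}] pid={a.pid} {a.process} -> {a.target}")
```

On the constructed sample, the browser's own access and the unrelated download are ignored, the three reads of the profile stores by the unknown executable are flagged, and the copy of `Login Data` into `Temp` is caught by the second rule. In production, expect to extend the allow-list with backup agents and other legitimate readers, and to treat a single process touching `Local State` together with `Login Data` or `Cookies` as a stronger signal than either file alone.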