A threat actor tracked as Evilnum targeted financial technology companies, mainly the British and European ones, ESET researchers reported.
Evilnum threat actor was first spotted in 2018 while using the homonym malware. Over the years, the group added new tools to its arsenal, including custom and homemade malware along with software purchased from the Golden Chickens malware-as-a-service (MaaS) provider.
The group aimed at harvesting financial information from financial technology companies, such as trading platforms. Most of the targets are located in EU and in the UK, but experts also observed attacks against companies in Australia and Canada.
“The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.” reads the report published by ESET. “Some examples of the information this group steals include:
- Spreadsheets and documents with customer lists, investments and trading operations
- Internal presentations
- Software licenses and credentials for trading software/platforms
- Cookies and session information from browsers
- Email credentials
- Customer credit card information and proof of address/identity documents”
ESET believes that the hackers are using documents collected during their current operations to facilitate new attacks in which decoy documents seem genuine.
The JS script would also act as a dropper for additional payloads, including a C# spyware, Golden Chickens components, and Python-based applications.
Threat actors used a dedicated C2 server for each component that is installed via manual commands.
“Despite the differences, the core functionalities remain the same in all versions, including the retrieval of the C&C server’s address from GitHub, GitLab or Reddit pages created specifically for that purpose,” states ESET.
The version 4.0 implements the following capabilities:
- Take screenshots if the mouse has been moved in a period of time, and send them to the C&C, base64 encoded. The image is stored in a file called SC4.P7D
- Run commands
- Run other binaries via cmd.exe
- Send information such as computer name, username and antivirus installed
- Persist in a compromised system by creating registry keys
According to ESET, the Golden Chickens components used by Evilnum are from the TerraLoader family, they include More_eggs, TerraPreter, TerraStealer (also known as SONE or Stealer One), and TerraTV.
Older versions of these components were previously used by the FIN6 APT group in attacks on eCommerce merchants.
Evilnum also uses other post-compromise tools, including Python-based tools (a reverse shell over SSL script, an SSL proxy, LaZagne, and IronPython), and other publicly available tools.
“The Evilnum group has been operating for at least two years and was active at the time of this writing.” concludes ESET.
“This group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have kept its activities largely under the radar. We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group,”
To read the original article: