Financial and investment entities are being targeted in an ongoing campaign by attackers deploying the Evilnum malware, which is a known backdoor that can be used to steal data or load additional payloads.
The threat actor behind the activity, which researchers with Proofpoint call TA4563, has specifically targeted European companies with operations supporting foreign exchanges and cryptocurrency, as well as organizations in the Decentralized Finance (DeFi) industry. The campaign, which overlaps with activity by the known Evilnum APT (also known as DeathStalker) reported by Zscaler in June, was first observed in late 2021 and is ongoing.
“The identified campaigns delivered an updated version of the Evilnum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods,” said Bryan Campbell, Pim Trouerbach and Selena Larson, researchers with Proofpoint, in a Thursday analysis. “This malware can be used for reconnaissance, data theft, and to deploy additional payloads.”
When the campaign was first observed in December, attackers sent targets email messages that purported to be registrations for financial trading platforms. The messages used a remote template document, which then attempted to communicate with domains that installed LNK loader components. These loader components kicked off the process of downloading the Evilnum backdoor.
The campaign evolved slightly over time. In early 2022, researchers observed the group sending emails containing OneDrive URLs that led to ISO and .LNK attachments. These emails used lures revolving around financial documentation, including one that reminded victims to submit their proof of identity and address. In a more recent campaign in mid-2022, attackers used lures making an urgent request that victims send over “proof of ownership”, but in reality the documents attached to the emails directed them to what researchers believe was an actor-controlled domain.
“As the threat actor maintained consistent targeting and victimology, the methodology again changed,” said researchers. “In mid-2022 campaigns, TA4563 delivered Microsoft Word documents to attempt to download a remote template.”
From there, the loader executed PowerShell (via cmd.exe) in order to download two different payloads. The first was responsible for executing two PowerShell scripts: one that decrypted a PNG containing logic to restart the infection chain, and one that sent screenshots to a command-and-control (C2) server. The second payload contained two encrypted blocks that worked together: an executable decrypted a TMP file in order to load a shellcode file, which in turn produced the decrypted PE file.
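One defensive check for the chain just described is to look for PowerShell whose process ancestry runs back through cmd.exe to a Microsoft Office parent. The following is an added detection example, not code from the Proofpoint report; the event fields (pid, ppid, image, cmdline) are assumed Sysmon-like, the sample events are constructed, and the check also catches the simpler Office-to-PowerShell case with no cmd.exe in between.

```python
"""Flag PowerShell processes whose ancestry leads back to an Office application,
optionally via cmd.exe, as in the Evilnum loader chain described above."""
from typing import Dict, List, Tuple

# Office images that should not normally be spawning shells (assumed set).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample process-creation events, not real telemetry.
# One benign explorer -> cmd -> powershell chain and one suspicious
# winword -> cmd -> powershell chain.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE /n proof_of_ownership.docx"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c powershell.exe (constructed)"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe (constructed)"},
    {"pid": 500, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe /c dir"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]


def ancestry(events: List[Dict], pid: int, depth: int = 5) -> List[str]:
    """Return lower-cased image names from the given pid up its parent chain,
    child first, stopping at an unknown parent or after `depth` hops."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    while pid in by_pid and len(chain) < depth:
        event = by_pid[pid]
        chain.append(event["image"].lower())
        pid = event["ppid"]
    return chain


def find_office_spawned_powershell(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (pid, ancestry) for each powershell.exe whose parent is an Office
    image, or whose parent is cmd.exe and grandparent is an Office image."""
    hits: List[Tuple[int, List[str]]] = []
    for event in events:
        if event["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, event["pid"])
        parent = chain[1] if len(chain) > 1 else ""
        grandparent = chain[2] if len(chain) > 2 else ""
        direct = parent in OFFICE_IMAGES
        via_cmd = parent == "cmd.exe" and grandparent in OFFICE_IMAGES
        if direct or via_cmd:
            hits.append((event["pid"], chain))
    return hits


if __name__ == "__main__":
    for pid, chain in find_office_spawned_powershell(SAMPLE_EVENTS):
        print(f"suspicious powershell pid={pid} chain={' <- '.join(chain)}")
```

Only the winword-rooted chain is reported; the explorer-rooted cmd.exe/PowerShell pair is left alone.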
“Several applications are executed depending on what antivirus software – either Avast, AVG, or Windows Defender – is found on the host,” said researchers. “The malware will try and call multiple executables likely already on the host machine (e.g. TechToolkit.exe and nvapiu.exe). The malware execution chain will change to best evade detection from the identified antivirus engine.”
Evilnum can be used for reconnaissance, data theft and for loading follow-on payloads. While researchers did not observe follow-on payloads deployed in these campaigns, they pointed to third-party reporting that shows the Evilnum malware being used to distribute tools available through the Golden Chickens malware-as-a-service.
“TA4563 has adjusted their attempts to compromise the victims using various methods of delivery; whilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts,” said researchers.