Evilnum hackers



Evilnum is a hacker group that has been targeting fintech companies, mostly those located in the United Kingdom and EU countries, with the goal of spying on targets and stealing financial information, including login details, bank documents, and email credentials, among others.

According to researchers at Cybereason, the Evilnum group has tweaked its infection chain and deployed a Python RAT called "PyVil RAT," which can gather personal information by taking screenshots and capturing keystrokes, and can open an SSH shell to deploy new tools.

Since the group was first discovered in 2018, its tactics, techniques and procedures (TTPs) have evolved with the different tools available, but the group hasn't deviated from its initial focus on fintech targets.

How Evilnum targets companies with spear-phishing emails



Formerly, the hacker group targeted companies with spear-phishing emails containing a link to a ZIP file hosted on Google Drive, in order to steal customer credit card information, software licenses, and investment and trading documents.

Now the infection procedure has undergone a major shift, although the group's modus operandi for gaining an initial foothold in a compromised system has remained the same: spear-phishing emails that mimic know your customer (KYC) documents trick employees in the fintech industry into clicking the bait and triggering the malware. The attacks have evolved from using Trojans with backdoor capabilities to a bare-bones JavaScript dropper that delivers malicious payloads.

These Trojans are hidden in modified versions of legitimate executables in an attempt to escape detection. The first phase of this new infection chain culminates in the delivery of the payload, a RAT written in Python and compiled with py2exe that the security researchers dubbed PyVil RAT.

In its previous campaigns, the Evilnum group avoided using domains in communications with the C2 and employed IP addresses instead. The C2 IP address changes every few weeks, but the list of domains associated with the IP address is ever growing.

Now, the multi-process delivery procedure unpacks shellcode upon execution to establish communication with an attacker-controlled server and receive a second encrypted executable ("fplayer.exe") that serves as the next-phase downloader to fetch the Python RAT.
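For defenders, a C2 IP that rotates while its associated domain list keeps growing means a single-IP block goes stale, whereas pivoting between domains and IPs in passive DNS keeps up with the infrastructure. The sketch below is an added example, not code from Cybereason or this article; every domain, IP and date is constructed, and `max_fanout` is a hypothetical guard against pivoting through shared hosting.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations: (first_seen, domain, ip).
# Reserved .example names and RFC 5737 documentation addresses only.
PDNS = [
    (date(2020, 6, 1), "cdn-a.example", "192.0.2.10"),
    (date(2020, 6, 3), "files-b.example", "192.0.2.10"),
    (date(2020, 6, 20), "shop.example", "203.0.113.5"),      # unrelated host
    (date(2020, 6, 22), "cdn-a.example", "198.51.100.7"),    # C2 moved to a new IP
    (date(2020, 6, 25), "docs-c.example", "198.51.100.7"),   # new domain on that IP
    (date(2020, 7, 14), "docs-c.example", "198.51.100.99"),  # moved again
    (date(2020, 7, 15), "kyc-d.example", "198.51.100.99"),
]

def track_cluster(records, seed_domains, max_fanout=50):
    """Expand known-bad seed domains across IP rotations until nothing new appears.

    An IP that hosts more than max_fanout domains is treated as shared hosting:
    it is still recorded, but it is not used to pull in further domains.
    """
    fanout = defaultdict(set)
    for _, domain, ip in records:
        fanout[ip].add(domain)
    domains, ips = set(seed_domains), set()
    changed = True
    while changed:
        changed = False
        for _, domain, ip in records:
            if domain in domains and ip not in ips:
                ips.add(ip)
                changed = True
            pivot_ok = len(fanout[ip]) <= max_fanout
            if ip in ips and pivot_ok and domain not in domains:
                domains.add(domain)
                changed = True
    return domains, ips

def rotation_timeline(records, domains):
    """List (date, new_ip, tracked domains seen so far) at each IP change."""
    seen, current_ip, out = set(), None, []
    for day, domain, ip in sorted(records):
        if domain not in domains:
            continue
        seen.add(domain)
        if ip != current_ip:
            current_ip = ip
            out.append((day, ip, len(seen)))
    return out
```

Seeding with one known domain recovers the later IPs and sibling domains, while the unrelated host stays out of the cluster.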

How to Mitigate against the Evilnum attacks



The Evilnum group's TTPs continue to evolve, so businesses should stay vigilant about security, and employees should exercise caution when opening emails and attachments, especially from unknown senders, and monitor their emails for phishing attempts.

Evilnum's origins remain unclear, but there is enough evidence that the group's constant improvisation of TTPs has helped it remain under the radar.

PyVil RAT: Python-based remote access Trojan deployed by Evilnum hackers
