How hackers are updating the EVILNUM malware to target the global financial sector
Hackers behind a series of targeted financial attacks have been updating their malware to better evade detection over the last year, according to new Prevailion research slated to be published Wednesday.
Since at least February 2019, the hackers, who have begun impersonating CEOs and banks in their lure documents, have introduced at least seven updates to the malicious software known as EVILNUM, which enables attackers to upload and download files, harvest tracking cookies, and run arbitrary commands.
While internet scammers frequently masquerade as corporate executives to tempt victims into clicking on malware, the attackers behind EVILNUM are rapidly working to make their tools harder to detect. The unknown attackers began rolling out the newest version of the EVILNUM malware three days ago. By press time, the hacking tool was detected by only eight of the 59 vendors on VirusTotal, a malware-sharing repository, indicating that many common security software vendors are not yet able to protect against this group’s techniques.
The prior version of EVILNUM, number 3.6, was detected by only six of the vendors on VirusTotal. Details about the latest hacking tool were shared exclusively with CyberScoop prior to their publication.
“It shows there’s an ongoing evolution of this kit,” said Danny Adamitis, director of intelligence analysis at Prevailion. “I believe this is one of the more advanced financial crime actors that we’ve seen.”
EVILNUM has been used in conjunction with a remote access trojan (RAT) called Cardinal RAT in campaigns against financial technology targets located primarily in Israel, according to Palo Alto Networks. Even so, it is not clear that EVILNUM has a specific geographic focus, Adamitis said.
In perhaps the most notable indication that attackers are updating their strategies based on their surroundings, version 3.6 was specifically updated so it could bypass two popular antivirus tools from BitDefender and Avast. A previous version of EVILNUM accounted for BitDefender, but not Avast, according to Prevailion.
Attackers also have been using a registry key whose location changes depending on which antivirus product is installed on the victim machine, so that the malware can maintain persistence even when targets reboot their computers.
Within the past year, Prevailion also has observed that hackers have built in an elaborate obfuscation technique that functions as a kind of “dead drop” for infected machines to communicate back with the attacker-controlled server. To create this kind of one-way communication, EVILNUM hackers have begun using remote web pages through GitLab and Digital Point, a web forum, to serve as the “dead drop” sites.
These web pages identify the command-and-control server node, an additional step in communications that could make attribution and detection more difficult, according to Adamitis.
The lures
Victims targeted by version 3.6 received a link to a URL hosted on Google Drive, where they were presented with a zip archive. When victims click through, they download attacker-manipulated documents containing information on real financial figures, presumably people who could plausibly be setting up an account with a financial services organization.
So far, the documents have impersonated a small circle of individuals including the CEO of a bank in a British territory, an investment company in England, a financial executive in Canada, and an individual from Finland working for a managed cloud services provider.
“Given the nature of these lures, Prevailion suspects with moderate confidence these efforts were targeted towards select financial institutions rather than wide-scale spamming,” the researchers note.
Although it is unclear exactly what the hackers’ ultimate goals are, Adamitis suspects there is a second stage of the attack.
Once unzipped, the malware is capable of retrieving files from the attacker-controlled server, converting strings of data into bytes, and receiving binary data, which could indicate there is a second-stage payload or malicious file in this attack that isn’t visible — yet.
“We saw a number of functions that just make me believe that there’s more to this,” Adamitis told CyberScoop. “It made me believe this wasn’t the end all be all, that it was just to get the lay of the land.”