Evilnum malware is focused on the theft of all kinds of confidential data. Like many other financial hackers, this group seeks to infiltrate corporate networks, gain access to credentials and steal valuable financial information, which can then be used for fraudulent purchases or sold in bulk to other criminals.
So, Evilnum is interested in:
Evilnum operators can also collect information related to the IT infrastructure of the victim company, such as VPN configurations.
Interestingly, according to ESET, the malware used by the Evilnum group is developed by hackers from the Golden Chickens group, who operate under a malware-as-a-service (MaaS) model. The same people supply malware to such well-known hacking groups as FIN6 and Cobalt.
Their tools include ActiveX components (OCX files) containing TerraLoader, a dropper for other malicious programs available to Golden Chickens clients (for example, the More_eggs backdoor and complex RAT malware).
“We believe that FIN6, Cobalt and Evilnum are not the same thing, despite all the coincidences in their toolkits. It just so happened that these groups have the same MaaS provider,” the experts write, noting that the Evilnum group can hardly be associated with other well-known APTs.
Typically, an Evilnum attack involves the following steps: the user receives a phishing email with a link to Google Drive, from which a ZIP file can be downloaded. This archive contains several LNK files (shortcuts) that extract and launch a malicious JavaScript component while displaying a decoy document.
The decoy files, in turn, are disguised as things of genuine interest to the victim, and the emails themselves purport to come from technical support representatives and customer service managers.
As a rule, these files are various kinds of KYC (Know Your Customer) information: photographs of bank cards, identity documents, or utility bills confirming an address, since many financial institutions require their clients to provide such data.
Essentially, if a victim opens the malicious document, the Evilnum malware, Python-based tools, and components created by Golden Chickens are launched. For example, the JavaScript component mentioned above is able to deploy additional malware on the victim’s system. In addition, each of the components has its own command-and-control server and can act independently.
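The delivery chain described above (a ZIP from a file-sharing link that bundles a decoy document with LNK shortcuts launching a script) is cheap to triage at the mail gateway or in a sandbox before anyone opens the archive. The following is an added example written for this article, not code from ESET or from the blog: it unpacks an in-memory ZIP, flags every shortcut inside it, confirms the shortcut carries a genuine ShellLinkHeader (the 0x4C header size and the 00021401-0000-0000-C000-000000000046 CLSID defined in MS-SHLLINK), and reports whether the shortcut references a script host next to a decoy document. The archive contents, file names, the made-up command line and the keyword list of script hosts are all constructed assumptions for the demonstration, not indicators from the report.

```python
"""Triage a ZIP attachment for the LNK-plus-decoy pattern.

Added example, not ESET's or the blog's code. Archive contents are
constructed inline; the LNK blob is only the 76-byte ShellLinkHeader
from MS-SHLLINK followed by a made-up UTF-16LE command line.
"""
import io
import zipfile

# MS-SHLLINK: HeaderSize (0x4C) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 as a little-endian GUID.
SHELL_LINK_HEADER = bytes.fromhex(
    "4c000000"                          # HeaderSize = 0x4C
    "0114020000000000c000000000000046"  # LinkCLSID, little-endian fields
)

# Heuristic keyword list (assumption): script hosts and interpreters a
# document bundle has no business invoking.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd.exe", ".js")
DOCUMENT_EXTS = (".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx")


def is_shell_link(data: bytes) -> bool:
    """True if the blob starts with a well-formed ShellLinkHeader."""
    return data[: len(SHELL_LINK_HEADER)] == SHELL_LINK_HEADER


def script_indicators(data: bytes) -> list:
    """Return script-host keywords found as ASCII or UTF-16LE inside the LNK.

    StringData in a shortcut is usually UTF-16LE, so both byte offsets are
    decoded to catch strings that start on an odd boundary.
    """
    ascii_view = data.lower()
    utf16_views = (
        data.decode("utf-16-le", errors="ignore").lower(),
        data[1:].decode("utf-16-le", errors="ignore").lower(),
    )
    found = []
    for token in SCRIPT_HOSTS:
        if token.encode() in ascii_view or any(token in v for v in utf16_views):
            found.append(token)
    return found


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect an in-memory ZIP and report shortcuts, decoys and a verdict."""
    report = {"lnk": [], "decoys": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".lnk"):
                blob = zf.read(info)
                report["lnk"].append({
                    "name": info.filename,
                    "valid_header": is_shell_link(blob),
                    # "scan.jpg.lnk" style names hide the real extension
                    "double_extension": any(name.endswith(e + ".lnk") for e in DOCUMENT_EXTS),
                    "indicators": script_indicators(blob),
                })
            elif name.endswith(DOCUMENT_EXTS):
                report["decoys"].append(info.filename)
    # Any shortcut in a "documents" bundle is suspicious; a shortcut that
    # names a script host alongside a decoy is the pattern described above.
    if report["lnk"]:
        report["verdict"] = "suspicious"
        if any(e["indicators"] for e in report["lnk"]):
            report["verdict"] = "likely malicious"
    return report


def build_sample_zip(include_shortcut: bool = True) -> bytes:
    """Construct a sample archive (constructed data, not a real capture)."""
    fake_cmdline = "C:\\Windows\\System32\\cmd.exe /c wscript.exe update.js"  # made up
    lnk = SHELL_LINK_HEADER + b"\x00" * 56 + fake_cmdline.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ID_card_front.jpg", b"\xff\xd8\xff\xe0 not a real image")
        if include_shortcut:
            zf.writestr("ID_card_back.jpg.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The header check matters because the `.lnk` extension alone can be renamed away; a blob that Explorer would treat as a shortcut still carries the fixed header, so a gateway rule that keys on the header rather than the name survives that trick. The keyword list is deliberately short and should be tuned to the environment; the point of the example is the combination (shortcut plus script host plus decoy in one archive), which is rare in legitimate mail.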
Evilnum’s main payload is aimed at collecting the various kinds of confidential information already mentioned above, including stealing passwords and cookies stored in Google Chrome and sending them to the command-and-control server, as well as taking screenshots.
Cybercriminals are not particularly happy when their actions are detected and sometimes even take revenge – I recall that the security company ESET recently became the victim of a DDoS attack.