Targeting European companies engaged in international migration, the Evilnum hacker gang is displaying symptoms of harmful behavior again.
APT (advanced persistent threat) Evilnum has been operational since at least 2018 and only lately, in 2020, where its campaign and tools made public.
The threat organization used specialized, “homemade” malware to attack businesses in the financial technology industry, according to a technical analysis issued at the time by ESET.
The most recent disclosure was made possible by the efforts of Zscaler experts, who have been following Evilnum’s activity since the start of 2022 and collecting numerous attack artifacts.
Campaign information
Key migration organizations received malicious emails including papers with macros in them at the same time as the Russian invasion of Ukraine.
The campaign’s documents have a variety of filenames, most of which involve the word “compliance.” At least nine distinct papers were found by Zscaler, all of which are referenced in the report’s IoC section.
To avoid detection, the attachment uses the template injection and VBA code stomping techniques, which causes JavaScript to be executed with significant obfuscation.
As a result, a malware loader (“SerenadeDACplApp.exe”), an encrypted binary (“devZUQVD.tmp”), and a scheduled task (“UpdateModel Task”) for persistence are decrypted and dropped.
The loader runs preliminary checks before loading the binary using the name of the extracted file. To avoid AV detection, the binary injection is carried out via the antiquated “Heaven’s gate” method.
Although it has been reduced in Windows 10 by using 64-bit code in 32-bit processes, Evilnum probably still employs this tactic to target computers running earlier OS versions.
The infected system’s loaded backdoor carries out the following actions when it is activated:
The backdoor configuration’s encryption (C2 domains, User Agent strings, network paths, referrer strings, cookies type strings).
Resolves the libraries’ API addresses that were retrieved from the configuration
carries out a mutex check
Constructs the data exfiltration string that will be delivered with the beacon request
Base64-based encryption and encoding of the resulting string
Choose one of the cookie type strings from the configuration to embed the encoded string inside the cookie header field.
The backdoor selects a C2 domain and a path string from the settings after all stages are complete and makes a beacon network request. In response, the C2 can send a fresh encrypted payload.
Additionally, the backdoor extracts stolen data in encrypted form by taking computer snapshots and sending them to the C2 via POST requests.
In light of the fact that Evilnum is still a threat, defenses are encouraged to adopt the IoCs offered by Zscaler to safeguard their networks.
The actor’s origin is still unknown, but its most recent victimology suggests that there is a state-level interest in espionage operations, which experts have previously linked to the Belarusian threat organization “Ghostwriter.”
