Fraud Management & Cybercrime
Group Now Uses MS Office Word Documents to Deliver Payload
Evilnum, a hacking group primarily targeting fintech firms in the U.K. and Europe, has updated its tactics, techniques and procedures by using MS Office Word documents, leveraging document template injection to deliver the malicious payload to victims’ machines.
See Also: Fireside Chat | Zero Tolerance: Controlling The Landscape Where You’ll Meet Your Adversaries
In earlier campaigns in 2021 the main distribution vector used by this threat group was LNK files – a type of shortcut used in Windows sent inside malicious archive files as email attachments in spear-phishing emails to victims.
Zcaler’s ThreatLabz researchers say that they have identified several previously undocumented domains associated with the Evilnum advanced persistent threat group; they say that this indicates the group has been successful at flying under the radar and has remained undetected for a long time.
Security researchers discovered Evilnum in 2018 when it was found to be using spear-phishing emails and social engineering techniques to target the financial services sector, particularly companies dealing with trading and compliance in the UK and Europe.
In March 2022, Zcaler researchers say they observed the group targeting an Intergovernmental organization that deals with international migration services, which they describe as a significant update in the choice of targets of Evilnum APT group.
The researchers also saw that the timeline of the attack and the nature of the attack coincided with the Russia-Ukraine conflict.
The APT actors gain initial access to devices and networks by delivering malicious documents using a spear-phishing email campaign. Upon successfully delivering the malicious document, the targeted victim downloads and opens the document which fetches the second stage macro template from the domain hosted by the attackers.
The researchers say that this prompts users to enable the macro content in a displayed decoy content.
The second stage template, the researchers say, contains the key malicious macro code.
“Macro-based documents used in the template injection stage leveraged VBA code stomping technique to bypass static analysis and also to deter reverse engineering,” the researchers say. “This technique destroys the original source code and only a compiled version of the VBA macro code (also known as p-code) is stored in the document.”
The researchers also spotted that the APT group registered multiple domain names using specific keywords related to the industry vertical targeted in each new instance of the campaign.
Backdoors installed in the victims’ infected devices are capable of performing tasks such as decrypting backdoor configurations, resolving API addresses from libraries retrieved from the configuration and conducting mutex check.
They are also able to create a data exfiltration string to send as a portion of the beacon request, encoding and encrypting the string with Base64 and embedding this string inside the cookie header field.
Once these tasks are completed, the backdoor chooses a C2 domain and a route string and sends out a beacon request. The C2 may even respond with a fresh encrypted payload the researchers say.
The backdoors can take screenshots and send them to the C2 server via POST requests, which result in an encrypted format of data exfiltration.
The researchers say they are not certain about the origins of the Evilnum, however, they say, its choice of victims points to a state-backed interest in cyberespionage campaigns.
In a previous campaign, Evilnum was seen expanding its campaigns to other countries, including Canada and Australia, security firm ESET had reported (see: APT Group Targets Fintech Companies).
In one of its campaign from 2020, Evilnum was deploying a remote access Trojan that Cybereason researchers called PyVil. It’s written in the Python programming language and includes keylogging, taking screenshots of infected devices and exfiltrating data. The Trojan can also deploy other malicious tools, such as the LaZagne malware, to steal credentials, Cybereason said (see: Evilnum Hackers Change Tactics for Targeting Fintech Firms).
A Kaspersky report in August 2020 found links between the malware that Evilnum hackers use and variants that have targeted other organizations (see: Hacking-for-Hire Group Expands Cyber Espionage Campaign).
These connections led Kaspersky researchers to conclude that Evilnum might belong to another hacking group called “DeathStalker,” which is known to target smaller law firms and financial institutions.