Evilnum: APT group targets fintech platforms with tailored malware

Evilnum (APT TA4563) is a hacking group that has been active since at least 2018. This group primarily targets financial institutions, particularly those that use fintech platforms. Evilnum is known for using a variety of tactics to carry out their attacks, including social engineering, spear-phishing, and malware. They are also known for their use of custom-built malware that is designed specifically to target fintech platforms. The main goal of the group is to spy on its infected targets and steal information such as passwords, documents, browser cookies, email credentials and more.

Evilnum begin their attacks by sending a malicious Word document to their victim via spear phishing emails with rogue attachments. When the Word document is opened, a message is displayed claiming that the document was created in a later version of Microsoft Word. A macro template from the attacker-hosted domain, which contains the main malicious macro code, displays the decoy content. It makes use of VBA code stomping technique which destroys the original source code and only a compiled version of the VBA macro code is stored in the document.

After the victim enables editing, an obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader before creating a scheduled task. To assist in avoiding detection, file system artefacts are created during execution, which are designed to imitate real Windows binary names.

Evilnum’s goal is to create a backdoor on infected systems, while machine screen grabs are taken and sent back to the threat actors via POST requests with the exfiltrated data now being in encrypted form. The backdoor loaded on the infected systems are capable of performing tasks like decrypting backdoor configurations, creating data exfiltration string to send as a portion of the beacon request and encoding and encrypting the string with Base64.

Evilnum has targeted industries including banking, payments, trading and immigration organizations in countries like United States, Canada, United Kingdom, Australia, and Singapore, among others.

For more information and actionable recommendations, download SISA’s detailed technical advisory on Evilnum APT.