December 27, 2024

The advanced persistent threat (APT) actor tracked as Evilnum is once again exhibiting signs of renewed activity aimed at European financial and investment entities.

“Evilnum is a backdoor that can be used for data theft or to load additional payloads,” enterprise security firm Proofpoint said in a report shared with The Hacker News. “The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.”

Targets include organizations with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). The latest spate of attacks is said to have commenced in late 2021.

The findings also dovetail with a report from Zscaler last month that detailed low-volume targeted attack campaigns launched against companies in Europe and the U.K.

Active since 2018, Evilnum is tracked by the wider cybersecurity community using the names TA4563 and DeathStalker, with infection chains culminating in the deployment of the eponymous backdoor that’s capable of reconnaissance, data theft, or fetching additional payloads.

The latest set of activities flagged by Proofpoint incorporates updated tactics, techniques, and procedures (TTPs), relying on a mix of Microsoft Word, ISO, and Windows Shortcut (LNK) files sent as attachments in spear-phishing emails to the victims.

Other variants of the campaign spotted in early 2022 have made use of financial lures to entice recipients into opening .LNK files within malicious ZIP archive attachments or clicking on OneDrive URLs containing either an ISO or LNK file.

In yet another instance, the actor switched up the modus operandi to deliver macro-laden Microsoft Word documents that drop obfuscated JavaScript code designed to launch the backdoor binary.

This methodology was once again changed in mid-2022 to distribute Word documents, which attempt to retrieve a remote template and connect to an attacker-controlled domain. Regardless of the distribution vector employed, the attacks lead to the execution of the Evilnum backdoor.
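The remote-template delivery described above leaves a recognizable trace inside the document itself: a .docx is a ZIP container, and an attached template is declared as a relationship in word/_rels/settings.xml.rels. The following added example (not Proofpoint's, Zscaler's, or the actor's code) constructs a minimal .docx in memory and checks that relationship file for an attachedTemplate entry whose target is an HTTP(S) URL or UNC path, which is the pattern a defender can triage attachments on. The domain attacker-controlled.invalid and the build_docx helper are constructed for the example; they are not indicators from the report.

```python
"""Flag Word documents whose attached template points to a remote location.

Added example, not code from the original article or from the vendors named in it.
Constructs a minimal .docx with zipfile and inspects word/_rels/settings.xml.rels.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Heuristic: only HTTP(S) and UNC targets are treated as remote. Word also writes
# TargetMode="External" for ordinary local templates (file:///C:/...), so keying
# on TargetMode alone would produce false positives.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return the remote attachedTemplate targets declared in a .docx (empty if none)."""
    found: List[str] = []
    rels_name = "word/_rels/settings.xml.rels"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if rels_name not in zf.namelist():
            return found  # no template relationships at all
        root = ET.fromstring(zf.read(rels_name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if REMOTE_TARGET.match(target):
                found.append(target)
    return found


def build_docx(template_target: Optional[str]) -> bytes:
    """Constructed sample .docx (hypothetical helper, not a captured file).

    When template_target is given, an attachedTemplate relationship is written
    exactly as Word serializes it: in word/_rels/settings.xml.rels with
    TargetMode="External".
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            "</Types>",
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>invoice</w:t></w:r></w:p></w:body></w:document>",
        )
        settings = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        )
        if template_target is not None:
            settings += '<w:attachedTemplate r:id="rId1"/>'
        settings += "</w:settings>"
        zf.writestr("word/settings.xml", settings)
        if template_target is not None:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one remote template, one benign local template, one with none.
    for label, target in [
        ("remote", "http://attacker-controlled.invalid/template.dotm"),
        ("local", "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        ("none", None),
    ]:
        print(label, remote_template_targets(build_docx(target)))
```

The same relationship check applies to .dotm and .docm containers, and a mail gateway or sandbox can run it before the document is ever opened, since no macro execution or template fetch is needed to see the declared target.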

Although no next-stage malware executables were identified, the backdoor is known to act as a conduit to deliver payloads from the malware-as-a-service (MaaS) provider Golden Chickens.

“Financial organizations, especially those operating in Europe and with cryptocurrency interests, should be aware of TA4563 activity,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement. “The group’s malware known as Evilnum is under active development.”