The Evilnum hacking group has been found to use advanced hacking tools of other well-known criminal collectives like Cobalt, FIN6 and others. This particular hacking group has been running high-impact campaigns in the past and has been active since at least 2018 when their first major attacks were detected.
Advanced Hacking Tools By Cobalt, FIN6 and Others Are Now Used By The Evilnum Hackers
The Evilnum hackers have been spotted to be running another major campaign against targets from all over the world. Traditionally they have organized attacks against financial organizations and companies including modern fintech startups, as well as online trading and investment platforms. The main goal of the criminals is to access sensitive financial data on the servers. The following type appears to be the focus of the hackers:
- Documents and spreadsheets that contain investment and trading operations
- Presentations that contain internal company operations
- Trading software credentials, accounts and licenses
- Google Chrome cookies and session information
- Login data for email accounts
- Private users payment card data and proof of identity
The attacks are made by sending out phishing email messages which are prepared in bulk and sent to the target users. Common tactics are followed such as the impersonation of famous services and companies: notifications, newsletters and other kind of content will be prepared by the hackers. In these email messages LNK shortcut files will be attached which pretend to be image files – this is done by using the hidden double extension technique — a file will be masked as one file type, but instead be of another. In this case when the users start it a JavaScript code will be run. This initial delivery technique will start a decoy file and then delete the LNK. The decoy file is used to deploy the intended malware.
In the case of the Evilnum group various malware that have previously been developed and/or used by Cobalt, FIN6 and other criminals are delivered using this approach.
How Well-known Hacking Tools Are Being Used By The Evilnum Gang
A custom spying module called Evilnum is featured in the detected campaign which is used to spy on the victims when it is run. Multiple Python based scripts and tools and malware are also utilized during the detected samples. One of the noteworthy malware is the use of the Golden Chicken malware — a Malware-as-a-service (MaaS). This is a hacking toolset that is used by various criminals which is purchased like a subscription service.
In order to make it more difficult to track the malware activity the command and control servers do not have domain names, but are set in the virus as direct IPs. The list is pulled in from sources such as GitHub, GitLab and Reddit — they are maintained by the hackers using specially created accounts for this purpose. The full list of malware that is deployed shows that the following viruses will be used by the Evilnum hackers:
- TerraRecon — An information gathering hacking tool that is programmed to look for specific hardware and software instances. The malware is focused on targeting retail and payment service providers and appliances.
- TerraStealer — This is an information stealer which is alternatively known as SONE or StealerOne VenomLNK which is assumed to be part of the VenomKit kit.
- TerraWiper — This is a dangerous tool that is designed to delete the Master Boot Record (MBR). When this is done the victims will be unable to boot their computers properly.
- TerraCrypt — This is a dangerous ransomware which is alternatively known as PureLocker which will encrypt target user files with a strong cipher and then blackmail and extort the victims for a cryptocurrency payment. This ransomware is compatible with all modern desktop operating systems: Microsoft Windows, macOS and Linux.
- TerraTV — This malware will hijack TeamViewer applications.
- lite_more_eggs — This is a reduced version of a malware loader.
It is evident that such complex attacks will continue to be organized against high-impact targets.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: