{"id":1433,"date":"2023-09-08T02:37:19","date_gmt":"2023-09-08T02:37:19","guid":{"rendered":"https:\/\/cyberthreatintelligencenetwork.com\/?p=1433"},"modified":"2024-06-10T23:35:17","modified_gmt":"2024-06-10T23:35:17","slug":"potential-new-evilnum-campaign","status":"publish","type":"post","link":"https:\/\/cyberthreatintelligencenetwork.com\/index.php\/2023\/09\/08\/potential-new-evilnum-campaign\/","title":{"rendered":"Potential New EvilNum Campaign"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

CTIN has discovered a new campaign that appears to be associated with previous malicious infrastructure attributed to Evilnum. EvilNum is an advanced persistent threat (APT) group that is characterized by an evolving toolkit and sector-specific and geographic-specific targeting. ESET performed an in-depth technical analysis on observations they made between 2018 and 2020. [1]<\/a> \u00a0More recently CyberReason has described one of their newest tools called PyVil Remote Access Trojan (RAT).[2]<\/a> \u00a0This is a RAT written in the popular Python programming language.\u00a0 And, as the reader will see in my subsequent analysis, this new campaign appears to be using a compiled version of Python modules (with the .pyd extension).\u00a0 Based on the targeting patterns and the technical analyses from previous researchers we hypothesize that the artifacts we have surfaced provide evidence of a new and currently active EvilNum campaign.\u00a0<\/p>

Based on the current evidence EvilNum is focusing on specific targets in the financial services sector in EU countries and the UK. They are particularly interested in banking and financial technology companies and are taking advantage of Know Your Customers (KYC) rules that require these companies to collect personally identifying information (PII) from their customers.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Targeting<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

In their past campaigns high value targets like customer service representatives and KYC screeners at leading banks and financial institutions are targeted through carefully crafted phishing emails that include a link to a downloadable file. This file appears as a bundle of shortcuts that, when opened, secretly run harmful software in the background while also showing a fake document to distract the user. To further deceive the user, shortcut files are named in a way that makes them look like harmless documents or images. This trick is especially effective on Windows computers, where the type of file is usually not shown, making it easier for the user to be fooled into opening it.<\/p>

In the current campaign we have not been able to corroborate this method of social engineering. However, through our hunting using network artifacts on threats to upcoming EU-related elections we identified some cyber observables that led us to artifacts that have been associated with past EvilNum campaigns.\u00a0 What we uncovered was an IPv4 and an IPv6 address that resolved to a RU domain name that embedded the word \u2018android\u2019. The IPs of interest are:<\/p>