Evilnum APT Hackers Group Attack Windows Using Weaponized Word Documents

Researchers from ThreatLabz have found that Evilnum, an APT threat actor, is once again up to its old tricks, targeting European financial and investment institutions, with several signs of renewed activity.

The Evilnum malware is used to steal data and to load additional payloads onto the compromised system. To evade detection, it also changes its infection path depending on which antivirus product it identifies on the host.

A number of organizations are targeted by this program, including those operating in the following sectors:-

  • Foreign exchange
  • Cryptocurrency
  • Decentralized finance (DeFi) 

Apparently, a recent spate of attacks began in the latter part of 2021, which is a few months after the last one.


Attack flow

In the wider cyber-security community, Evilnum is also known by the names TA4563 and DeathStalker, and it has been active since 2018. Its infection chain culminates in the deployment of the eponymous backdoor, which is capable of the following activities:- 

  • Reconnaissance
  • Data theft
  • Fetching additional payloads

During the latest round of activities, revised TTPs have been incorporated, which combine a variety of approaches, including: 

  • Microsoft Word
  • ISO
  • Windows Shortcut (LNK) files

A spear-phishing email was sent to the victims that contained all of these files as attachments. 

In late 2022, researchers spotted several variants of the campaign, including ones that used financial lures to entice recipients into opening malicious ZIP archives containing malicious .LNK files.

The method of distributing Word documents was once again changed in mid-2022, to include a mechanism that endeavors to fetch a remote template and connect to a domain controlled by the attacker.

Organizations with an interest in cryptocurrency, particularly those based in Europe, are very likely to be affected by TA4563 activities. 

Accordingly, cybersecurity experts have strongly recommended that such organizations monitor for TA4563 activity in the coming days in order to head off attacks.

“TA4563’s malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware including tools available via the Golden Chickens malware-as-a-service,” Proofpoint researchers said.

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.