State-sponsored Evilnum threat group reemerged with better capabilities

July 6, 2022

The sophisticated advanced persistent threat (APT) group Evilnum has resurfaced with upgraded capabilities. According to cybersecurity researchers, the group's tactics, techniques, and procedures (TTPs) have improved markedly compared with its earlier form from 2018, and it now fields a more potent arsenal for its campaigns.

The APT group has now set its sights on several entities, especially the financial sector in Europe, with the UK the most heavily targeted country on the continent.

Last March, the group began its comeback by targeting an international organisation affiliated with the global migration sector. The campaign used a malicious document loaded with macros, circulated under various filenames; researchers identified nearly a dozen such documents.

In addition, the malicious attachment uses VBA code stomping and template injection to bypass standard security detections and solutions. Evilnum also registers multiple domain names built from keywords linked to the targeted industry vertical.


The backdoor used by the Evilnum APT group is loaded with numerous capabilities and can perform several tasks. One of these is decrypting its own backdoor configuration.


Evilnum can also resolve API addresses from the libraries listed in the recovered backdoor configuration. It then checks for a mutex and builds a data string for exfiltration to be sent as part of the beacon request.
</gml_replace>
<gr_replace lines="22" cat="clarify" orig="Furthermore,">
Furthermore, the backdoor encodes and encrypts this string, using Base64, and then embeds the result in the Cookie header field. After completing these steps, the backdoor selects a command-and-control domain to which it routes a series of beacon requests.

Furthermore, the backdoor can also operate the encoding and encryption string with Base64. Subsequently, the backdoor can embed this string in the cookie header field. After completing the earlier tasks, the backdoor will choose a command-and-control domain to route a series and disseminate a beacon request.
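The beaconing behaviour described above, an encrypted blob Base64-encoded into the Cookie header, is something a proxy or network-log analyst can hunt for. The following is an added detection example, not code from the original article or from any vendor report: it parses constructed HTTP requests (not captured Evilnum traffic) and flags cookie segments whose value is a long, strictly valid Base64 string with high character entropy, which ordinary name=value session cookies rarely are.

```python
import base64
import binascii
import hashlib
import math
import re

# Constructed stand-in for an encrypted beacon payload: deterministic
# pseudo-random bytes, so the sample runs offline and reproducibly.
_FAKE_CIPHERTEXT = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(4))
SAMPLE_BLOB = base64.b64encode(_FAKE_CIPHERTEXT).decode()

# Constructed HTTP requests; none of these are real Evilnum traffic.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: shop.example\r\nCookie: sessionid=abc123; theme=dark\r\n\r\n",
    "GET /update HTTP/1.1\r\nHost: cdn.example\r\nCookie: id=" + SAMPLE_BLOB + "\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

def shannon_entropy(text):
    """Bits per character of the empirical character distribution of text."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_base64_blob(value, min_len=32, min_entropy=4.5):
    """True if value is a long, strictly valid Base64 string with high entropy."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)   # rejects bad padding / stray chars
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(value) >= min_entropy

def suspicious_cookie_segments(raw_request):
    """Return (name, value) cookie pairs whose value looks like an encrypted blob."""
    headers = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    hits = []
    for line in headers:
        if not line.lower().startswith("cookie:"):
            continue
        for segment in line[len("cookie:"):].split(";"):
            name, sep, value = segment.strip().partition("=")
            if not sep:                 # bare blob with no cookie name at all
                name, value = "", name
            if looks_like_base64_blob(value):
                hits.append((name, value))
    return hits

def scan(requests):
    """Map request index -> suspicious cookie segments, for requests that have any."""
    return {i: h for i, r in enumerate(requests) if (h := suspicious_cookie_segments(r))}
```

Legitimate opaque tokens (JWTs, signed session blobs) will also trip this heuristic, so in practice pair it with destination reputation and beacon-interval analysis rather than alerting on it alone.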

The Evilnum backdoor can also capture screenshots and send them to the command-and-control server in a POST request, with the stolen data transmitted in encrypted form.

Given the group's re-emergence, experts recommend that defenders make use of the IoCs published by the researchers monitoring it. The state-sponsored APT group appears to be interested primarily in cyberespionage. However, the origins of this evolving, ongoing threat group remain unknown to researchers.
