Evilnum Hackers Target Financial Institutions with New Python-Based RAT

An adversarial group, known for its focus on the fintech sector since 2018, has updated its tactics by introducing a new Python-based remote access Trojan (RAT) designed to extract sensitive information from compromised systems. The group, identified as Evilnum, has refined its infection strategies and is now deploying the PyVil RAT, capable of stealing passwords, various documents, browser cookies, email credentials, and performing keylogging functions.

Researchers from Cybereason noted that Evilnum’s tactics, techniques, and procedures (TTPs) have evolved significantly over the years. This evolution is evidenced by their deployment of new tools and infrastructure aimed specifically at financial technology targets. Notably, the group has shifted its approach by altering the infection chain while simultaneously enhancing its ability to maintain persistence within compromised networks.

In recent campaigns, Evilnum has targeted businesses across the UK and EU, utilizing backdoors implemented in JavaScript and C#. The group has also made use of tools obtained from Malware-as-a-Service offerings, particularly from a provider known as Golden Chickens. Their previous campaigns included spear-phishing emails that directed recipients to ZIP files hosted on platforms like Google Drive, with the intent of harvesting software licenses and financial documents. While their fundamental approach remains consistent, recent reports indicate a substantial shift in their infection methodology.

In particular, Evilnum has moved away from JavaScript-based Trojans to a simpler JavaScript dropper, which delivers malicious payloads embedded in modified versions of legitimate executables. This change appears to be a deliberate attempt to evade detection. Researchers emphasize that the new infection chain begins with a JavaScript component and ends with the deployment of the PyVil RAT, which is packaged with py2exe.

Once executed, the first-stage delivery executable, named “ddpp.exe”, initiates communication with a command-and-control (C2) server and receives an encrypted second executable. That second stage downloads the Python RAT, marking a significant pivot in the group’s operational tactics. Earlier campaigns used only IP addresses for C2 communication, but the group now also relies on a growing list of domains pointing at its IP address, making its traffic harder to identify and block.
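As an added, illustrative example (not code from the Cybereason report or from any Evilnum sample), the Python snippet below correlates constructed process and network events to surface the chain just described: a script host running the JavaScript dropper spawns a first-stage executable, which contacts a C2 host and drops a second executable. The event format, hostnames, paths and the assumption that the dropper runs under wscript.exe or cscript.exe are all constructed for the example; only the ddpp.exe name comes from the article.

```python
import ntpath
from collections import defaultdict

# Assumption: the JavaScript dropper runs under a Windows Script Host binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon-style events (process creation and network connection).
# Only "ddpp.exe" is taken from the article; every other value is made up.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\ddpp.exe"},
    {"type": "network", "pid": 300, "dest": "c2.example.invalid", "port": 443},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\App\app.exe"},
    {"type": "network", "pid": 500, "dest": "update.example.invalid", "port": 443},
]


def correlate(events):
    """Return one finding per executable spawned directly by a script host,
    with the destinations it connected to and the children it launched."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            net[e["pid"]].append(e["dest"])

    findings = []
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None:
            continue
        # Stage 1: a script host (the JavaScript dropper) launching an .exe
        if ntpath.basename(parent["image"]).lower() not in SCRIPT_HOSTS:
            continue
        if not proc["image"].lower().endswith(".exe"):
            continue
        # Stage 2: anything that .exe itself spawned (the decrypted second executable)
        children = [c for c in procs.values() if c["ppid"] == pid]
        findings.append({
            "dropper_pid": parent["pid"],
            "stage1": ntpath.basename(proc["image"]),
            "c2": net.get(pid, []),
            "stage2": [ntpath.basename(c["image"]) for c in children],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The benign app.exe launched by explorer.exe is not reported even though it makes an outbound connection; the script-host parent is the discriminating condition.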

Despite uncertainty regarding Evilnum’s origins, its adaptable toolset allows it to stay under the radar. As its techniques continue to evolve, it becomes increasingly important for businesses to remain vigilant against such threats. Employees should be especially cautious with email and verify the authenticity of attachments, particularly those from unfamiliar senders, to reduce the risk of phishing and malware infection.

The potential MITRE ATT&CK techniques associated with these operations include initial access via phishing, persistence through the use of backdoors and malicious payloads, and privilege escalation through the deployment of the RAT. Business owners must remain aware of such evolving threats in the cybersecurity landscape to protect their organizations from financial and data breaches.
