APT Group Targeting FinTech Sector Changes Method of Attack

Written by

APT group Evilnum, known for its targeting of financial technology companies via fake know your customer (KYC) documents, has undergone a significant change in tactics and armory recently that the FinTech sector must be made aware of, according to an investigation by Cybereason.

First identified back in 2018, Evilnum has upgraded its attack capabilities on multiple occasions. Its main purpose is to spy on its infected targets and steal information such as passwords, documents, browser cookies and email credentials.

Typically, Evilnum’s infection chain would begin with spear-phishing emails that deliver zip archives containing LNK files masquerading as images, which then drop a JavaScript Trojan with different backdoor capabilities.

According to Tom Fakterman, threat researcher at Cybereason, the group’s infection procedure has changed substantially in recent weeks. Instead of delivering four different LNK files in a zip archive that will be replaced by a JPG file, only one LNK is archived, which masquerades as a PDF containing several documents such as utility bills and credit card photos.

When the LNK file is executed, a JavaScript file is written to disk and executed, replacing the LNK file with a PDF. This version of the JavaScript is the first stage of the infection chain, which leads to the delivery of a new Python Rat developed by Evilnum, which has been dubbed PyVil RAT.

This new Python Rat was found to have several functionalities including keylogger, running cmd commands, taking screenshots and opening an SSH shell. It can also deploy new tools, adding further functionalities for the attack when needed.

Fakterman said: “This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow.”

In addition, Cybereason revealed Evilnum has ramped up its infrastructure recently, with the list of domains associated with its C2 IP address, which changes every few weeks.

Despite these changes, Fakterman noted that “the primary method of gaining initial access to their FinTech targets stayed the same: using fake KYC documents to trick employees of the finance industry to trigger the malware.”

Speaking to Infosecurity, Fakterman commented: “Evilnum has gone to great lengths to evade prevention-focused security tools which underscores the need for organizations to invest in effective detection and response capabilities that allow for deep threat hunting on the network in order to identify threats designed to bypass initial layers of security.

“In addition, enterprises should provide their employees with regular security awareness training to better them for cyber-risks such as phishing. Also, employees should never open attachments from suspicious sources or visit dubious websites and should send suspicious emails to the IT/security team for vetting.”

What’s hot on Infosecurity Magazine?