Evilnum, an advanced persistent threat (APT) group, has been targeting UK-based Fintech companies and others across Europe since 2018. According to ESET, an online security company, Evilnum uses spear-phishing emails and various social engineering tactics to initiate its attacks.
ESET's researchers noted that the group has now expanded its targets beyond UK and European Fintechs to firms based in Australia and Canada. However, the report did not name the targeted firms.
The research team noted:
“According to ESET’s telemetry, the targets are financial technology companies – for example, companies that offer platforms and tools for online trading. Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks.”
The threat actors appear to use custom malware, also called Evilnum, to carry out these attacks. The malicious scripts have also been referred to as CardinalRAT and CarpDownloader.
These JavaScript malware scripts were first identified a couple of years ago by US-based security firm Palo Alto Networks' Unit 42. As confirmed in 2018, the malware had been targeting Israeli Fintech firms. The Evilnum malware can steal sensitive information such as customer records, credit card numbers and even a device's Microsoft license number.
The spear-phishing emails used by the group try to infect devices with the Evilnum malware and with other malicious tools that may be purchased from other hacking groups.
It’s not clear where the Evilnum group might be based, but the threat group appears to have been successful at targeting Fintechs, Matias Porolli, an ESET threat researcher, stated.
In statements shared with Information Security Media Group, Porolli noted:
“Judging by the fact that the attacks are targeted and the potential victims are approached with specific – not mass-sent – emails, we believe the attackers were successful in their efforts.”
Evilnum has reportedly been sending phishing emails with malicious attachments posing as financial documents. Unsuspecting employees may download these files without realizing that they contain malicious scripts.
When the victim downloads these files, a Zip archive is extracted and the malicious programs it contains begin executing. The report revealed:
“The documents used as decoys are mostly photos of credit cards, identity documents, or bills with proof of address, as many financial institutions require these documents from their customers when they join, according to regulations.”
The malware then begins stealing private data, which may include customer lists, credit card details and other personally identifiable information.
Threat groups have increasingly focused on large enterprises following the COVID-19 outbreak, the report noted.
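The attack chain described above, a Zip attachment whose members pose as identity or address documents but actually carry scripts, is the kind of thing a mail gateway or triage script can check for before an employee ever opens it. The following is an added illustrative example, not ESET's tooling and not code from the Evilnum campaign: it builds a small archive in memory with constructed file names and flags members whose extension is executable, whose name uses a document extension to hide a script extension, or whose leading bytes do not match the image or PDF format the name claims. The extension and magic-byte lists are assumptions chosen for the example.

```python
"""Inspect a Zip attachment for members that look like decoy documents but
carry a script or executable.

Added illustrative example, not ESET's tooling or Evilnum's code. The
archive below is constructed in memory with made-up file names."""
import io
import zipfile

# Extensions that execute on double-click on a typical workstation (assumed list)
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".wsf", ".lnk", ".exe", ".scr",
                   ".bat", ".cmd", ".hta", ".ps1"}
# Extensions a genuine proof-of-identity or proof-of-address file would plausibly have
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".pdf"}
# Leading bytes expected for those document formats
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}


def _exts(name):
    """Return every extension of the base name, e.g. 'a.pdf.js' -> ['.pdf', '.js']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip(data):
    """Return a list of (member_name, reason) for suspicious archive members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            if not exts:
                findings.append((info.filename, "no extension"))
                continue
            last = exts[-1]
            if last in EXECUTABLE_EXTS:
                reason = "executable/script extension"
                if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
                    reason = ("document extension hiding a " + last
                              + " payload (double extension)")
                findings.append((info.filename, reason))
                continue
            if last in MAGIC:
                # Check that the content really is the format the name claims
                with zf.open(info) as member:
                    head = member.read(len(MAGIC[last]))
                if not head.startswith(MAGIC[last]):
                    findings.append((info.filename,
                                     "content does not match " + last + " header"))
    return findings


def build_sample_archive():
    """Constructed sample: a genuine-looking image, a decoy with a hidden script
    extension, and a file mislabelled as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("id_card_front.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("proof_of_address.pdf.js",
                    b"// constructed placeholder, not a real script\n")
        zf.writestr("bank_statement.pdf", b"not actually a pdf\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_archive()):
        print(f"{name}: {reason}")
```

On the constructed archive the genuine JPEG passes, the `.pdf.js` member is reported as a double extension, and the mislabelled PDF is reported because its first bytes are not `%PDF-`. A production check would also look inside nested archives and at the Windows "hide known extensions" behaviour that makes `.pdf.js` display as `.pdf`.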
Online security firm Malwarebytes reported that threat groups associated with entities in China, Russia and North Korea have been using various tactics to go after even more victims during the pandemic.
US and UK-based authorities have cautioned that these groups have been using “password spraying campaigns” to go after medical facilities, pharmaceutical firms, academic institutions, and other organizations focused on Coronavirus-related research.
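A password-spraying campaign of the kind the authorities warn about differs from brute force in a way that is visible in authentication logs: one source tries a small number of passwords against many accounts, so no single account fails often enough to lock out. The detection below is an added illustrative example, not from the US or UK advisory: it runs over constructed log lines in an assumed format (ISO timestamp, source IP, username, outcome) and flags any source whose failed logins span at least five distinct accounts within a ten-minute window, reporting any accounts that succeeded from that source in the same window.

```python
"""Flag password-spraying patterns in authentication logs: one source, few
guesses, many accounts, so per-account lockouts never trigger.

Added illustrative example, not from the advisory referenced above. The log
lines are constructed and the line format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sprays one guess across many users (and gets
# one hit); 10.0.0.9 is a single user mistyping their own password.
SAMPLE_LOG = """\
2020-07-10T09:00:01 10.0.0.5 alice FAIL
2020-07-10T09:00:03 10.0.0.5 bob FAIL
2020-07-10T09:00:05 10.0.0.5 carol FAIL
2020-07-10T09:00:07 10.0.0.5 dave FAIL
2020-07-10T09:00:09 10.0.0.5 erin FAIL
2020-07-10T09:00:11 10.0.0.5 frank FAIL
2020-07-10T09:00:13 10.0.0.5 grace SUCCESS
2020-07-10T09:01:00 10.0.0.9 heidi FAIL
2020-07-10T09:01:20 10.0.0.9 heidi FAIL
2020-07-10T09:01:40 10.0.0.9 heidi SUCCESS
"""


def parse_line(line):
    """Parse one assumed-format line into (timestamp, source_ip, user, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {"failed_users": [...], "successes": [...]}} for every
    source whose failures cover at least `min_users` distinct accounts within
    `window`. Sources that hammer a single account are not reported here."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, outcome = parse_line(line)
            events[src].append((ts, user, outcome))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over this source's events, oldest to newest
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            failed = sorted({u for _, u, o in in_window if o == "FAIL"})
            if len(failed) >= min_users:
                succeeded = sorted({u for _, u, o in in_window if o == "SUCCESS"})
                alerts[src] = {"failed_users": failed, "successes": succeeded}
    return alerts


if __name__ == "__main__":
    for src, detail in detect_spraying(SAMPLE_LOG).items():
        print(f"{src}: {len(detail['failed_users'])} accounts failed, "
              f"successes: {detail['successes']}")
```

The `successes` field is the part worth acting on: an account that authenticated from a source that had just failed against five others is a likely compromised credential, and it is exactly what a per-account lockout threshold would miss. Thresholds and window length are assumptions to tune against the environment's normal failure rate.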