A hacking group has reportedly introduced new trojan malware that targets Fintech service providers. The malicious scripts are designed to gain access to people’s email accounts and steal their passwords and business-related information. The malware scripts have been inserted into code taken from legitimate software applications.
As covered, these attacks have been carried out by Evilnum, an advanced persistent threat (APT) group that has been targeting UK-based Fintech companies and others throughout Europe since 2018. Evilnum uses “spear-phishing” emails and various social engineering tactics to initiate its cyberattacks, according to ESET, an online security company.
Evilnum has been quite effective at infecting computers with malware because it keeps changing and updating its scripts and other tools, so anti-virus programs may not recognize new threats immediately. Evilnum also uses many different tactics to target victims’ computer systems. The hacking group usually goes after Fintech firms based in Europe and the UK, although some victims are based in Australia and the Americas.
Referred to as PyVil RAT by Cybereason (which first detected the threat), the trojan lets attackers steal sensitive business information by secretly using keyloggers and also by taking screenshots, without the victim knowing what’s going on.
The new malware can also gather critical information about the infected computer systems, such as the version of Windows or other operating system running on the victim’s computer. The malicious scripts are also able to determine which anti-virus products, if any, are installed on targeted computers, and whether any USB devices are connected.
The phishing emails sent to the victims claim to be handling official ID documents associated with bank accounts. They may also include details related to utility bills, credit card information, and driver’s license photos.
But these are all corrupt or infected files, and if someone clicks or opens them, the malicious script will begin running on the victim’s computer. The compromised machines then come under the control of Evilnum’s command-and-control servers. The hackers are then able to steal private and sensitive information from the affected computers by issuing commands remotely, without the victim knowing what has happened.
Tom Fakterman, a cybersecurity researcher working at Cybereason, told ZDNet:
“This tactic works to their advantage in several ways, including avoiding detection and maintaining persistence – the abuse of legitimate code is more common with more sophisticated actors. We still see samples of the malware pop up and we see that the threat actors’ infrastructure is still active. The best way of protection is education, improving security hygiene and teaching employees not to be duped into opening phishing emails and not downloading information from dubious websites.”