Proofpoint's threat research team has observed the hacker group, dubbed TA4563, targeting various European financial and investment firms with the EvilNum malware
EvilNum is a backdoor that can be used to steal data or download additional malware payloads. The most recently observed campaigns by the group exclusively targeted companies in the decentralized finance (DeFi) sector. Previously, however, organizations involved in foreign exchange or cryptocurrency trading also came into the crosshairs of the attackers.
DeathStalker or EvilNum at work
During its investigation, Proofpoint found that TA4563's activities partially overlap with attacks commonly associated with a group known as DeathStalker or EvilNum. Some of the activity observed by Proofpoint also overlaps with EvilNum attacks described by Zscaler in June 2022.
The campaigns now identified by Proofpoint's security experts distributed an updated version of the EvilNum backdoor in late 2021 and early 2022. The criminals used a mixture of delivery methods: ISO images, Microsoft Word documents and Windows shortcut (LNK) files. This was probably intended to test the effectiveness of the different distribution methods.
“Financial firms, particularly those dealing in cryptocurrencies in Europe, should be aware of TA4563’s activities. The group's malware, known as EvilNum, is under active development, and Proofpoint is observing that cybercriminal activity is not slowing down,” commented Sherrod DeGrippo, Proofpoint's vice president of threat research and detection.
Course of the campaigns
Proofpoint observed the first campaign in December 2021. The messages sent by TA4563 purported to be related to financial platform registration or related documents. Microsoft Word documents were used to distribute an updated version of the EvilNum backdoor.
In early 2022, the group continued to target financial companies with a new variation of the original email campaign, using multiple OneDrive URLs pointing to either an ISO or a .LNK file. The attackers used a financial lure to trick the recipient into running the EvilNum payload. Subsequent campaigns also sent a compressed .LNK file as an additional distribution channel for EvilNum.
While the hacking group's objective remained the same midway through this year, its methodology changed again. In the mid-2022 campaigns, TA4563 distributed Microsoft Word documents designed to download a remote template. The attached document communicated with the domain "http://outlookfnd[.]com", which is likely controlled by the cybercriminals behind EvilNum.
Danger from EvilNum
EvilNum malware and the TA4563 group pose a real threat to financial organizations. According to Proofpoint's analysis, the TA4563 malware is still in active development. Although the security experts have not yet observed a follow-up payload, reports from other security researchers indicate that EvilNum malware could be used to deliver one. TA4563 has adapted its attempts to trap victims using a variety of methods. As such, organizations should remain vigilant and educate their employees to keep up with the ever-changing tactics and techniques of cybercriminals.
More at proofpoint.com
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. Proofpoint's focus is the protection of employees, because they are a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.