NSFOCUS Security Labs recently detected a string of related phishing attacks. Analysis confirmed that these activities were staged by the APT group Evilnum and were a continuation of the group's recent operation DarkCasino.
This round of attacks began in late July and lasted until early August. Evilnum maintained a consistent attack methodology and toolset throughout the campaign: PIF-type and archive-type decoy files, attack chains built on the self-developed DarkMe trojan, and a variety of third-party tools. DarkCasino is an APT operation observed by NSFOCUS Security Labs that mainly targets western European countries in the Mediterranean region and goes after the cash flows of online transactions. For more information, refer to Operation DarkCasino: In-depth Analysis of Attacks by APT Group Evilnum.
About APT Group Evilnum
Evilnum is a financially motivated threat group that has been active in the UK and Europe since 2018. It mainly targets online trading platforms, stealing transaction credentials in order to take the cash held in the accounts of both parties to a trade.
The group is named after a trojan called Evilnum, whose alias is DeathStalker.
Its typical attack method is to disguise malicious programs as customer identification documents, trick trading platform employees into running them, and then steal valuable information from the victim host with an implanted spy trojan.
Evilnum has strong development capabilities and can design complex attack flows and components. NSFOCUS Security Labs has previously observed and disclosed multiple highly complete attack flows launched by the group, together with a range of self-developed trojans.
Evilnum attackers still targeted online transactions in this campaign.
The names of the decoy documents captured by NSFOCUS Security Labs reveal who the attacks were aimed at.
Table 1 Decoy file names
These lures were disguised as common transaction documents such as bills, lists, and invoices in order to reach operations staff. Some of the keywords indicate that the targets accept cryptocurrency payments.
These characteristics match those seen in previous Evilnum operations. The group habitually uses such lures against online transaction systems with the aim of stealing money from the accounts of both transaction parties. Targeted industries include online banking, Internet finance, cryptocurrency platforms, online entertainment, and others.
The typical attack flow used in this campaign was similar to attack flow B in Operation DarkCasino, with some adjustments.
Figure 1. Attack flow A
Attack flow A, shown in the figure above, was used in the late-July campaign. A downloader trojan with a double extension was packaged in a compressed file and delivered to the victim, who was tricked into running it. The downloader then fetched the next-stage trojan bCMLm.exe from http[:]//102.37.220[.]234/htdocs/.
bCMLm.exe is a dropper trojan: it wrote three built-in files to the %TEMP% system directory and executed the UI.exe file.
Once lddAw.exe ran, it loaded the E.ocx library, which read hidden data from the steganographic image file bump.bmp. The hidden data was the file ShellRunDllVb.dll, which E.ocx then loaded and executed.
ShellRunDllVb.dll is a DarkMe trojan frequently used by the Evilnum group; it can carry out file operations and execute CMD commands. ShellRunDllVb.dll communicated with the C&C server c9spus[.]com:333.
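The page does not say how the payload was concealed inside bump.bmp, only that E.ocx read hidden data out of the image. One cheap triage check a defender can run on any BMP pulled from a %TEMP% drop is to parse the file and bitmap headers, compute where the pixel rows must end, and compare that with the real file length: a well-formed image has nothing past the last row, so any surplus is a carrier for appended data. The script below is an added example written for this article, not tooling from the campaign or from NSFOCUS; the sample image and the appended bytes are constructed inline, and the "trailing bytes" heuristic is an assumption about one common hiding technique, so it will not catch data hidden in pixel bits.

```python
import struct

BMP_FILE_HEADER_LEN = 14
BITMAPINFOHEADER_LEN = 40


def build_bmp(width, height, fill=b"\x10\x20\x30"):
    """Construct a minimal uncompressed 24-bit BMP (sample input, not a file from the campaign)."""
    stride = ((width * 24 + 31) // 32) * 4                      # rows are padded to 4-byte boundaries
    row = (fill * width)[: width * 3] + b"\x00" * (stride - width * 3)
    pixels = row * height
    off_bits = BMP_FILE_HEADER_LEN + BITMAPINFOHEADER_LEN
    file_header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    dib_header = struct.pack(
        "<IiiHHIIiiII",
        BITMAPINFOHEADER_LEN, width, height, 1, 24,
        0,                                                      # BI_RGB: no compression
        len(pixels), 2835, 2835, 0, 0,
    )
    return file_header + dib_header + pixels


def analyze_bmp(data):
    """Compare the pixel area implied by the headers with the real file length.

    For a well-formed image trailing_bytes is 0; anything larger is data the
    image viewer never touches and a steganographic loader could read back.
    """
    if len(data) < BMP_FILE_HEADER_LEN + BITMAPINFOHEADER_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size, off_bits = struct.unpack_from("<I4xI", data, 2)       # bfSize, bfOffBits
    _dib_size, width, height, _planes, bpp, compression, _size_image = struct.unpack_from(
        "<IiiHHII", data, BMP_FILE_HEADER_LEN
    )
    if compression != 0:
        raise ValueError("only uncompressed (BI_RGB) bitmaps are handled here")
    stride = ((abs(width) * bpp + 31) // 32) * 4
    expected_end = off_bits + stride * abs(height)              # height < 0 means top-down rows
    trailing = len(data) - expected_end
    return {
        "width": width,
        "height": abs(height),
        "bits_per_pixel": bpp,
        "declared_size": declared_size,
        "actual_size": len(data),
        "expected_end_of_pixels": expected_end,
        "trailing_bytes": max(trailing, 0),
        "header_size_matches": declared_size == len(data),
        "suspicious": trailing > 0 or declared_size != len(data),
    }


if __name__ == "__main__":
    clean = build_bmp(3, 2)
    hidden = b"CONSTRUCTED-HIDDEN-PAYLOAD" * 4                   # stand-in for a smuggled file
    print(analyze_bmp(clean))
    print(analyze_bmp(clean + hidden))
```

The check is deliberately conservative: it reports both the surplus past the pixel rows and whether bfSize still agrees with the on-disk length, because a loader that fixes up the header after appending its payload defeats the second test but not the first.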
In early August, Evilnum adjusted the attack flow: the remote-download stage was dropped and the dropper trojan was delivered directly as a shortcut file.
Figure 2. Attack flow B
In attack flow B, shown in the figure above, the first-stage payload was disguised as a PIF shortcut whose double extension led victims to take it for a PDF file. The payload was a dropper trojan: it wrote three built-in files to the %TEMP% system directory and executed the lddAw.exe file. The rest of the chain was almost identical to the one used in late July.
In addition, Evilnum made extensive use of third-party trojans such as AgentTesla and FormBook, delivered in much the same way as attack flow B. These commodity trojans have strong data-theft capabilities and let the attackers harvest further valuable information such as credentials.
This round of activity shows that the Evilnum group remains active and has a clear division of labor. Its developers keep iterating on the attack tools to improve their effectiveness and their resistance to detection, while its operators keep trying new delivery methods and rapidly adjust the execution chain for better results. As Evilnum continues to broaden its targeting, ordinary users who conduct online transactions should be alert to attacks of this kind to avoid leaking personal information and suffering the resulting financial loss.
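Both attack flows lean on the same trick: an executable whose name carries a document extension before the real one, delivered either inside an archive (flow A) or as a PIF shortcut (flow B). Explorer never displays the .pif extension, so a name such as invoice.pdf.pif is shown simply as a PDF. The script below is an added example written for this article, not code from the campaign or from NSFOCUS; it classifies file names by their extension chain and applies that check to the entries of an in-memory ZIP, the way a mail gateway or sandbox would inspect an attachment before a user opens it. The extension lists and every file name in the sample archive are constructed for the demonstration and are not the lure names from Table 1.

```python
import io
import zipfile

# Extensions Windows will execute when the file is opened (assumption: not exhaustive).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "lnk", "vbs", "js", "hta", "msi"}
# Extensions a victim expects to see on a transaction document or picture.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "csv", "txt", "jpg", "jpeg", "png"}


def classify_filename(name):
    """Classify one file name by its extension chain.

    'invoice.pdf.pif' has a document extension followed by an executable one;
    that pairing is the masquerade pattern and is flagged as such.
    """
    base = name.rsplit("/", 1)[-1]                               # drop any folder path inside the archive
    parts = [p.strip().lower() for p in base.split(".")]         # strip() defeats 'list.xlsx   .exe' padding
    if len(parts) < 2 or not parts[-1]:
        return {"name": name, "verdict": "no-extension"}
    final, inner = parts[-1], parts[1:-1]
    shown_as = next((p for p in inner if p in DOCUMENT_EXTS), None)
    if final in EXECUTABLE_EXTS and shown_as:
        return {"name": name, "verdict": "double-extension-masquerade",
                "executes_as": final, "shown_as": shown_as}
    if final in EXECUTABLE_EXTS:
        return {"name": name, "verdict": "executable", "executes_as": final}
    return {"name": name, "verdict": "benign-extension"}


def scan_archive(zip_bytes):
    """Return the entries of an in-memory ZIP that would run as programs when opened."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_filename(info.filename)
            if verdict["verdict"] in ("double-extension-masquerade", "executable"):
                flagged.append(verdict)
    return flagged


def build_sample_archive():
    """Constructed archive standing in for a phishing attachment; all names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0823.pdf.pif", b"not a real program")
        zf.writestr("docs/Payment list.xlsx .exe", b"not a real program")
        zf.writestr("Statement.pdf", b"%PDF-1.4 constructed")
        zf.writestr("docs/readme.txt", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(build_sample_archive()):
        print(hit)
```

The classifier keys on the last extension because that is what the Windows shell uses to choose a handler; everything before it is display text as far as execution is concerned. Treating a bare executable inside a "documents" archive as reportable, not only the double-extension case, keeps a renamed .pif from slipping through.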
Indicators of Compromise (IoCs)