Cybereason: Hackers Leverage ‘KYC’ Procedures to Start Attacks
Diagram showing how Evilnum uses spear-phishing emails to infect devices with the PyVil RAT (Source: Cybereason)
Evilnum, a hacking group that targets fintech firms mainly in the U.K. and Europe, is deploying a new remote access Trojan, according to Cybereason.
Evilnum is expanding its campaigns to other countries, including Canada and Australia, security firm ESET reported earlier (see: APT Group Targets Fintech Companies). The hacking group, which security researchers first discovered in 2018, is known for using spear-phishing emails and social engineering techniques.
In its latest campaign, Evilnum is deploying a new remote access Trojan that Cybereason researchers call PyVil. It’s written in the Python programming language and has capabilities that include keylogging, taking screenshots of infected devices and exfiltrating data. The Trojan can also deploy other malicious tools, such as the LaZagne malware, to steal credentials, Cybereason says.
“The campaign is active as we still see samples of the malware pop up and we see that the threat actors infrastructure is still active,” Tom Fakterman, a threat researcher at Cybereason, tells Information Security Media Group. “Evilnum has successfully maintained a low profile with highly targeted attacks against select fintech targets and has been conservative about infrastructure reuse, so there is not enough evidence to determine the potential number of victims or how successful their operations may be.”
Evilnum is targeting “know your customer” procedures at many fintech firms as a way to gain initial access to devices and networks, Cybereason reports. Financial institutions use these procedures to verify customer information to help prevent illegal activity, such as money laundering.
In the latest campaign, the Evilnum hackers are sending spear-phishing emails to employees at fintech firms who are overseeing the KYC procedures, according to the Cybereason research report.
Fake documents used as part of spear-phishing campaign (Source: Cybereason)
The emails contain zip archives for LNK files – a type of shortcut used in Windows – that appear to contain the documents needed to verify someone’s identity, Fakterman says.
The Trojan then performs various tasks, including keylogging and capturing screenshots, and it collects details, such as what anti-virus products are installed on the device, whether there are any USB devices present and what version of Chrome the victim is using, the researchers discovered.
The RAT can also run commands within an infected device and create an SSH shell that establishes a link with the command-and-control server to steal corporate data.
Fakterman notes that Evilnum is attempting to switch its tactics to avoid detection and keep one step ahead of new security procedures.
“The threat actors have many new tricks up their sleeves as the PyVil RAT is brand new,” Fakterman says. “Additional tricks include a deviation from the infection chain, persistence and infrastructure. Tools observed include modified versions of legitimate executables deployed in an attempt to remain undetected by security tools.”
Links to Other Groups?
A report Kaspersky released in August found links between the malware these Evilnum hackers use and variants that have targeted other organizations (see: Hacking-for-Hire Group Expands Cyber Espionage Campaign).
These connections have led Kaspersky researchers to conclude that Evilnum might belong to another hacking group called “DeathStalker,” which is known to target smaller law firms and financial institutions.