Evilnum Group targets European and British fintech companies

Pierluigi Paganini July 11, 2020

A threat actor tracked as Evilnum targeted financial technology companies, mainly the British and European ones, ESET researchers reported.

Evilnum threat actor was first spotted in 2018 while using the homonym malware. Over the years, the group added new tools to its arsenal, including custom and homemade malware along with software purchased from the Golden Chickens malware-as-a-service (MaaS) provider.

The group aimed at harvesting financial information from financial technology companies, such as trading platforms. Most of the targets are located in EU and in the UK, but experts also observed attacks against companies in Australia and Canada.

“The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.” reads the report published by ESET. “Some examples of the information this group steals include:

  • Spreadsheets and documents with customer lists, investments and trading operations
  • Internal presentations
  • Software licenses and credentials for trading software/platforms
  • Cookies and session information from browsers
  • Email credentials
  • Customer credit card information and proof of address/identity documents”

Hackers launched spear-phishing attacks against the victims, attempting to trick them into accessing a Google Drive link that pointed to a ZIP file. The archive contains LNK (shortcut) files that extract and execute JavaScript code while displaying a decoy document (usually a photo of an ID, credit card, or a bill to prove the physical address).

ESET believes that the hackers are using documents collected during their current operations to facilitate new attacks in which decoy documents seem genuine.

The JS script would also act as a dropper for additional payloads, including a C# spyware, Golden Chickens components, and Python-based applications.

Threat actors used a dedicated C2 server for each component that is installed via manual commands.


The initial JavaScript could also act as a backdoor even if it has been used only to deploy additional components. Experts observed several variants of the script since May 2018, having different server-side code for the C&C and supporting different commands.

“Despite the differences, the core functionalities remain the same in all versions, including the retrieval of the C&C server’s address from GitHub, GitLab or Reddit pages created specifically for that purpose,” states ESET.

The C# component includes an MSI file that can run independently of the JavaScript and that connects to a different C&C. The most recent variant can take screenshots, run commands and files, send information to the server, and achieve persistence.

The version 4.0 implements the following capabilities:

  • Take screenshots if the mouse has been moved in a period of time, and send them to the C&C, base64 encoded. The image is stored in a file called SC4.P7D
  • Run commands
  • Run other binaries via cmd.exe
  • Send information such as computer name, username and antivirus installed
  • Persist in a compromised system by creating registry keys

According to ESET, the Golden Chickens components used by Evilnum are from the TerraLoader family, they include More_eggs, TerraPreter, TerraStealer (also known as SONE or Stealer One), and TerraTV.

Older versions of these components were previously used by the FIN6 APT group in attacks on eCommerce merchants.

Evilnum also uses other post-compromise tools, including Python-based tools (a reverse shell over SSL script, an SSL proxy, LaZagne, and IronPython), and other publicly available tools.

“The Evilnum group has been operating for at least two years and was active at the time of this writing.” concludes ESET.

“This group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have kept its activities largely under the radar. We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group,”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Evilnum)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment