TA4563 group leverages EvilNum malware to target European financial and investment entities

A threat actor tracked as TA4563 is using EvilNum malware to target European financial and investment entities.

A threat actor, tracked as TA4563, leverages the EvilNum malware to target European financial and investment entities, Proofpoint reported. The group focuses on entities with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi).

The EvilNum is a backdoor that can allow attackers to steal data and load additional payloads, it implements multiple components to evade detection.

The TA4563 group is targeting various entities in Europe since late 2021.

Proofpoint researchers state their analysis has some overlap with EvilNum activity publicly reported by Zscaler in June 2022.  

The analysis of a campaign that started in December 2021 revealed that the attackers used messages purported to be related to financial trading platform registration or related documents. The attackers also used weaponized Microsoft Word documents used to install an updated version of the EvilNum backdoor.

“These messages used a remote template document that analysts observed attempting to communicate with domains to install several LNK loader components, leveraging wscript to load the EvilNum payload, and a JavaScript payload that was ultimately installed on the user’s host.” reads the analysis published by Proofpoint. “These lures contained a financial theme, suggesting on one occasion that the intended victim needed to submit “proof of ownership of missing documents”.”

In early 2022, the threat actors continued to target European financial entities but used different techniques. The malspam messages attempted to deliver multiple OneDrive URLs that contained either an ISO or .LNK attachment.

In other campaigns, the messages were delivering a compressed .LNK file.

In Mid 2022, threat actors changed again its technique and started delivering Microsoft Word documents to attempt to download a remote template to start EvilNum infection.

“EvilNum malware and the TA4563 group poses a risk to financial organizations. Based on Proofpoint analysis, TA4563’s malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware including tools available via the Golden Chickens malware-as-a-service.” concludes the report. “TA4563 has adjusted their attempts to compromise the victims using various methods of delivery, whilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TA4563)

[adrotate banner=”5″]

[adrotate banner=”13″]