Evilnum APT Targeting United Kingdom and Europe

Industries: Financial Services, Government | Level: Tactical | Source: Zscaler

Zscaler's ThreatLabz have been tracking activities of the Evilnum APT group since the start of 2022. The threat group has been targeting entities in the United Kingdom and Europe, primarily focusing on financial service organizations, specifically those associated with trading and compliance. However, Zscaler has also observed the threat group targeting an intergovernmental organization involved with international migration services in March 2022. In 2021, the threat actor was commonly observed utilizing LNK shortcut files in their attacks, the group recently transitioned to Microsoft Office documents. The artifacts left by the threat actors have been named carefully "to spoof legitimate Windows and other legitimate third-party binaries' names." Initial access begins with a phishing email containing the malicious document, as an attachment or link to download, upon opening the victim will be asked to enable macro contents. Key aspects of the infection, Zscaler captured involved "Macro-based documents used in the template injection stage leveraged VBA code stomping technique to bypass static analysis and to deter reverse engineering. A heavily obfuscated JavaScript was used to decrypt and drop the payloads on the endpoint. The JavaScript configured a scheduled task to run the dropped binary. This JavaScript has significant improvements in the obfuscation technique compared to the previous versions used by EvilNum APT group." Evilnum APT group's network infrastructure has not been identified by security vendors, demonstrating the group's proficiency to operate stealthily.

Anvilogic Scenario:

• Evilnum APT - Malicious Document - Infection Chain

Anvilogic Use Cases:

• Rare executable from Microsoft Office
• Suspicious process Spawned by Java
• Executable Process from Suspicious Folder