EvilGrab is a malware family that has received considerable attention because of its involvement in recent attacks against high-profile targets in the Asia Pacific region. EvilGrab infections are damaging backdoor Trojans that may be used to steal information from infected computers. EvilGrab attacks are typically carried out against very specific targets rather than as widespread malware campaigns designed to infect as many computer users as possible. Typically, the attackers target specific individuals or computers in government offices throughout the Asia Pacific region using phishing email messages crafted to trick these computer users into downloading and installing EvilGrab on their computers. The main purpose of EvilGrab is to steal data from the affected computer. If you work in a government organization in the Asia Pacific region, or if you suspect that your computer has been exposed to EvilGrab, ESG security researchers strongly recommend the use of a strong anti-malware application to disinfect your computer.
The Main Targets of EvilGrab Are China and Japan
EvilGrab attacks are mainly aimed at government offices in China and Japan. EvilGrab spreads using phishing email messages that carry an attached DOC file. Although DOC files are usually ordinary Microsoft Word documents, attackers can take advantage of known vulnerabilities in this file format to embed malicious DLL and EXE files that execute code on the victim's computer when the document is opened. Although most computer users know to avoid executable email attachments and files contained in ZIP or RAR archives, many do not know that threats may also be distributed as DOC or even PDF files, and they are more likely to open this type of attachment if the accompanying email is worded convincingly.
EvilGrab is made up of three main components: two DLL files and an EXE file that installs the other two. The backdoor itself is contained in one of the DLL files; the other DLL is a loader that starts the backdoor component whenever the victim's computer boots. Once both DLLs have been installed, the EXE file deletes itself from the victim's computer to hinder detection and removal of EvilGrab. The purpose of EvilGrab is to steal information such as account passwords and even audio and video files.