After studying the EVILNUM malware, researchers found that this threat is not complex, particularly, but its capabilities are enough to allow the attackers to inject additional payloads into the targeted system, as well as execute arbitrary code. The EVILNUM malware also is able to take screenshots of the user's desktop and active windows. The screenshots are exfiltrated to the C&C server of the EVILNUM threat's operators. This feature would enable the attackers to collect data such as login credentials, information, private conversations, classified documents, etc.
Malware experts have spotted several copies of the EVILNUM malware, which all had slight differences from one another. A variant of the EVILNUM malware, which was released in 2018, did not have the aforementioned ability to take screenshots, while a later version of the threat, spotted in 2019, was fully capable of taking screencaps. This led them to believe that the EVILNUM threat is not an abandoned project but a hacking tool that is receiving regular updates from its creators.
EVILNUM has been used alongside the Remote Access Trojan Cardinal RAT in some campaigns – particularly campaigns against Israeli financial targets – but experts say there is little evidence that the two are connected. There has yet to be any clear evidence that EVILNUM is being deployed against targets in a specific geographical region.
Hiding in Plain Sight
One of the most notable indications the attackers are updating their software to adapt to their surroundings came with version 3.6. The version was created to bypass two particular antivirus tools. The earlier version could get past one of them, but not the other. It could avoid BitDefender before, but not Avast. Now it can get past both.
Attackers have also used registry keys that change location based on the antivirus software on the target machine. This allows the threat actors to maintain a presence on the computer even when the computer is restarted. The virus actually adapts and changes how it works based on the antivirus software.
Security researchers at Prevailion have seen the virus hide behind a unique obfuscation technique that works similar to a "dead drop." The method allows infected computers to establish communication with the C2 server on a one-way basis. The hackers behind EVILNUM use remote web pages through web forums to serve as "dead drop" sites for communication.
The websites find the command-and-control server to make detecting communications even more difficult.
The EVILNUM Lure
Targets of EVILNUM 3.6 were sent a URL link to a Google Drive download. The download was a ZIP file created to compress files. When users download and access the data, they download documents altered by the attacker. The documents have information on real figures that could be creating accounts with financial institutions.
The documents impersonate high-profile people, including the CEO of a British bank, an English investment company, a Canadian financial executive, and an individual working for a managed cloud services provider in Finland. The efforts of the group behind EVILNUM seem to be focused on financial institutions rather than large-scale scams.
It is unclear just what the attackers hope to achieve, but security experts worry about the potential for a second attack stage. The malware is capable of grabbing files from servers controlled by attackers, converting data into bytes, and receiving binary data. These are all signs that there could be a second stage that is yet to come.
Security experts saw several functions that indicate there is a second stage of the attack. There is enough evidence to suggest that this was just a way to get a feel for targets, and more is on the way in the future.
It would appear that the authors of the EVILNUM malware are using it as a first-stage payload that would allow them to collect data regarding the host and plant more malware on the infected computer. Make sure not to become a victim to the EVILNUM malware by protecting your PC with a reputable anti-spyware solution.