Evilnum is the name of an Advanced Persistent Threat (APT) group that security researchers first spotted in 2018. For its relatively short existence, Evilnum has been tied to a number of attacks. While the group's tooling has changed over time, its targeting has stayed consistent: Evilnum has gone, and continues to go, after financial technology (fintech) companies. Its activity has concentrated on companies in the EU and the UK, with a smaller number of targets in Canada and Australia. One of the most recent additions to Evilnum's arsenal is a remote access trojan written in Python, which the researchers at Cybereason who analysed it named PyVil RAT.
In its recent attacks Evilnum has not deviated from its usual MO: it still favours precisely targeted spear-phishing over wider, more generic phishing campaigns. In earlier campaigns the lure was a ZIP archive containing four different .lnk (Windows shortcut) files posing as images; when the victim opened one, the shortcut ran its malicious payload and then replaced itself on disk with a decoy .jpg so that nothing looked amiss. In the PyVil RAT campaign the archive holds just one .lnk file, this time posing as a .pdf that supposedly bundles the kind of know-your-customer documents a fintech firm expects to receive: photos of credit cards, utility bills and ID documents. Because Windows Explorer never displays the .lnk suffix, a file named like a PDF is shown to the user as a PDF.
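The masquerade described above (a shortcut file whose name ends in a document extension before the hidden .lnk suffix) is easy to check for before an attachment reaches a user. The script below is an added example and is not code from the original article or from the Evilnum research it summarises; it identifies shortcut files by the fixed Shell Link header rather than trusting the file name, and the ZIP archive it scans is constructed in memory with illustrative file names, not real lure names from the campaign.

```python
"""Flag Windows shortcut (.lnk) files that masquerade as documents inside a ZIP.

Added example, not code from the article or from the Evilnum research.
The sample archive is constructed in memory so the script runs offline;
member names are illustrative, not real lure names.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Shell Link header: HeaderSize (0x0000004C) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")

# Extensions an attacker wants the user to *think* they are opening.
DOC_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "xls", "xlsx"}


def looks_like_lnk(data: bytes) -> bool:
    """True if the first 20 bytes are a valid Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def masquerade_extension(name: str) -> Optional[str]:
    """Return the document extension a .lnk name hides behind, if any.

    Explorer never shows the .lnk suffix, so 'scans.pdf.lnk' is displayed
    to the user as 'scans.pdf'.
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOC_EXTENSIONS:
        return parts[-2]
    return None


def scan_archive(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious member of the archive."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            is_lnk = looks_like_lnk(head)
            hidden_as = masquerade_extension(info.filename)
            if is_lnk and hidden_as:
                findings.append({"member": info.filename, "severity": "high",
                                 "reason": f"shortcut displayed to the user as .{hidden_as}"})
            elif is_lnk:
                findings.append({"member": info.filename, "severity": "medium",
                                 "reason": "shortcut file inside an attachment"})
            elif hidden_as:
                # Named like a shortcut but the bytes are not one: still worth a look.
                findings.append({"member": info.filename, "severity": "low",
                                 "reason": "double extension without shortcut header"})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a fake shortcut named like a lure, a benign PDF, a plain .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Valid header followed by padding; enough to be recognised, not a working shortcut.
        zf.writestr("Documents/credit_card_and_id_scans.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Documents/invoice.pdf", b"%PDF-1.4\n% harmless placeholder\n")
        zf.writestr("Documents/readme.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(f"[{finding['severity']}] {finding['member']}: {finding['reason']}")
```

Checking the header rather than only the name matters in both directions: a renamed shortcut is still executed by Explorer only when its real extension is .lnk, but an attachment filter that keys on the name alone can be bypassed with a benign-looking outer name, and one that keys on the header alone will miss the social-engineering angle of the double extension.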
PyVil RAT offers a broad set of capabilities tailored to the group's needs. Its most notable features include:
- Running cmd commands
- Taking screenshots
- Downloading additional Python modules to extend its functionality
- Dropping and uploading executable files
- Opening an SSH shell
- Collecting system information, including installed antivirus products, connected USB devices and the installed Chrome version
PyVil RAT is modular. The RAT ships with a configuration module that holds the current PyVil version, the domains of its C&C servers and the user agents to use when communicating with them. C&C communication is carried in HTTP POST requests and is encrypted with the RC4 stream cipher using a hardcoded key that is stored base64-encoded in the malware. Because the key is fixed and RC4 is symmetric, an analyst who lifts the key from a sample can decrypt every captured exchange, and the lack of any per-message nonce means beacons with the same plaintext prefix produce the same ciphertext prefix. The modular design lets the C&C server push new Python modules for PyVil to execute; during analysis one such module was a customised version of the LaZagne Project, used to dump stored passwords and collect browser cookies.
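The following is an added example, not PyVil's own code, showing what the RC4-with-base64-key scheme above looks like in practice and why it is weak. The key string, the JSON field layout of the beacon and the use of raw RC4 output as the POST body are all constructed assumptions for illustration; the real sample's key and message format are not reproduced here. The same `rc4` function serves both the malware side (encrypting a beacon) and the analyst side (decrypting a captured body with the key lifted from the sample).

```python
"""RC4 C&C payload encryption with a base64-encoded hardcoded key.

Added example, not PyVil's own code. KEY_B64, the JSON beacon layout and the
sample beacons are constructed placeholders, not values from the real sample.
"""
import base64
import json
from typing import Any, Dict

# Placeholder for the base64 string an analyst would lift from the sample.
KEY_B64 = "U3VwZXJTZWNyZXRSYzRLZXkh"  # base64 of b"SuperSecretRc4Key!" (constructed)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), XORed over data.

    RC4 is symmetric: the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def load_key(key_b64: str = KEY_B64) -> bytes:
    """Decode the hardcoded base64 key into the raw RC4 key bytes."""
    return base64.b64decode(key_b64)


def encrypt_beacon(fields: Dict[str, Any], key_b64: str = KEY_B64) -> bytes:
    """Malware side: serialise a check-in as JSON and RC4-encrypt it (assumed wire format)."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return rc4(load_key(key_b64), plaintext)


def decrypt_beacon(body: bytes, key_b64: str = KEY_B64) -> Dict[str, Any]:
    """Analyst side: decrypt a captured POST body with the key taken from the sample."""
    return json.loads(rc4(load_key(key_b64), body).decode())


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two messages have in common.

    With a fixed key and no nonce, every beacon is XORed with the same keystream,
    so identical plaintext prefixes yield identical ciphertext prefixes. That is a
    usable network signature and a sign the traffic is trivially decryptable.
    """
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed beacons from two hosts running the same build.
    first = encrypt_beacon({"av": "Defender", "host": "WS01"})
    second = encrypt_beacon({"av": "Defender", "host": "WS02"})
    print("decrypted:", decrypt_beacon(first))
    print("identical ciphertext prefix bytes:", shared_prefix_len(first, second))
```

The `rc4` routine is checked against the well-known test vector (key `Key`, plaintext `Plaintext`, ciphertext `bbf316e8d940af0ad3`), so it can be dropped into a capture-decoding script as-is; only the key and the message layout need to be replaced with what the sample actually uses.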
PyVil RAT is just one of the new tools Evilnum has adopted. Like many other APT groups, APT29 for example, Evilnum keeps developing new tactics and techniques, which is what makes groups of this kind a persistent and significant threat to organisations of any size.