EvilNum is a backdoor that can be used to steal data or load additional payloads. It includes a number of components intended to avoid detection and changes its infection path depending on which well-known antivirus product it finds on the host. TA4563 is the threat actor that uses EvilNum, particularly in campaigns against organizations that support the foreign exchange, cryptocurrency, and Decentralized Finance (DeFi) industry. The most recent activity uses updated TTPs and delivers spear-phishing emails to victims with Microsoft Word, ISO, and Windows Shortcut (LNK) files as attachments.
The malicious document reaches the victim through a spear-phishing email. When the victim opens the downloaded document, two macros are fetched from an attacker-hosted domain while decoy content is displayed. The first macro executes PowerShell scripts, decrypts PNG files, and restarts the attack chain from there. The second macro loads C# code and sends screenshots to the C2 server.
The malware then attempts to call several executables on the host; which applications run depends on the antivirus product it detects, so that it avoids being caught by that product. The second payload contains two encrypted blobs that are decrypted into an executable file (hpfde.exe) and a TMP file (devXYXY5.tmp); the latter loads shellcode and a decompressed PE file. The resulting backdoor can then be used for reconnaissance, data theft, and payload deployment.
The actor aims to collect information on both the target companies and their customers' financial data. The group is capable of harvesting information from spreadsheets and documents, the institutions' software licenses and trading credentials, browser cookies and session information, as well as email credentials and credit card information. In recent cases the payload has also given the group access to the VPN configuration of the institutions' networks.
The malware is still under active development, and a persistent adversary will keep changing its tactics to compromise systems. Employees should be trained to identify and report suspicious emails. Targeted organizations should restrict the use of container files such as ISO and LNK and block RTF files from being downloaded or opened from Word.
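One way to enforce the restriction on ISO, LNK and RTF attachments at the mail gateway, as an added example that is not part of the report and not the actor's or any vendor's code: classify attachments by file signature rather than by extension, so a renamed container still gets caught. The magic values are taken from the public ISO 9660, MS-SHLLINK and RTF formats; the sample attachments and the `triage` helper are constructed for this example.

```python
"""Triage email attachments by file signature instead of by extension.
Magic values come from the public ISO 9660, MS-SHLLINK and RTF specs;
the sample attachments below are constructed, not real malware."""

# MS-SHLLINK header: HeaderSize (0x4C) then LinkCLSID
# {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
RTF_MAGIC = b"{\\rtf"
ISO_MAGIC = b"CD001"  # ISO 9660 volume descriptor identifier
ISO_OFFSET = 0x8001   # first descriptor sits at sector 16 (0x8000); byte 0 is its type
BLOCKED_TYPES = {"iso", "lnk", "rtf"}


def identify(data: bytes) -> str:
    """Return 'lnk', 'rtf', 'iso' or 'other' from content alone."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data[ISO_OFFSET:ISO_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return "other"


def triage(filename: str, data: bytes) -> dict:
    """Block the delivery formats used in the campaign; note renamed files."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "name": filename,
        "type": kind,
        "blocked": kind in BLOCKED_TYPES,
        # A .doc that is really RTF, or an ISO renamed to .pdf, is a red flag.
        "ext_mismatch": kind in BLOCKED_TYPES and ext != kind,
    }


def triage_all(samples: dict) -> list:
    return [triage(name, data) for name, data in samples.items()]


# Constructed sample attachments: minimal headers only.
SAMPLES = {
    "invoice.pdf.lnk": LNK_MAGIC + b"\x00" * 60,
    "statement.doc": b"{\\rtf1\\ansi\\deff0 Account statement}",
    "report.iso": b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01" + b"\x00" * 2041,
    "notes.txt": b"Quarterly notes, nothing to see here.",
}
```

Running `triage_all(SAMPLES)` blocks the first three attachments and flags `statement.doc` as an RTF file hiding behind a Word extension.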