
The New Target: Immigrations
Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.
Indicators of Compromise
Hashes (2760)
IPv4 (75)
Emails (1)
APT Groups
Evilnum
Notes
<p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>Active since 2018, the APT TA4563 (also known as Evilnum) is a group that has launched several low-volume but targeted attack campaigns against victims in the UK and Europe. The group initially only targeted the financial sector but has now switched gears and is targeting immigration organizations. Its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group. The key targets of the Evilnum APT group have predominantly been in the FinTech (financial services) sector, specifically companies dealing with trading and compliance in the UK and Europe. The timeline of the attack and the nature of the chosen target coincided with the Russia-Ukraine conflict.</span></p><p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>Evilnum was also observed targeting organizations related to cryptocurrency and DeFi, placing backdoors in their systems which allow the threat actors to steal valuable information or wait for opportunities to compromise financial platforms.</span></p><p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>The APT group targeted an intergovernmental organisation (IGO), an entity created via treaty through which two or more nations work on issues of common interest. This attack, then, is at the highest level in terms of immigration-related impact.</span></p><p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called "Compliance" but also "Complaint" or "Proof of ownership", among others.</span></p><p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.</span></p><p class="MsoNormal" style="margin: 0cm;"><font color="#000000"><span style="font-size: 16px;">You may be wondering why Evilnum would pivot to immigration. Multiple organizations that were set up after Russian troops invaded Ukraine are assisting Ukrainian refugees. The lawyers that help to run the groups don't know much about cyber security but are still following strict regulations regarding client data by default. However, even though they're performing security-centric tasks to keep data secure, they may not notice the crossover.</span></font></p><p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>The new instances of the campaign use updated tactics, techniques, and procedures. In earlier campaigns observed in 2021, the main distribution vector used by this threat group was Windows Shortcut files (LNK) sent inside malicious archive files (ZIP) as email attachments in spear-phishing emails to the victims.</span></p><p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>Evilnum's primary goal was to spy on organizations and glean financial information from both the organization and their customers. Examples of the information the threat actor has been able to obtain include:</span></p><ul style="margin-bottom: 0cm; color: rgb(0, 0, 0); margin-top: 0cm;"><li class="MsoNormal">Internal presentations</li><li class="MsoNormal">Spreadsheets that include lists, trading operations, and investments</li><li class="MsoNormal">Software licenses</li><li class="MsoNormal">Credentials for trading software</li><li class="MsoNormal">Email credentials</li><li class="MsoNormal">Addresses, credit card information, and identity documents for customers</li><li class="MsoNormal">VPN configurations and other IT-related information</li></ul>
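<p class="MsoNormal" style="margin: 0cm; font-size: 12pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><span>The persistence described above (a scheduled task whose payload is named after a legitimate Windows binary) can be hunted for in exported task definitions. The following is an added example written for this note, not code from the report or the threat actor; it assumes a constructed Task Scheduler XML sample and a small illustrative allow-list of binary names and trusted directories.</span></p>

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumption: a short illustrative set of Windows binary names that malware
# commonly imitates; extend it from your own baseline.
WINDOWS_BINARY_NAMES = {
    "svchost.exe", "explorer.exe", "rundll32.exe", "conhost.exe",
    "dllhost.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
}

# Directories where those binaries legitimately live (lower-case, no trailing slash).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Namespace used by Task Scheduler task definitions (as exported by schtasks /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def is_trusted_dir(command_path: str) -> bool:
    """True when the executable sits in one of the trusted Windows directories."""
    directory = ntpath.dirname(command_path).lower().rstrip("\\")
    return directory in TRUSTED_DIRS


def suspicious_exec_actions(task_xml: str) -> list[str]:
    """Return Exec commands whose file name imitates a Windows binary but which
    run from an untrusted location (for example a user profile directory).
    Bare names and %VAR%-prefixed paths are also returned, for manual review."""
    root = ET.fromstring(task_xml)
    findings = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        command = (cmd.text or "").strip().strip('"')
        name = ntpath.basename(command).lower()
        if name in WINDOWS_BINARY_NAMES and not is_trusted_dir(command):
            findings.append(command)
    return findings


# Constructed sample task definition (not taken from any real incident):
# one action runs a look-alike "svchost.exe" from a user profile folder,
# the other runs the genuine conhost.exe from System32.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Adobe\svchost.exe</Command></Exec>
    <Exec><Command>C:\Windows\System32\conhost.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for hit in suspicious_exec_actions(SAMPLE_TASK_XML):
        print("suspicious scheduled task action:", hit)
```

Run it over every task exported from a host to surface actions that borrow a system binary's name while living outside the Windows directories; only the look-alike path is reported for the sample above.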
Mitigation
<ul style="margin-bottom: 0cm; color: rgb(0, 0, 0); margin-top: 0cm;"><li class="MsoNormal" style="margin: 9pt 0cm; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;"><font>Ensure your website uses HTTPS. Most sites I've seen in this realm use a combination of a contact email and/or a web form. You don't want sensitive information intercepted because of insecure websites. As few people as possible should have admin access to the site, and to anything related to publishing. Use as few extensions and plugins as possible. Paying for domain anonymity services is useful if required.</font></li><li class="MsoNormal" style="margin: 9pt 0cm; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;"><font>Consider using an alias for public-facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).</font></li><li class="MsoNormal" style="margin: 9pt 0cm; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;"><font>If you have the choice of SMS codes or authentication apps/hardware-based security keys for 2FA, choose the latter. 
SMS won't work without signal reception, and fraudsters may divert your SMS codes via <a href="https://en.wikipedia.org/wiki/SIM_swap_scam" target="_blank"><span style="color: rgb(51, 122, 183);">SIM swapping</span></a>.</font></li><li class="MsoNormal" style="margin: 9pt 0cm; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;"><font>Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won't pre-fill your details into the bogus portal.</font></li></ul>