SOC Incident Toolkit
 Hack For Hire Group Targets Legal, Finance and Travel Institutions


Tags: Jannicab, Deathstalker, Hack for Hire, Powersing, Evilnum, Rebsec, Void Balaur

Unlike malware-as-a-service (MaaS) operators, hacking-for-hire companies carry out sophisticated, hands-on attacks and exploit vulnerabilities in the course of their campaigns, according to a report by researchers. The group's interest in gathering sensitive business information leads the researchers to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.

Indicators of Compromise

Domains (393)

process.name
mizuhogroup.us
vote.anobaka.info
careers.mizuhogroup.us
offerings.cloud
angelbridge.capital
abf-cap.co
bankofamerica.nyc
tptf.us
www.abf-cap.com
docs.azure-protection.cloud
beyondnextventures.co
anobaka.jp
smbcgroup.us
tptf.co
tptf.ltd
mufg.tokyo
kvaladrigrosdrom.top
it.zvc.capital
kerymarynicegross.top
(+373 more)

Hashes (2813)

5f4f006bfb9136c304e0aabf75575360120d022567180ce6b9c1835e209c541e61a227bf4c5c1514f5cbd2f37d98ef5bda9f0e7dc6c52044fa29bea5337b4792b8b873373ba99ad816d5c9f5f275f03f46e6816ab170cd2d081230df6f3c6f12305f0e60bd84ced931f9bd9bde1caa1c51c97ebe601ef079b16bcd87af827b0be5283d967cf53577520861a1833ae99489c307f98da01b4b71627bf5d3fa0c09e0631b2172ee0c6499168ed9dd399ae46303343f9f0da189aee11c67bd868222d3503e87df528ce3b07ca6d94d1ba9fc5249c568fb2746786504b049bbd5d9c8d8f6290517c114e73e03ab30165098f6089eec7cc454066c2b6720e2b0c9971ba9b91aa097713132e4ea03422d3915bab1c4207420279d99ee402186d1e3a16d6ab9398a3966cb4e8d6f111dd98fb07158547d0080a9b9cba698c73b42c2499cdbb704166e9e30c699c7111089fe364ce47f1dc05c8bc703087407551649376d90d1743bac75aac8ef3179d498793bf4234f708d3be286330b4340ed812dc82ce636c00fa5c9bef2f14c5bad5219b1ed5166eb02f5ff08a890a181cef2af565f3fe7bcea9c870e22+2793 more

IPv4 (85)

104.168.174.80
104.168.249.50
155.138.159.45
152.89.247.87
149.28.247.34
172.86.121.130
185.236.231.74
185.161.209.117
185.62.189.210
185.161.209.28
94.103.81.47
45.67.228.152
66.206.18.186
185.161.209.87
45.156.24.97
209.99.40.222
80.87.192.249
87.120.37.68
185.161.208.20
5.206.227.81
(+65 more)

CVEs (3)

CVE-2022-41040 (Microsoft Exchange Server server-side request forgery, one half of the "ProxyNotShell" chain)
CVE-2022-41082 (Microsoft Exchange Server remote code execution via PowerShell remoting, the other half of the chain)
CVE-2022-41352 (Zimbra Collaboration Suite arbitrary file write through cpio archive handling in Amavis, leading to remote code execution)
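The indicator lists above are only useful once they are run against telemetry. The following Python is an added example, not code from the page or from the researchers it cites: it loads the domains and IPv4 addresses shown above into a matcher and scans log lines for them, treating any subdomain of a listed domain as a hit while rejecting look-alikes such as `notmizuhogroup.us`. The hashes are left out because the extracted page runs them together without boundaries, and the DNS and proxy log lines are constructed for the demonstration.

```python
"""Match the DeathStalker/Evilnum network indicators listed above against log lines.

Added example, not code from the page or from the researchers it cites. The
indicator sets below are copied from the Domains and IPv4 lists; the file
hashes are omitted because the extracted page runs them together without
boundaries. The log lines are constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# 'process.name' appears in the page's domain list but is a log field name,
# not a hostname, so it is deliberately left out.
IOC_DOMAINS = {
    "mizuhogroup.us", "vote.anobaka.info", "careers.mizuhogroup.us",
    "offerings.cloud", "angelbridge.capital", "abf-cap.co",
    "bankofamerica.nyc", "tptf.us", "www.abf-cap.com",
    "docs.azure-protection.cloud", "beyondnextventures.co", "anobaka.jp",
    "smbcgroup.us", "tptf.co", "tptf.ltd", "mufg.tokyo",
    "kvaladrigrosdrom.top", "it.zvc.capital", "kerymarynicegross.top",
}
IOC_IPS = {
    "104.168.174.80", "104.168.249.50", "155.138.159.45", "152.89.247.87",
    "149.28.247.34", "172.86.121.130", "185.236.231.74", "185.161.209.117",
    "185.62.189.210", "185.161.209.28", "94.103.81.47", "45.67.228.152",
    "66.206.18.186", "185.161.209.87", "45.156.24.97", "209.99.40.222",
    "80.87.192.249", "87.120.37.68", "185.161.208.20", "5.206.227.81",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A dotted name containing at least one letter, so bare IPs are not picked up
# a second time as hostnames.
HOST_RE = re.compile(r"\b(?=[a-z0-9.-]*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def matching_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of.

    The suffix test is anchored on a dot, so 'notmizuhogroup.us' does not hit
    'mizuhogroup.us'; when several listed domains match, the longest wins.
    """
    host = host.lower().rstrip(".")
    hits = [d for d in IOC_DOMAINS if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def find_iocs(line: str) -> Dict[str, List[str]]:
    """Return the listed domains and IPs that one log line references."""
    found: Dict[str, List[str]] = {"domains": [], "ips": []}
    for ip in IP_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # rejects look-alikes such as 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS and ip not in found["ips"]:
            found["ips"].append(ip)
    for host in HOST_RE.findall(line.lower()):
        domain = matching_domain(host)
        if domain and domain not in found["domains"]:
            found["domains"].append(domain)
    return found


def scan(lines: List[str]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return every line that references at least one indicator, with its hits."""
    results = []
    for line in lines:
        hits = find_iocs(line)
        if hits["domains"] or hits["ips"]:
            results.append((line, hits))
    return results


# Constructed DNS and proxy log lines; 203.0.113.5 is a documentation address.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z dns client=10.0.0.12 query=login.mizuhogroup.us type=A",
    "2024-03-01T10:03:40Z dns client=10.0.0.15 query=notmizuhogroup.us type=A",
    "2024-03-01T10:05:02Z proxy src=10.0.0.12 dst=185.161.209.117:443 "
    "host=docs.azure-protection.cloud action=allow",
    "2024-03-01T10:06:10Z proxy src=10.0.0.20 dst=203.0.113.5:443 host=example.com action=allow",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(hits, "<-", line)
```

Run on the sample lines, the first and third produce hits (a subdomain of `mizuhogroup.us`, and both the proxy destination and the hostname on the same line); the look-alike and the benign proxy line produce none. For production use, replace the two sets with the full 393-domain and 85-address lists and feed real log lines into `scan`.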

Notes

Conclusion

The group has continued to update its malware toolset to maintain stealth over extended periods. DeathStalker harvests sensitive business information from its victims, which indicates that it is either offering hacking-for-hire services or acting as an information broker in financial circles. Organizations in the affected industries (legal, finance and travel) should prepare proactively for such intrusions and update their defensive strategies accordingly.

Mitigation
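The ATT&CK technique table under this heading attributes to Evilnum, among other things, DLL search-order hijacking through a malicious DLL planted in the TeamViewer directory (T1574.001), LNK and JavaScript payloads delivered by spearphishing link (T1204.001, T1059.007) and use of a legitimate TeamViewer binary for remote access (T1219). As an added example, not code from the page, from MITRE or from the cited ESET report, the following Python applies one detection rule for each of those behaviours to constructed Sysmon-style events. The hijackable DLL names, the %APPDATA% drop location and the user-writable path list are assumptions for the demonstration; the page does not name them.

```python
"""Behavioural detections for three Evilnum techniques from the ATT&CK table in this section.

Added example; not code from the page, MITRE or the cited ESET report. Events
are constructed dicts shaped like Sysmon fields (EventID 7 image load, EventID 1
process create); a real deployment would feed them from a SIEM. DLL names, paths
and the drop location are assumptions for the demonstration.
"""
import ntpath
from typing import Dict, List, Optional

Event = Dict[str, object]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEAMVIEWER_DIRS = ("c:\\program files\\teamviewer\\", "c:\\program files (x86)\\teamviewer\\")
# Assumed list: Windows DLLs commonly planted for search-order hijacking. The page
# says only that TerraTV loads "a malicious DLL" from the TeamViewer directory.
HIJACKABLE_DLLS = {"msi.dll", "version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # assumed drop locations


def base(path: object) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(str(path)).lower()


def rule_dll_hijack(ev: Event) -> Optional[str]:
    """T1574.001: a well-known Windows DLL name loaded from outside System32/SysWOW64."""
    if ev.get("EventID") != 7:
        return None
    loaded = str(ev["ImageLoaded"]).lower()
    if base(loaded) in HIJACKABLE_DLLS and not loaded.startswith(SYSTEM_DIRS):
        return f"T1574.001 {base(ev['Image'])} loaded {loaded}"
    return None


def rule_script_from_explorer(ev: Event) -> Optional[str]:
    """T1204.001: explorer.exe (a double-clicked LNK) starting a script host on a user-writable path."""
    if ev.get("EventID") != 1:
        return None
    cmd = str(ev.get("CommandLine", "")).lower()
    if (base(ev.get("ParentImage", "")) == "explorer.exe"
            and base(ev.get("Image", "")) in SCRIPT_HOSTS
            and any(p in cmd for p in USER_WRITABLE)):
        return f"T1204.001 explorer.exe -> {base(ev['Image'])}: {cmd}"
    return None


def rule_teamviewer_offpath(ev: Event) -> Optional[str]:
    """T1219: TeamViewer.exe started from somewhere other than its install directory."""
    if ev.get("EventID") != 1:
        return None
    image = str(ev.get("Image", "")).lower()
    if base(image) == "teamviewer.exe" and not image.startswith(TEAMVIEWER_DIRS):
        parent = base(ev.get("ParentImage", ""))
        return f"T1219 teamviewer.exe run from {ntpath.dirname(image)} (parent {parent})"
    return None


RULES = (rule_dll_hijack, rule_script_from_explorer, rule_teamviewer_offpath)


def run_rules(events: List[Event]) -> List[str]:
    """Apply every rule to every event; return the alert strings in event order."""
    alerts: List[str] = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed events: a dropped TeamViewer loading a planted msi.dll, a legitimate
# TeamViewer loading the real msi.dll, a JS file run from Downloads, a benign
# notepad launch, and TeamViewer started from %APPDATA% by the script host.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\TV\\TeamViewer.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\TV\\msi.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \"C:\\Users\\alice\\Downloads\\documents\\photo.js\""},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\Downloads\\notes.txt"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\TV\\TeamViewer.exe",
     "CommandLine": "TeamViewer.exe"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The three malicious events each raise exactly one alert and the two benign ones raise none. The DLL rule keys on the loaded path rather than on TeamViewer specifically, so it also catches the same trick against any other signed host binary; the TeamViewer rule is a path heuristic and will need an allow-list where portable installs are legitimate.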

<div><b>Evilnum</b></div><div>Evilnum is a financially motivated threat group that has been active since at least 2018.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></div>
<div><b>Techniques Used</b></div>
<div><table class="table techniques-used background table-bordered">
<thead><tr><th>Domain</th><th>ID</th><th>Name</th><th>Use</th></tr></thead>
<tbody>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1548">T1548</a></td><td><a href="https://attack.mitre.org/techniques/T1548/002">.002</a></td><td><a href="https://attack.mitre.org/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002">Bypass User Account Control</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has used PowerShell to bypass UAC.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1059">T1059</a></td><td><a href="https://attack.mitre.org/techniques/T1059/007">.007</a></td><td><a href="https://attack.mitre.org/techniques/T1059">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007">JavaScript</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has used malicious JavaScript files on the victim's machine.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1555">T1555</a></td><td><a href="https://attack.mitre.org/techniques/T1555">Credentials from Password Stores</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> can collect email credentials from victims.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1574">T1574</a></td><td><a href="https://attack.mitre.org/techniques/T1574/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1574">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/001">DLL Search Order Hijacking</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has used the malware variant TerraTV to load a malicious DLL placed in the TeamViewer directory instead of the original Windows DLL located in a system folder.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1070">T1070</a></td><td><a href="https://attack.mitre.org/techniques/T1070/004">.004</a></td><td><a href="https://attack.mitre.org/techniques/T1070">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004">File Deletion</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has deleted files used during infection.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1105">T1105</a></td><td><a href="https://attack.mitre.org/techniques/T1105">Ingress Tool Transfer</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> can deploy additional components or tools as needed.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1566">T1566</a></td><td><a href="https://attack.mitre.org/techniques/T1566/002">.002</a></td><td><a href="https://attack.mitre.org/techniques/T1566">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002">Spearphishing Link</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has sent spearphishing emails containing a link to a zip file hosted on Google Drive.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1219">T1219</a></td><td><a href="https://attack.mitre.org/techniques/T1219">Remote Access Software</a></td><td><a href="https://attack.mitre.org/software/S0568">EVILNUM</a> has used the malware variant TerraTV to run a legitimate TeamViewer application to connect to compromised machines.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1539">T1539</a></td><td><a href="https://attack.mitre.org/techniques/T1539">Steal Web Session Cookie</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> can steal cookies and session information from browsers.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1204">T1204</a></td><td><a href="https://attack.mitre.org/techniques/T1204/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1204">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001">Malicious Link</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links, which download a .LNK file.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
<tr><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1497">T1497</a></td><td><a href="https://attack.mitre.org/techniques/T1497/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001">System Checks</a></td><td><a href="https://attack.mitre.org/groups/G0120">Evilnum</a> has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments.<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/">[1]</a></td></tr>
</tbody></table>
<b>Software</b></div>
<div><table class="table table-bordered table-alternate mt-2">
<thead><tr><th>ID</th><th>Name</th><th>References</th><th>Techniques</th></tr></thead>
<tbody><tr><td><a href="https://attack.mitre.org/software/S0568">S0568</a></td><td><a href="https://attack.mitre.org/software/S0568">EVILNUM</a></td><td><a href="https://www.prevailion.com/phantom-in-the-command-shell-2/">[2]</a></td><td><a href="https://attack.mitre.org/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1070">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1070">Indicator Removal</a>, <a href="https://attack.mitre.org/techniques/T1105">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 
124, 172); background-color: transparent;">Software Discovery</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1539" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal Web Session Cookie</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Regsvr32</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1102/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">One-Way Communication</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management 
Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0349</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LaZagne</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1555/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keychain</a>,&nbsp;<a 
href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1555/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Credential Manager</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1003/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">/etc/passwd and /etc/shadow</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1003/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cached Domain Credentials</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1003" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1003/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proc Filesystem</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials In Files</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0284" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0284</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0284" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">More_eggs</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">Application Layer Protocol</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>,&nbsp;<a 
href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Regsvr32</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>,&nbsp;<a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>:&nbsp;<a href="https://attack.mitre.org/techniques/T1016/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internet Connection Discovery</a>,&nbsp;<a 
href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td></tr></tbody></table></div>