Evilnum is an advanced APT group that has been operating since 2018. However, two years after it first began using them, its tools and methods were discovered. Experts at Zscaler kept an eye on the threat actor’s activities and observed that the gang had increased its arsenal. The group started targeting an international organization involved with international migration.
Technical Details
The campaign makes use of documents with macros that have various filenames and contain the term “compliance”. There were found to be at least nine of these documents. To evade being detected by the security software, the attachment uses VBA code stomping and template insertion. In each instance, Evilnum used specific keywords connected with the industry vertical to register domain names.
- The compromised system’s loaded backdoor executes the following activities once it is stimulated:
- Decrypts the backdoor configuration (C2 domains, User-Agent strings, network paths, referrer strings, cookies type strings).
- Resolves API addresses from the libraries retrieved from the configuration
- Performs a mutex check
- Builds data exfiltration string to be sent as part of the beacon request
- Encrypt and encode the generated string with Base64
- Embed the encoded string inside the cookie header field by selecting one of the cookie-type strings from the configuration.
Once performing the process that defines, the backdoor chooses a C&C domain, a route string, and sends out a beacon request. Even so, the C&C might reply with a new encrypted payload. Additionally, the backdoor has the ability to capture screenshots and submit them via POST requests to the C2 server. As a result, data exfiltration occurs in an encrypted format.
Indicators of Compromise(IoCs)
C2 Domains:
- travinfor[.]com
- webinfors[.]com
- khnga[.]com
- netwebsoc[.]com
- infcloudnet[.]com
- bgamifieder[.]com
- bunflun[.]com
- refinance-ltd[.]com
- book-advp[.]com
- mailservice-ns[.]com
- advertbart[.]com
- inetp-service[.]com
- yomangaw[.]com
- covdd[.]org
- visitaustriaislands[.]com
- traveladvnow[.]com
- tripadvit[.]com
- moreofestonia[.]com
- moretraveladv[.]com
- estoniaforall[.]com
- bookingitnow[.]org
- travelbooknow[.]org
- bookaustriavisit[.]com
- windnetap[.]com
- roblexmeet[.]com
- netrcmapi[.]com
- meetomoves[.]com
- bingapianalytics[.]com
- azuredcloud[.]com
- appdllsvc[.]com
- udporm[.]com
- pcamanalytics[.]com
- nortonalytics[.]com
- deltacldll[.]com
- mscloudin[.]com
- msdllopt[.]com
Conclusion
Use of the IOCs mentioned in the report is recommended since Evilnum is an active threat. Even though the origins of this threat actor are still unknown, its victimology suggests that states are supporting cyberespionage campaigns.
Comments