Evilnum is an advanced APT group that has been active since 2018, although its tools and methods were only discovered two years after it first began using them. Experts at Zscaler kept tracking the threat actor's activities and observed that the group had expanded its arsenal. The group started targeting an international organization involved with international migration.

Technical Details

The campaign makes use of macro-enabled documents with various filenames that contain the term "compliance"; at least nine such documents were found. To evade detection by security software, the attachments use VBA code stomping and template insertion. In each instance, Evilnum registered domain names using keywords connected with the targeted industry vertical.

Once triggered, the backdoor loaded on the compromised system performs the following steps:

  1. Decrypts the backdoor configuration (C2 domains, User-Agent strings, network paths, referrer strings, cookie-type strings).
  2. Resolves API addresses from the libraries named in the configuration.
  3. Performs a mutex check.
  4. Builds the data exfiltration string to be sent as part of the beacon request.
  5. Encrypts the generated string and encodes it with Base64.
  6. Embeds the encoded string in the Cookie header field, selecting one of the cookie-type strings from the configuration.

After completing these steps, the backdoor selects a C&C domain and a path string and sends a beacon request. The C&C may reply with a new encrypted payload. Additionally, the backdoor can capture screenshots and submit them via POST requests to the C2 server. All exfiltrated data is therefore sent in encrypted form.

Indicators of Compromise (IoCs)

C2 Domains:

  1. travinfor[.]com
  2. webinfors[.]com
  3. khnga[.]com
  4. netwebsoc[.]com
  5. infcloudnet[.]com
  6. bgamifieder[.]com
  7. bunflun[.]com
  8. refinance-ltd[.]com
  9. book-advp[.]com
  10. mailservice-ns[.]com
  11. advertbart[.]com
  12. inetp-service[.]com
  13. yomangaw[.]com
  14. covdd[.]org
  15. visitaustriaislands[.]com
  16. traveladvnow[.]com
  17. tripadvit[.]com
  18. moreofestonia[.]com
  19. moretraveladv[.]com
  20. estoniaforall[.]com
  21. bookingitnow[.]org
  22. travelbooknow[.]org
  23. bookaustriavisit[.]com
  24. windnetap[.]com
  25. roblexmeet[.]com
  26. netrcmapi[.]com
  27. meetomoves[.]com
  28. bingapianalytics[.]com
  29. azuredcloud[.]com
  30. appdllsvc[.]com
  31. udporm[.]com
  32. pcamanalytics[.]com
  33. nortonalytics[.]com
  34. deltacldll[.]com
  35. mscloudin[.]com
  36. msdllopt[.]com
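As an added detection example (not code from the Zscaler report and not Evilnum's tooling), the following Python script matches proxy records against the C2 domains listed above and flags Cookie header values shaped like the encrypted, Base64-encoded exfiltration string described under Technical Details. The tab-separated log format, the sample records, and the "decoded bytes are mostly non-text" heuristic are assumptions made for this example.

```python
import base64
import binascii
import re
from typing import Dict, List

# C2 domains copied from the IoC list above (defanged with "[.]" in the report).
C2_DOMAINS_DEFANGED = [
    "travinfor[.]com", "webinfors[.]com", "khnga[.]com", "netwebsoc[.]com",
    "infcloudnet[.]com", "bgamifieder[.]com", "bunflun[.]com", "refinance-ltd[.]com",
    "book-advp[.]com", "mailservice-ns[.]com", "advertbart[.]com", "inetp-service[.]com",
    "yomangaw[.]com", "covdd[.]org", "visitaustriaislands[.]com", "traveladvnow[.]com",
    "tripadvit[.]com", "moreofestonia[.]com", "moretraveladv[.]com", "estoniaforall[.]com",
    "bookingitnow[.]org", "travelbooknow[.]org", "bookaustriavisit[.]com", "windnetap[.]com",
    "roblexmeet[.]com", "netrcmapi[.]com", "meetomoves[.]com", "bingapianalytics[.]com",
    "azuredcloud[.]com", "appdllsvc[.]com", "udporm[.]com", "pcamanalytics[.]com",
    "nortonalytics[.]com", "deltacldll[.]com", "mscloudin[.]com", "msdllopt[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged IoC ("example[.]com") back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def host_matches_c2(host: str) -> bool:
    """Match the host itself or any subdomain of a listed C2 domain."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_encoded_blob(value: str, min_len: int = 40, max_text_ratio: float = 0.7) -> bool:
    """Heuristic (an assumption of this example) for the encrypted-then-Base64
    string the report describes: a long, valid Base64 value whose decoded bytes
    are mostly not printable text. Ordinary session cookies are usually shorter
    or decode to readable text, so they fall through."""
    if len(value) < min_len or not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(1 for b in raw if 0x20 <= b < 0x7F)
    return printable / len(raw) <= max_text_ratio


def parse_cookie_values(cookie_header: str) -> List[str]:
    """Extract the value part of every name=value pair in a Cookie header.
    The cookie name is ignored on purpose: the backdoor picks it from its config."""
    values = []
    for part in cookie_header.split(";"):
        if "=" in part:
            values.append(part.split("=", 1)[1].strip())
    return values


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan tab-separated proxy records (constructed format: ts, src, method,
    host, path, Cookie header or "-") and return one finding per suspicious request."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue
        ts, src, method, host, path, cookie = fields
        reasons = []
        if host_matches_c2(host):
            reasons.append("known-c2-domain")
            if method.upper() == "POST":
                reasons.append("post-to-c2")  # screenshot upload path described above
        if cookie != "-" and any(is_encoded_blob(v) for v in parse_cookie_values(cookie)):
            reasons.append("encoded-cookie-blob")
        if reasons:
            findings.append({"ts": ts, "src": src, "host": host, "method": method,
                             "reasons": ",".join(reasons)})
    return findings


# Constructed sample data: an "encrypted" payload is mimicked with non-text bytes.
SAMPLE_BLOB = base64.b64encode(bytes(range(0x80, 0xB0))).decode()  # 48 bytes -> 64 chars

SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\t10.0.0.5\tGET\tcdn.travinfor.com\t/index.php\tPHPSESSID=" + SAMPLE_BLOB,
    "2024-01-01T10:00:02Z\t10.0.0.5\tPOST\ttravinfor.com\t/upload.php\t-",
    "2024-01-01T10:00:03Z\t10.0.0.7\tGET\twww.example.org\t/\tsid=abc123; theme=dark",
    "2024-01-01T10:00:04Z\t10.0.0.7\tGET\tshop.example.org\t/cart\tprefs="
    + base64.b64encode(b'{"currency":"EUR","lang":"en","cart":[1,2,3]}').decode(),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The domain match is the high-confidence signal; the cookie-shape check is a weaker, behaviour-based one that can still fire after the actor rotates domains, which is why both are reported separately rather than folded into a single score.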

Conclusion

Since Evilnum is an active threat, use of the IoCs listed in this report is recommended. Although the origins of this threat actor are still unknown, its victimology suggests state-sponsored cyberespionage campaigns.
