10 July 2020

Evilnum, FIN6, and Cobalt Group share the same malware provider

Security researchers at ESET have published a report detailing activities of the Evilnum APT, a group behind the eponymous malware, which has been targeting fintech companies since at least 2018. Over the years, the group’s toolset and infrastructure have evolved and now include custom malware as well as tools bought from a malware-as-a-service (MaaS) provider called Golden Chickens, which also counts FIN6 and Cobalt Group among its customers.

According to the team, Evilnum targets financial technology companies that offer trading and investment platforms. While most of the victims are located in EU countries and the UK, ESET observed attacks against companies in Australia and Canada.

The Evilnum group is focused on obtaining financial information both from target firms and their customers. The group steals various types of data such as:

  • Spreadsheets and documents with customer lists, investments and trading operations

  • Internal presentations

  • Software licenses and credentials for trading software/platforms

  • Cookies and session information from browsers

  • Email credentials

  • Customer credit card information and proof of address/identity documents

Hackers attempt to compromise a target company via spear phishing emails that include a link to a ZIP file hosted on Google Drive. The archive contains several shortcut (LNK) files masquerading as benign documents or pictures; when opened, each extracts and executes a malicious JavaScript component while displaying a decoy document. The decoy documents are mostly photos of credit cards, identity documents, or bills serving as proof of address.
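A triage check for the lure archive described above, written as an added example for this page (it is not code from ESET or from the report). It walks a ZIP archive and flags members that are Windows shortcuts, either by their ".lnk" extension or by the fixed Shell Link header, and records the document or picture extension each one is dressed up as. Windows hides ".lnk" in Explorer by default, so a member named "scan.pdf.lnk" is shown to the user as "scan.pdf". The sample archive is constructed inline and is not a real Evilnum sample; the shortcut bodies are just the header bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Fixed header of a Windows Shell Link (.lnk) file: HeaderSize (0x4C) followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046, both little-endian on disk.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions the lures imitate: documents and pictures (assumed list, extend as needed).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}


def suspicious_lnk_members(zip_bytes: bytes) -> list[dict]:
    """Return one record per archive member that is a shortcut by extension or by
    content, noting the document/picture extension it is masquerading as (if any)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            has_lnk_extension = bool(suffixes) and suffixes[-1] == ".lnk"
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            has_lnk_magic = head == LNK_HEADER
            if not (has_lnk_extension or has_lnk_magic):
                continue
            # The extension the user sees: the one before ".lnk", or the last one
            # if the shortcut was renamed to drop ".lnk" entirely.
            if has_lnk_extension:
                visible = suffixes[-2] if len(suffixes) > 1 else None
            else:
                visible = suffixes[-1] if suffixes else None
            findings.append({
                "name": info.filename,
                "has_lnk_extension": has_lnk_extension,
                "has_lnk_magic": has_lnk_magic,
                "decoy_extension": visible if visible in DECOY_EXTENSIONS else None,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive of the kind described above (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proof of address.pdf.lnk", LNK_HEADER + b"\x00" * 32)
        zf.writestr("id_card_front.jpg.lnk", LNK_HEADER + b"\x00" * 32)
        # Shortcut renamed so that no ".lnk" appears at all; caught by the header.
        zf.writestr("passport.png", LNK_HEADER + b"\x00" * 32)
        zf.writestr("notes.txt", b"genuine text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_lnk_members(build_sample_archive()):
        print(finding)
```

Checking the header as well as the extension matters because a shortcut's behaviour does not depend on its name; an archive whose "pictures" all start with the Shell Link header is the signal, whatever they are called.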

The JavaScript component (also referred to as Evilnum) also acts as the first stage of the intrusion, deploying other malware: the Evilnum spying module, malware from the Golden Chickens MaaS, and multiple Python-based tools.

Each component works independently and has its own command and control (C&C) server, from which it receives commands as needed to install additional components and run post-compromise scripts and tools.

“Most servers used by the malware are referenced by IP addresses; domain names have not been used. The only exceptions are the C&C servers used by the Golden Chickens components,” according to the report.

“Those referenced by an IP address can be split into two groups, based on the hosting provider. The majority of them are hosted with FreeHost, a Ukrainian provider. The rest are hosted in the Netherlands, with Dotsi.”
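The observation that the C&C servers are addressed by IP rather than by domain is something a defender can hunt for directly. The following is an added example, not code from the report: it scans outbound proxy records and flags requests whose URL host is an IP literal outside the organisation's own address space. The log format and the log lines are constructed for the example (timestamp, client, method, URL, status), and the destination addresses are documentation ranges; an explicit internal-range list is used instead of the standard library's `is_global`/`is_private` flags because those classify the documentation ranges used in the sample as non-global.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges treated as "ours" and therefore not interesting (assumed list).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed proxy log lines (not taken from the report): time client method url status
SAMPLE_LOG = """\
2020-07-01T09:12:03Z 10.0.0.15 GET https://www.example.com/index.html 200
2020-07-01T09:12:07Z 10.0.0.15 POST http://203.0.113.45:8080/gate.php 200
2020-07-01T09:13:11Z 10.0.0.22 GET http://10.0.0.5/intranet/ 200
2020-07-01T09:14:40Z 10.0.0.15 GET http://[2001:db8::10]/update 404
2020-07-01T09:15:02Z 10.0.0.31 GET https://drive.google.com/uc?id=abc 200
"""


def ip_literal_host(url: str):
    """Return the host of `url` as an ip_address object if it is an IP literal
    (IPv4 or bracketed IPv6), otherwise None for a hostname or a bad URL."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETWORKS if net.version == ip.version)


def flag_ip_literal_requests(log_text: str) -> list[dict]:
    """Return the records whose destination host is an external IP literal."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        ip = ip_literal_host(url)
        if ip is None or is_internal(ip):
            continue  # hostname-based destination, or an internal address
        hits.append({"time": ts, "client": client, "method": method,
                     "dest": str(ip), "url": url, "status": status})
    return hits


if __name__ == "__main__":
    for hit in flag_ip_literal_requests(SAMPLE_LOG):
        print(hit)
```

Bare-IP destinations are noisy on some networks (CDNs, update services, monitoring agents), so treat the output as a hunting lead to be joined with the client's process and user context rather than as an alert on its own. Note also that the heuristic covers only the C&C tier: the delivery stage described above uses Google Drive, which is hostname-based and would not be flagged here.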

As for the tools purchased from the Golden Chickens MaaS, they are ActiveX components (OCX files) containing TerraLoader, a dropper for the other malware the service makes available to its customers:

  • More_eggs, a backdoor

  • TerraPreter, a Meterpreter payload

  • TerraStealer, an information stealer also known as SONE or StealerOne

  • VenomLNK

  • TerraTV, a custom DLL designed to hijack legitimate TeamViewer installations

“We believe that FIN6, Cobalt Group, and Evilnum group are not the same, despite the overlaps in their toolsets. They just happen to share the same MaaS provider,” ESET noted.
