Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management
APT Group Targets Fintech CompaniesReport: Little-Known Evilnum Group Relies on Spear-Phishing Emails
A little-known advanced persistent threat group dubbed Evilnum has been targeting fintech firms in the U.K. and Europe over the past two years, using spear-phishing emails and social engineering to start their attacks, according to the security firm ESET.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
In a report released Thursday, ESET researchers say the group recently expanded its targets beyond British and other European firms to companies in Canada and Australia. The report did not name any of the targeted companies.
"According to ESET's telemetry, the targets are financial technology companies - for example, companies that offer platforms and tools for online trading," the researchers note. "Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks."
The APT group is believed to use a malware strain that is also called Evilnum, but is sometimes referred to as CardinalRAT and CarpDownloader, according to ESET.
The spear-phishing emails the APT group uses attempt to infect devices with the Evilnum malware as well as other types of malicious code purchased or rented from other hacking groups.
The ESET report does not draw a conclusion as to where the Evilnum group is based. But it's likely the threat actors have had some success targeting fintech firms since their activities began in 2018, says Matias Porolli, an ESET threat researcher.
"Judging by the fact that the attacks are targeted and the potential victims are approached with specific - not mass-sent - emails, we believe the attackers were successful in their efforts," Porolli tells Information Security Media Group.
Evilnum's first step is sending out spear-phishing emails to technical support representatives and account managers within the target organization with financial document attachments as a lure, the researchers note.
"The documents used as decoys are mostly photos of credit cards, identity documents, or bills with proof of address, as many financial institutions require these documents from their customers when they join, according to regulations," the report notes.
The ESET researchers also point out that these documents appear to be genuine and may have been collected by the threat actors from various sources to add legitimacy to their attacks.
Once the targeted victim clicks on the LNK file to view one of the documents, the malware begins to load in the background and infect their device, according to the report.
Once the attackers successfully infect devices and a network, the malware steals sensitive corporate data, such as customer lists, credit card information and other personally identifiable data, along with the firm's investments and trading operations data, the ESET researchers report.
The attackers then use a number of additional Golden Chicken tools to perform anti-debugging techniques and identify anomalies in order to identify a sandbox. If one is spotted, this technique will prevent the code from executing to help prevent detection, the researchers add. These tools also help the attackers collect data from victims’ email applications and gain additional persistence, according to the report.
In the final stage of the attack, the group deploys a Python-based infrastructure to take additional screen shots, perform key-logging and collect data. The malware then snatches the device's Microsoft Office and Windows licenses and sends them to the command-and-control server.
Rise in APT Attacks
Since the start of the COVID-19 pandemic, APT groups have turned their attention to large enterprises, security experts note.
For example, an April report from security firm Malwarebytes found that APT groups with links to China, Russia and North Korea were using new tactics to target an increasing number of victims.
In May, U.S. and U.K. authorities warned that APT groups are using "password spraying campaigns" to target medical institutions, pharmaceutical companies, universities and others conducting COVID-19 research (see: Alert: APT Groups Targeting COVID-19 Researchers).