Evilnum
Evilnum is a financially motivated threat group active since at least 2018. It is also tracked as DeathStalker. Open-source reporting describes Evilnum as highly targeted, with a primary focus on FinTech companies in the UK and EU, and broader targeting of governments, law firms, financial firms, and cryptocurrency-related entities in the Americas, the UK, the EU, and the Middle East. The group abuses Know Your Customer (KYC) processes by using fake or stolen identity documents as phishing lures, and it seeks to steal sensitive business information, including passwords, documents, browser cookies, web session information, and email credentials.

For initial access, Evilnum has used spearphishing emails containing links to ZIP archives, including Google Drive-hosted ZIP files, as well as malicious shortcut links and LNK-based lures. Earlier campaigns used ZIP archives containing LNK files masquerading as identity and financial documents; opening them deployed a JavaScript trojan and then replaced the lure with a real image so the victim saw the expected document.

Evilnum has run malicious JavaScript files on victim machines. In newer activity, JavaScript served mainly as a first-stage dropper that led through downloader stages to the Python-based PyVil RAT. PyVil RAT supports keylogging, screenshot capture, command execution, SSH shell access, host reconnaissance, downloading additional Python scripts, dropping and uploading executables, and credential and cookie theft, including a custom Python version of LaZagne. The group has also been linked to the Python-based VileRAT malware family, described as unique to Evilnum and loaded into memory by VileLoader. VileRAT provides remote access, keystroke capture, command execution, and information harvesting; recent reporting says it has been distributed via trojanized legitimate installers, including modified Nulloy installers.

Evilnum has also used proprietary JavaScript and C# malware, as well as tools from the Golden Chickens malware-as-a-service ecosystem, including More_eggs, TerraPreter, TerraStealer, and TerraTV. TerraTV has been used to load a malicious DLL from the TeamViewer directory and to run a legitimate TeamViewer application for remote access to compromised machines. Additional reported behaviors include use of PowerShell to bypass User Account Control, use of WMI to enumerate infected machines, deployment of additional tools as needed, sandbox and virtualization checks performed by TerraLoader, and deletion of files used during infection for cleanup and defense evasion. Campaign names reported by Kaspersky include Powersing, Janicab, and PowerPepper.

Reporting further states that DarkCasino/WaterHydra split from Evilnum in late 2022, and that shared developer artifacts tie later WaterHydra/DarkCasino activity back to Evilnum as a predecessor group. Group-IB also attributed DarkMe activity to Evilnum in campaigns exploiting CVE-2023-38831 via crafted WinRAR archives distributed on trading forums and file-sharing services, leading to unauthorized access to broker accounts and fraudulent withdrawals.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Financial Services
Tradecraft
43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
Observables
22 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed as a threat actor associated with the MMC/GrimResource detection analytic.
Referenced as a threat actor associated with the execution flow hijack / mock trusted directory MSC file creation technique.
Historical predecessor group tied by lineage and developer artifacts to later WaterHydra/DarkCasino activity. In that report, Evilnum is primarily discussed as the earlier cluster in a lineage chain leading to current DarkMe-related operations.
Earlier cluster connected in the report through a 2022 DarkMe DLL sharing the same developer workspace artifact later seen in WaterHydra samples. The report frames DarkCasino/WaterHydra as initially part of Evilnum before splitting off.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.