Zscaler, creator of the Zero Trust Exchange platform, is keeping close watch on a new advanced persistent threat (APT) actor known as Evilnum.
Since the start of 2022, Zscaler’s ThreatLabz research team has identified several instances of Evilnum’s low-volume, targeted attack campaigns launched against its customers in the UK and Europe.
Microsoft Office the Preferred Target
In earlier campaigns observed in 2021, Evilnum used Windows shortcut files (LNK) sent inside malicious archive files (ZIP) as attachments in spear-phishing emails, Zscaler reports. Now the threat actor is infecting MS Office documents by way of document template injection to deliver its malicious payload to victims’ machines.
ThreatLabz has identified several domains associated with Evilnum that had flown under the radar, staying undetected for an extended period, according to Zscaler.
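Document template injection works because a .docx package can carry an attachedTemplate relationship whose target is an external URL; Word fetches that template when the document is opened. The following scanner, added here as an illustration and not code from Zscaler or ThreatLabz, looks for such relationships in a .docx. The function names, the minimal in-memory package built by build_sample_docx as a test fixture, and the placeholder URL on an .invalid domain are all constructed for this example; the relationship type and namespace URIs are the standard OOXML ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type for a document's attached template and the
# namespace of relationship parts (both from the OOXML spec, not Evilnum-specific).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return (rels_part, target) pairs for attachedTemplate relationships whose
    target is a remote URL. An empty list means no remote template was found.
    A template that points at a local path (file:///...) is normal and is not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            # Relationship parts sit in a _rels folder beside the part they describe
            # (e.g. word/_rels/settings.xml.rels); scan every one rather than assume a path.
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: skip it, nothing to assess
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_URL.match(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target=None):
    """Constructed test fixture (hypothetical helper): a minimal .docx package with
    an optional attachedTemplate relationship. Not a real lure; callers pass a
    placeholder target."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="%s">' % RELS_NS,
    ]
    if template_target is not None:
        rels.append(
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            % (ATTACHED_TEMPLATE, template_target)
        )
    rels.append("</Relationships>")
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        pkg.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % wml)
        pkg.writestr("word/settings.xml", '<w:settings xmlns:w="%s"/>' % wml)
        pkg.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean document, one with a local template, one remote.
    samples = {
        "clean": build_sample_docx(),
        "local template": build_sample_docx("file:///C:/Users/user/Templates/Normal.dotm"),
        "remote template": build_sample_docx("http://lure.example.invalid/template.dotm"),
    }
    for label, data in samples.items():
        print(label, "->", find_remote_templates(data) or "no remote template")
```

In a mail gateway or sandbox pipeline the same check can be applied to every Office attachment; a hit is a strong signal on its own, and the target host is an indicator worth correlating with freshly registered domains, which the page notes Evilnum creates per campaign.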
What We Know About the Evilnum APT
- Key targets are predominantly in the financial services sector, specifically companies dealing with trading and compliance in the UK and Europe.
- March 2022 saw a significant increase in the choice of targets, including an intergovernmental organization that manages international migration services.
- The timing of the attacks and the choice of targets coincided with the Russia-Ukraine conflict.
- Macro-based documents were subject to a VBA code stomping technique to bypass static analysis and deter reverse engineering.
- A heavily concealed JavaScript was used to decrypt and drop the payloads on the endpoint.
- All file system artifacts created during execution were given names mimicking those of legitimate Windows and third-party binaries.
- In each new instance of the campaign, Evilnum registered multiple domain names using specific keywords related to the industry vertical targeted.