Skip to content

ESET Research dissects Evilnum Group as its malware targets online trading

BRATISLAVA, MONTREAL – ESET researchers are releasing their in-depth analysis into the operations of Evilnum, the APT group behind the Evilnum malware. According to ESET’s telemetry, the targets are financial technology companies – for example, platforms and tools for online trading. Although most of the targets are located in EU countries and the UK, ESET has also seen attacks in countries such as Australia and Canada. The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.

“While this malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates,” says Matias Porolli, the ESET researcher leading the investigation into Evilnum. “Its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service provider whose infamous customers include FIN6 and Cobalt Group,” he adds.

Evilnum steals sensitive information, including customer credit card information and proof of address/identity documents; spreadsheets and documents with customer lists, investments and trading operations; software licenses and credentials for trading software/platforms; email credentials; and other data. The group has also gained access to IT-related information, such as VPN configurations.

“Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several shortcut files that extract and execute a malicious component, while displaying a decoy document,” elaborates Porolli. These decoy documents seem genuine, and they are continuously and actively collected in the group’s current operations as they try to compromise new  victims. It targets technical support representatives and account managers, who regularly receive identity documents or credit cards from their customers.

As with many malicious codes, commands can be sent to Evilnum malware. Among those are commands to collect and send Google Chrome saved passwords; take screenshots; stop the malware and remove persistence; and collect and send Google Chrome cookies to a command and control server.

“Evilnum leverages large infrastructure for its operations, with several different servers for different types of communication,” concludes Porolli.

For more technical details about the Evilnum malware and the APT group, read the full blog post “More evil: a deep look at Evilnum and its toolset” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.