EVILNUM

Malware updated 4 months ago (2024-05-04T17:42:56.823Z)
Evilnum is malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The Advanced Persistent Threat (APT) group DarkCasino initially used attack strategies similar to Evilnum's, employing malicious shortcut files and image steganography in its phishing attacks. If the host system is running BitDefender, Evilnum reaches out to a different URL.

A second version of Evilnum was discovered in 2019 during an unrelated incident response investigation, after it had successfully infiltrated a FinTech company. By 2021, Evilnum had evolved into a new variant that was particularly effective at evading both standard network-based and host-based detection systems; this variant resurfaced in the financial sector, causing significant concern. During this period the Water Hydra group emerged and was initially mistaken for the Evilnum APT group because of similarities in their phishing techniques. By November 2023, after several successive campaigns, including one that exploited the well-known WinRAR code execution vulnerability CVE-2023-38831 to target stock traders, it had become clear that Water Hydra was a distinct APT group from Evilnum. Even so, attributing specific attacks to either group proved challenging because their activity overlapped with that of other groups using the more_eggs malware, namely FIN6, Cobalt Group, and Evilnum. DarkCasino, which initially borrowed attack strategies from Evilnum, gradually developed its own multi-level loading patterns built on several Visual Basic components after H2 2022, enabling larger-scale network attacks.

Notably, the Russia-backed threat group Evilnum exploited a flaw in the widely used WinRAR application as a zero-day since April, using weaponized ZIP files to target cryptocurrency traders. As of the last report, a new Evilnum campaign may be on the horizon.
Description last updated: 2024-05-04T17:22:56.238Z
Aliases: none currently tracked.

Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
- APT
- Phishing
- WinRAR
- Steganography
- Vulnerability
- Malware
Associated Threat Actors

ID | Type | Votes | Profile Description
DarkCasino | Unspecified | 2 | DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it's responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private compani
Water Hydra | Unspecified | 2 | The Advanced Persistent Threat (APT) group known as Water Hydra, also referred to as DarkCasino, has been identified as a significant threat actor in the cybersecurity landscape. The group is notorious for its exploitation of CVE-2024-21412, a vulnerability that allows them to bypass Microsoft Defen
Cobalt Group | Unspecified | 2 | The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o
Associated Vulnerabilities

ID | Type | Votes | Profile Description
CVE-2023-38831 | Unspecified | 2 | CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References

Information about the EVILNUM malware was read from the documents below. This display is limited to 20 results.

Source | Created | Title
InfoSecurity-magazine | 7 months ago | Water Hydra's Zero-Day Attack Chain Targets Financial Traders
Trend Micro | 7 months ago | CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
CERT-EU | 9 months ago | Hiring? New scam campaign means 'resume' downloads may contain malware
Securityaffairs | 10 months ago | DarkCasino joins the list of APT groups exploiting WinRAR 0day
CERT-EU | 10 months ago | The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
DARKReading | a year ago | Patch Now: APTs Continue to Pummel WinRAR Bug
CERT-EU | a year ago | Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR
Securityaffairs | a year ago | Security Affairs newsletter Round 436 by Pierluigi Paganini
CERT-EU | a year ago | WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders
CERT-EU | a year ago | Traders Targeted by Cybercriminals in Attack Exploiting WinRAR Zero-Day
CERT-EU | a year ago | Threat Actor Exploits Zero-Day in WinRAR to Target Crypto Accounts
CERT-EU | a year ago | WinRAR zero-day exploited since April to hack trading accounts
CERT-EU | a year ago | WinRAR flaw lets hackers steal funds from broker accounts
MITRE | 2 years ago | Phantom in the Command Shell - Prevailion
Quick Heal Technologies Ltd. | 2 years ago | UAC Bypass Using CMSTP
DARKReading | 2 years ago | Crypto Drainers Are Ready to Ransack Investor Wallets
CERT-EU | a year ago | A new threat to financial organizations has appeared in cyberspace: the OCX#HARVESTER campaign
CERT-EU | a year ago | Researchers identify second developer behind Golden Chickens MaaS