EVILNUM

Malware updated 7 months ago (2024-05-04T17:42:56.823Z)
Evilnum is the name both of an Advanced Persistent Threat (APT) group and of the JavaScript backdoor it deploys; the malware was first observed and reported in 2018. It is not an opportunistic, damage-oriented infection: it reaches victims through targeted spear-phishing, typically ZIP archives carrying malicious shortcut (LNK) files and, in some campaigns, image steganography, and once installed it gives the operators remote access to the host and lets them steal personal and financial information, credentials included. It also adapts to the defences it finds: if the host system is running BitDefender, Evilnum reaches out to a different URL.

A second version of Evilnum was discovered in 2019 during an unrelated incident response investigation, after it had successfully infiltrated a FinTech company. By 2021 Evilnum had evolved into a new variant that was particularly effective at evading both standard network-based and host-based detection, and it resurfaced within the financial sector, causing significant concern.

During this period the Water Hydra group, also tracked as DarkCasino, emerged and was initially mistaken for the Evilnum APT group because of similarities in phishing techniques: it borrowed Evilnum's attack strategies, employing malicious shortcuts and image steganography in its phishing attacks, before developing its own multi-level loading chains built from several Visual Basic components after H2 2022, which enabled larger-scale network attacks. By November 2023, after several successive campaigns, including one exploiting the well-known WinRAR code execution vulnerability CVE-2023-38831 to target stock traders, it was clear that Water Hydra was a distinct APT group from Evilnum. Even so, attributing specific attacks to either group remains challenging because the more_eggs backdoor is shared by several actors, namely FIN6, Cobalt Group, and Evilnum.

The WinRAR campaign is a case in point: CVE-2023-38831 was exploited as a zero-day from April 2023, using weaponized ZIP archives to target cryptocurrency traders, and some early coverage attributed that activity to Evilnum, whereas it is now associated with Water Hydra/DarkCasino. As of the last report, a new Evilnum campaign was considered possible.
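Both lure shapes mentioned above, a shortcut file dropped inside a ZIP archive and a weaponized archive built for CVE-2023-38831, can be spotted from the archive's file listing alone, before anything is extracted. The Python scanner below is an added example written for this page; it is not code from Evilnum, from WinRAR or from any vendor cited here. It assumes the publicly documented CVE-2023-38831 layout: a decoy file (say `report.pdf`) sits next to a directory whose name is the decoy's name plus a trailing space (`report.pdf `), and that directory holds a script (`report.pdf .cmd`), so that opening the decoy in a vulnerable WinRAR runs the script instead. The three sample archives are constructed in memory, and the `SCRIPT_EXTS` list and the `scan_zip`/`build_sample` names are choices made here for illustration.

```python
"""Scan ZIP archives for two lure layouts: a Windows shortcut (.lnk) inside the
archive, and the CVE-2023-38831 shape (decoy file plus a same-named directory
with a trailing space that holds a script). Sample archives are constructed
in memory; nothing here is real malware."""
import io
import posixpath
import zipfile

# Extensions Windows will execute when the shadowed decoy is "opened"
# (illustrative list chosen here, not taken from any vendor report).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com"}


def scan_zip(data: bytes) -> list:
    """Return (tag, detail) findings for the archive bytes in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()          # stored verbatim, trailing spaces survive
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:                    # directories implied by file paths
        head = posixpath.dirname(n)
        while head:
            dirs.add(head)
            head = posixpath.dirname(head)

    for n in sorted(files):
        if n.lower().endswith(".lnk"):
            findings.append(("lnk", f"shortcut file inside archive: {n!r}"))
        if any(part != part.strip() for part in n.split("/")):
            findings.append(("whitespace", f"path component padded with whitespace: {n!r}"))

    for decoy in sorted(files):
        # CVE-2023-38831: a directory named like the decoy plus trailing space(s)
        for d in sorted(dirs):
            if d.rstrip() != decoy or d == decoy:
                continue
            for n in sorted(files):
                ext = posixpath.splitext(n.rstrip())[1].lower()
                if n.startswith(d + "/") and ext in SCRIPT_EXTS:
                    findings.append(("cve-2023-38831",
                                     f"decoy {decoy!r} shadowed by {d!r} containing {n!r}"))
    return findings


def build_sample(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real captures).
BENIGN = build_sample({"quarterly_report.pdf": b"%PDF-1.4 decoy", "notes.txt": b"hello"})
LNK_LURE = build_sample({"Invoice_2023.lnk": b"L\x00\x00\x00" + b"\x00" * 60,
                         "readme.txt": b"open the shortcut"})
WINRAR_LURE = build_sample({
    "trading_strategy.pdf": b"%PDF-1.4 decoy",
    "trading_strategy.pdf /trading_strategy.pdf .cmd": b"@echo off\r\nstart stage2.exe\r\n",
})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("lnk lure", LNK_LURE), ("winrar lure", WINRAR_LURE)]:
        print(label, "->", scan_zip(blob) or "clean")
```

The check works on the central directory only, so it is safe to run on untrusted archives without extracting them; the Python `zipfile` module keeps entry names verbatim, which is what lets the trailing-space directory be seen at all. The whitespace finding is deliberately separate from the CVE-2023-38831 finding so that padded names are still surfaced when the script extension is one the list does not cover.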
Description last updated: 2024-05-04T17:22:56.238Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Phishing
WinRAR
Steganography
Vulnerability
Malware
Associated Threat Actors
Alias: DarkCasino
Description: The DarkCasino Threat Actor is associated with EVILNUM. DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it is responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private compani…
Association Type: Unspecified
Votes: 2

Alias: Water Hydra
Description: The Water Hydra Threat Actor is associated with EVILNUM. Water Hydra, also known as DarkCasino, is a threat actor group that has been exploiting the Windows SmartScreen vulnerability CVE-2024-21412 since mid-January 2024. This group has demonstrated a sophisticated attack chain, using this zero-day exploit to bypass Microsoft Defender SmartScreen and infe…
Association Type: Unspecified
Votes: 2

Alias: Cobalt Group
Description: The Cobalt Group Threat Actor is associated with EVILNUM. The Cobalt Group is a significant threat actor known for its financially motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o…
Association Type: Unspecified
Votes: 2
Associated Vulnerabilities
Alias: CVE-2023-38831
Description: The CVE-2023-38831 Vulnerability is associated with EVILNUM. CVE-2023-38831 is a vulnerability in the WinRAR software with a CVSS score of 7.8, indicating high severity. The flaw has been exploited to deliver the LONEPAGE malware through crafted ZIP files by the threat actor tracked as UAC-0099. The vulnerabil…
Association Type: Unspecified
Votes: 2
Source Document References
Information about the EVILNUM Malware was read from the documents corpus below (this display is limited to 20 results).
Source (created)
InfoSecurity-magazine (9 months ago)
Trend Micro (9 months ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
MITRE (2 years ago)
Quick Heal Technologies Ltd. (2 years ago)
DARKReading (2 years ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)