EVILNUM

Malware updated 5 months ago (2024-11-29T14:12:02.810Z)
Download STIX
Preview STIX
Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even hold data hostage for ransom. Initially, the Advanced Persistent Threat (APT) group DarkCasino used attack strategies similar to Evilnum, employing malicious shortcuts and image steganography to carry out phishing attacks. If a host system is running BitDefender, Evilnum will reach out to a different URL. A second version of Evilnum was discovered in 2019 during an unrelated incident response investigation, having successfully infiltrated a FinTech company. By 2021, Evilnum had evolved into a new variant that was particularly effective at evading both standard network- and host-based detection systems. This variant resurfaced within the financial sector, causing significant concern. During this period, the Water Hydra group emerged, initially mistaken for the Evilnum APT group due to similarities in their phishing techniques. However, by November 2023, after several successive campaigns, including one exploiting the well-known WinRAR code execution vulnerability CVE-2023-38831 to target stock traders, it became clear that Water Hydra was a distinct APT group from Evilnum. Despite this distinction, attributing specific attacks to either group proved challenging due to overlapping activity with other groups using more_eggs, namely FIN6, Cobalt Group, and Evilnum. The APT group DarkCasino, which initially borrowed attack strategies from Evilnum, gradually developed its own multi-level loading patterns based on several Visual Basic components after H2 2022, enabling larger-scale network attacks. Notably, the Russia-backed threat group Evilnum exploited a flaw discovered in the widely used software application WinRAR as a zero-day bug since April, using weaponized ZIP files to target cryptocurrency traders. As of the last report, there is potential for a new Evilnum campaign on the horizon.
Description last updated: 2024-05-04T17:22:56.238Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Malware
WinRAR
Steganography
Vulnerability
Cybercrime
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Golden Chickens Malware is associated with EVILNUM. Golden Chickens, also known as More_eggs, is a stealthy and capable malware suite primarily used by financially-motivated cybercrime groups such as the Cobalt Group and FIN6. The malware was initially discovered in 2018 and has been primarily targeting organizations in Southeast Asia, stealing sensiUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cobalt Group Threat Actor is associated with EVILNUM. The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus oUnspecified
3
The Darkcasino Threat Actor is associated with EVILNUM. DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it's responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private companiUnspecified
2
The Water Hydra Threat Actor is associated with EVILNUM. Water Hydra, also known as DarkCasino, is a threat actor group that has been exploiting the Windows SmartScreen vulnerability CVE-2024-21412 since mid-January 2024. This group has demonstrated a sophisticated attack chain, using this zero-day exploit to bypass Microsoft Defender SmartScreen and infeUnspecified
2
The FIN6 Threat Actor is associated with EVILNUM. FIN6, also known as ITG08, Skelaton Spider, and MageCart, is a notorious threat actor group associated with significant cyber-attacks. The group initially gained notoriety for successfully stealing credit cards through point of sale (POS) systems in retail and hospitality establishments, notably cauUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-38831 Vulnerability is associated with EVILNUM. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabilUnspecified
2
Source Document References
Information about the EVILNUM Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Recorded Future
11 days ago
InfoSecurity-magazine
a year ago
Trend Micro
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
2 years ago
DARKReading
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
MITRE
2 years ago
Quick Heal Technologies Ltd.
2 years ago
DARKReading
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago