The attack hides in Windows systems by impersonating several legitimate programs.

Evilnum, a group known for targeting financial technology companies, has added new malware and infection tricks to its arsenal, researchers warn. The group is suspected of offering APT-style hacker-for-hire services to other entities, a growing and worrying trend that is changing the threat landscape.

Evilnum appeared on the radar of security companies in 2018 when it started targeting FinTech companies throughout Europe with spear-phishing emails that try to pass off malicious files as scans of credit cards, utility bills, ID cards, driver’s licenses and other identity verification documents required by know-your-customer (KYC) regulations in the financial sector.

The emails included links to ZIP archives hosted on Google Drive that contained specially crafted Windows shortcut files (LNK) posing as JPG images. The LNK files had malicious JavaScript code attached to them which, if executed, started an infection chain resulting in the deployment of a JavaScript-based Trojan.

Researchers from security firm Cybereason have recently observed some changes in Evilnum’s techniques. Instead of multiple LNK files masquerading as pictures, the group’s ZIP archives now contain a single LNK file that poses as a PDF document with scans of the required KYC documents. This LNK file also has JavaScript attached to it, but the code now serves only as a dropper: instead of a full-blown JavaScript-based Trojan, it deploys a new malware program written in Python.
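A shortcut with a script attached is detectable without running it: the LNK format is a sequence of fixed structures ending in a terminal ExtraData block, so any bytes after that block were put there by someone other than Explorer. The following Python script is an added example (it is not from the article or from Cybereason’s analysis) that walks the structures, extracts the launch command, and flags the combination of a decoy document extension, a script-host target and appended data. The two sample shortcuts are constructed inline by the `build_lnk` helper; their launch command, file names and appended script text are hypothetical placeholders, not Evilnum’s own.

```python
import struct

# ShellLinkHeader magic: HeaderSize 0x4C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}
# in its on-disk little-endian layout.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# LinkFlags bits ([MS-SHLLINK] 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7

# Hosts a document decoy has no business launching, and decoy extensions typical of KYC-themed lures.
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx")


def parse_lnk(raw):
    """Walk the LNK structures in order and report where the file should end; bytes past that point are foreign."""
    if raw[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", raw, 0x14)[0]
    show_command = struct.unpack_from("<I", raw, 0x3C)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", raw, off)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        off += struct.unpack_from("<I", raw, off)[0]
    strings = {}
    for bit, field in STRING_FIELDS:                # StringData: CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", raw, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            chunk = raw[off:off + count * width]
            strings[field] = chunk.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += count * width
    while off + 4 <= len(raw):                      # ExtraData blocks; a BlockSize < 4 terminates the list
        size = struct.unpack_from("<I", raw, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    return {"flags": flags, "show_command": show_command, "strings": strings,
            "structure_end": off, "trailing": raw[off:]}


def triage_lnk(filename, raw):
    """Combine the structural facts with the lure's naming into a verdict."""
    info = parse_lnk(raw)
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    launch = " ".join(info["strings"].get(k, "") for k in ("relative_path", "arguments")).strip().lower()
    findings = {
        "launch": launch,
        "decoy_extension": stem.endswith(DECOY_EXTENSIONS),
        "script_host": any(host in launch for host in SCRIPT_HOSTS),
        "appended_bytes": len(info["trailing"]),
        "minimised_window": info["show_command"] == SW_SHOWMINNOACTIVE,
    }
    findings["suspicious"] = findings["script_host"] and (findings["decoy_extension"] or findings["appended_bytes"] > 0)
    return findings


def build_lnk(relative_path, arguments, appended=b"", show_command=1):
    """Assemble a minimal LNK (no IDList or LinkInfo) and append an optional payload after the terminal block."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<II", flags, 0)         # LinkFlags, FileAttributes
    header += b"\x00" * 24                                     # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiIH", 0, 0, show_command, 0)      # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                                     # Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body + struct.pack("<I", 0) + appended     # 4-byte terminal ExtraData block


# Constructed samples (not Evilnum's actual shortcuts): a KYC-style decoy that launches cmd.exe, opens
# minimised and carries script text after the terminal block, and an ordinary shortcut to notepad.
APPENDED_SCRIPT = b"\r\n// constructed stand-in for the attached dropper script\r\nvar sh = WScript.CreateObject('WScript.Shell');\r\n"
DECOY_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r'/c "%TEMP%\stage1.js"',
                      appended=APPENDED_SCRIPT, show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "")

if __name__ == "__main__":
    for name, blob in (("KYC_scan.pdf.lnk", DECOY_LNK), ("Notepad.lnk", BENIGN_LNK)):
        print(name, triage_lnk(name, blob))
```

The parser deliberately skips the IDList and LinkInfo blocks by their declared sizes rather than interpreting them, which is all that is needed to find the true end of the structure; on a real sample you would run `triage_lnk` over every `.lnk` extracted from the archive and keep the `trailing` bytes for analysis.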
How the PyVil RAT works

The new Python malware, dubbed PyVil RAT by Cybereason, provides hackers with several capabilities, including:

- Keylogging
- Executing commands
- Taking screenshots
- Downloading additional Python-based scripts that act as modules
- Downloading and uploading executables
- Opening SSH shells
- Collecting information about the system and installed programs, such as antivirus products, the Google Chrome version or the connected USB devices

Malware written in Python is not new, but it is not common either. Python is a scripting language that is popular with security professionals and hackers alike on Linux systems, but it does not execute natively on Windows and needs a separate runtime environment, similar to Java. Python programs can be packaged into self-contained Windows executables, but because those bundles have to include the interpreter and all the libraries usually provided by the runtime, they end up being quite large, which is not appealing to malware authors.

Previous Evilnum attacks used a registry Run key to achieve persistence, but the new infection chain achieves this with a Windows scheduled task called “Dolby Selector Task”. Dolby is the name of an audio compression technology that is incorporated in various audio drivers. The attackers hijack the name to make the scheduled task appear as if it was created by a legitimate system driver or component.

Similarly, the attackers use a Trojanized version of the legitimate Java Web Start Launcher program to execute malicious code, which then downloads the PyVil RAT. Modifying the file breaks Oracle’s digital signature on it, so the tampered binary fails Authenticode verification, but people are used to executing unsigned files on Windows.

The infection chain also adds a rogue scheduled task called “Adobe Update Task”, which executes yet another malicious downloader that poses as Adobe’s Flash Player and is called Fplayer.exe. This file is a maliciously modified version of Nvidia’s Stereoscopic 3D driver installer.
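Vendor-sounding task names only work if nobody checks where the task’s binary lives. The following Python script is an added example (not from the article or from Cybereason) that triages exported scheduled-task definitions in the XML format `schtasks /query /xml` produces and flags tasks whose action runs from a user-writable directory, carries a vendor name while living outside the vendor directories, or launches a script host. The task names “Dolby Selector Task” and “Adobe Update Task” and the file name Fplayer.exe come from the findings described above; the paths, authors and the benign third task are constructed for illustration, and the XML declaration is omitted from the samples.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths an ordinary user can write to; a vendor's own installer would not place its task binary here.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.I)
# Where genuinely vendor-installed binaries live.
VENDOR_DIRS = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\", re.I)
VENDOR_WORDS = ("dolby", "adobe", "google", "microsoft", "nvidia", "oracle", "java", "intel", "realtek")
SCRIPT_HOSTS = re.compile(r"\b(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)


def expand_env(path, env):
    """Expand %VAR% references using the supplied (not the live) environment."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def triage_task(xml_text, env=None):
    """Parse one exported task definition and return the indicators worth a second look."""
    env = env or {}
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS)
    name = uri.rsplit("\\", 1)[-1]
    vendor_like = any(word in name.lower() for word in VENDOR_WORDS)
    actions, findings = [], []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        raw_cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        cmd = expand_env(raw_cmd, env)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd, args))
        if USER_WRITABLE.search(cmd):
            findings.append("binary in user-writable path: " + cmd)
        elif vendor_like and not VENDOR_DIRS.search(cmd):
            findings.append("vendor-style name but binary outside vendor directories: " + cmd)
        if SCRIPT_HOSTS.search(cmd + " " + args):
            findings.append("action launches a script host: " + (cmd + " " + args).strip())
    return {"name": name, "author": author, "actions": actions,
            "findings": findings, "suspicious": bool(findings)}


def triage_all(xml_docs, env):
    return [triage_task(doc, env) for doc in xml_docs]


# Constructed task definitions in the schtasks export layout (declaration omitted).
TASK_XML_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author><URI>{uri}</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""

SAMPLE_TASKS = [
    # Task name from the Cybereason findings; path and author are hypothetical.
    TASK_XML_TEMPLATE.format(author=r"DESKTOP-01\alice", uri=r"\Dolby Selector Task",
                             command=r"C:\Users\alice\AppData\Local\Dolby\launcher.exe", arguments=""),
    # Task and file name from the findings; the %APPDATA% location is hypothetical.
    TASK_XML_TEMPLATE.format(author=r"DESKTOP-01\alice", uri=r"\Adobe Update Task",
                             command=r"%APPDATA%\Adobe\Fplayer.exe", arguments=""),
    # Benign-looking vendor task under Program Files, for contrast.
    TASK_XML_TEMPLATE.format(author="Adobe Systems Incorporated", uri=r"\Adobe Acrobat Update Task",
                             command=r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
                             arguments=""),
]
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}

if __name__ == "__main__":
    for result in triage_all(SAMPLE_TASKS, SAMPLE_ENV):
        print(result["name"], "->", result["findings"] or "no findings")
```

On a live host, pair this with `Get-AuthenticodeSignature` on each action binary: the trojanized Java Web Start Launcher described above would fail signature verification even if it were parked in a vendor directory, which is the check the path heuristic alone cannot make.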
It seems that the Evilnum attackers have gone to great lengths to maintain persistence and stealth by impersonating a variety of legitimate programs that administrators might not find suspicious on a Windows system.

The PyVil RAT talks to the command-and-control (C&C) server over HTTP, but the data inside is encrypted with a hard-coded key to hide it from network-level Web traffic inspection products. Because the key is embedded in the malware, anyone who recovers a sample can also decrypt captured traffic; the encryption defeats generic inspection, not analysis. In the past, Evilnum configured its malware to only talk to C&C servers using IP addresses, not domain names. However, Cybereason has detected a growing number of domains being associated with the IP addresses used by the Evilnum C&C infrastructure during the past weeks, signaling a change in tactics as well as a growing infrastructure.

The researchers also observed PyVil RAT downloading a custom version of an open-source password dumping tool called LaZagne, a post-exploitation tool that is written in Python and is popular with penetration testers. Its code can be loaded directly into memory without touching the disk and can be used to extract passwords from many applications, including browsers, chat programs, games, databases, sysadmin tools and more.

Evilnum attack patterns

Evilnum displays various attack patterns that are associated with APT groups:

- Careful victim selection
- Highly targeted and customized attack vectors
- Focus on stealth and persistence mechanisms
- The use of dual-use open-source tools that make detection and attribution harder
- The use of scripting languages for malware instead of compiled C code
- Hands-on hacking through shell commands
- Fileless execution

“The Evilnum group employed different types of tools along its career, including JavaScript and C# Trojans, malware bought from the malware-as-a-service Golden Chickens, and other existing Python tools,” the Cybereason researchers said.
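Loading a Python module straight into memory leaves nothing for a file scanner, but it does leave a trace inside the interpreter: every code object that `exec()` runs raises the PEP 578 `exec` audit event, and code compiled from a string carries a pseudo-filename such as `<string>` instead of a path. The following Python script is an added example (not from the article, Cybereason or LaZagne) that installs an audit hook recording such executions, then feeds it a constructed stand-in for a downloaded second stage. The `FETCHED_STAGE2` blob only reports which modules it imports and never calls them; the hook, the watched-name list and `load_in_memory` are this example’s own, not PyVil’s code.

```python
import sys
import types

if not hasattr(sys, "addaudithook"):
    raise RuntimeError("PEP 578 audit hooks need Python 3.8 or newer")

# Names whose use by code that never existed on disk is worth an alert.
WATCHED_NAMES = {"socket", "subprocess", "ctypes", "winreg", "urlopen", "__import__"}

# Every in-memory execution the hook has seen, oldest first.
IN_MEMORY_EXECUTIONS = []


def _names_in(code):
    """Collect global names referenced by a code object and every nested function or class body."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= _names_in(const)
    return names


def _audit(event, args):
    """'exec' fires for every code object run by exec()/eval(), module imports included.
    Code loaded from a file carries its path in co_filename; code compiled from a string carries a
    pseudo-name such as '<string>'. Frozen stdlib modules ('<frozen os>' etc.) are legitimately
    fileless and are excluded so the record stays actionable."""
    if event != "exec":
        return
    code = args[0]
    if code.co_filename.startswith("<") and not code.co_filename.startswith("<frozen "):
        IN_MEMORY_EXECUTIONS.append({
            "filename": code.co_filename,
            "watched": sorted(_names_in(code) & WATCHED_NAMES),
            "bytecode_size": len(code.co_code),
        })


sys.addaudithook(_audit)   # by design of PEP 578 a hook cannot be removed once installed

# Constructed stand-in for a second-stage module fetched over HTTP (no network is used here).
FETCHED_STAGE2 = b"""
import socket, subprocess

def collect():
    return {"would_use": [socket.__name__, subprocess.__name__]}
"""


def load_in_memory(blob, label="<string>"):
    """The fileless pattern: compile bytes received from the network and run them without writing a file."""
    namespace = {"__name__": "stage2"}
    exec(compile(blob, label, "exec"), namespace)
    return namespace


def run_demo():
    """Load the constructed stage-2 blob and return its output plus what the hook recorded for it."""
    before = len(IN_MEMORY_EXECUTIONS)
    module = load_in_memory(FETCHED_STAGE2)
    return module["collect"](), IN_MEMORY_EXECUTIONS[before:]


if __name__ == "__main__":
    result, alerts = run_demo()
    print("stage2 reported:", result)
    for alert in alerts:
        print("in-memory execution from", alert["filename"], "touched", alert["watched"])
```

Two caveats matter in practice. A hook only sees the interpreter it was installed in, so it has to be registered early (for example from `sitecustomize`) and it will never observe a runtime the attacker brings along; and it is an in-process control, so it complements rather than replaces process-creation and network telemetry.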
“With all these different changes, the primary method of gaining initial access to their FinTech targets stayed the same: using fake know your customer (KYC) documents to trick employees of the finance industry to trigger the malware.”

In a recent report, researchers from Kaspersky Lab analyzed a hacker-for-hire group they dubbed DeathStalker that was seen targeting law offices, wealth consultancy firms and financial technology companies from several countries and continents. Even though DeathStalker’s primary implant, called Powersing, is written in PowerShell, the Kaspersky researchers observed an overlap of techniques and even code similarities between DeathStalker’s toolset and threats like Janicab and Evilnum.

“While none of these points on their own are sufficient in our eyes to draw a conclusion, we feel that together they allow us to assess with medium confidence that Powersing, Evilnum and Janicab are operated by the same group,” the Kaspersky researchers said. “Additional data shared with us by industry partners that we can’t disclose at the moment also supports this conclusion.”

Some of the similarities might also be due to Evilnum using the same malware-as-a-service providers used by other attackers, particularly one tracked by the industry under the name Golden Chickens.

The commoditization of APT techniques and tools over the past years has allowed cybercriminal groups to become more sophisticated and harder to detect. This includes both financially motivated groups (Carbanak, Cobalt or FIN7 are good examples) and ransomware gangs like Ryuk. Cyberespionage is no longer the domain of nation-state actors and is now also performed by mercenary hacker groups for private entities. This puts many companies and organizations, especially small and medium-sized ones, under increased pressure to defend against sophisticated threats they might not be able to handle.