A Q&A with security researcher Matías Porolli, who has been keeping tabs on the latest activity of Evilnum, a cybercriminal group targeting financial technology (FinTech) companies
COVID-19 lockdowns have undoubtedly affected how people interact with their money. Cutbacks on the usual spending on holidays and travel, as well as trends in unemployment, have shifted money priorities and use. Some have been focusing on paying off debts, some are taking out mortgages at great interest rates and some have even gone back to stashing cash under the mattress. Others have turned to retail (stocks and options) trading, a scene that has become no stranger to flocks of newly minted amateurs flooding popular trading platforms and earning increasing clout against even veteran investors.
But what novice traders may not at first realize is how valuable a role their data and cash play in the profit game. Signing up to a trading platform means complying with Know Your Customer regulations and sharing your personal data. How secure is your data, and how lucrative is it if leaked or stolen?
Cybercriminal groups like Evilnum remain very active today, posing a serious threat to wealth, security and privacy. We sat down with ESET researcher Matías Porolli to shed further light on the matter.
Welcome, Matías! Before getting into your research on Evilnum, can you tell us a little bit about your most recent research endeavors?
Thank you for having me! I’m usually tracking malicious activities that affect Latin America. Recently, I published a story about Operation Spalax concerning malware attacks targeting Colombian government agencies, as well as private companies in that country. I’m also still tracking activities of the Evilnum group, as they’ve shown to be very active lately.
What first piqued your interest in the activities of the Evilnum group?
It all started when I was monitoring some feeds that we have in our lab, based on ESET’s telemetry data. Initially, I found a new version of one of their malicious components that was only detected by a few security vendors. This and the fact that the malware was seen only in less than 10 of our customers’ networks gave me the idea that this was a targeted attack and caught my attention.
After a deeper analysis of the malware, I noticed that some researchers had already written about it. However, not much had been said about the group itself or their targets. As I found more related components and tools used by this group, I was able to confirm that they only target FinTech companies and that they had a larger infrastructure than what was described before my report.
Why should FinTech companies be especially on the watch for this particular group?
FinTech companies should be on the watch because this group has been operating for years and is still active nowadays. This means that they have had enough success to sustain their operations. This group approaches their targets with spearphishing emails, in which they pretend to be potential customers of various FinTech platforms. They take advantage of the Know Your Customer regulations that require these companies to verify documents on a daily basis. It is important that FinTech companies are aware of these attacks, and thoroughly check that the documents they receive are really those requested and not shortcut files that execute malware.
Why do you think the Evilnum group, and its malicious contemporaries, see FinTech companies as a gold mine?
On the whole, FinTech companies deal with a large volume of investments and trading operations, so having access to this information is very profitable for these groups. Even if they don’t use the stolen information directly, in some cases these groups are either hired or they sell the information to third parties.
It’s also possible that their high success and their knowledge of the sector encourage them to keep operating in that sector, with specific targets.
Since your research was published in July 2020, Kaspersky researchers later posited some connections between Evilnum, Janicab and Powersing. What possible links to malware families such as these, or others, have you discovered?
Janicab and Powersing are malware families that target other sectors such as law firms. After our publication about Evilnum, Kaspersky researchers wrote about some similarities they found in how these three malware families work. They grouped these three campaigns, with medium confidence, into one single hacker-for-hire group that they named DeathStalker.
What I’ve seen in my research is that the Evilnum group has used tools from a Malware-as-a-Service (MaaS) provider known as Golden Chickens. This MaaS provider seems to be quite popular among criminals who target the financial sector, and other infamous groups such as FIN6 are their customers.
The group behind Evilnum malware seems to remain fairly active in developing new tools, updating their old ones, using publicly available tools and even renting tools. What does this diverse investment into tooling reveal about the group behind Evilnum?
It means that their criminal activities are profitable enough to invest part of their earnings into custom tools, new infrastructure (servers, domain names) and continuous updating of their older tools. This is not only true for the Evilnum group, but also for other groups that target FinTech companies.
In September 2020, researchers at Cybereason published a report about a new infection chain that was being used by the Evilnum group to ultimately drop a new Python RAT called PyVil. In 2021, we have seen attacks with new versions of PyVil, as well as new versions of their flagship JavaScript malware, which we described in July 2020.
What should security teams at FinTech companies do to detect and defend against a possible infiltration of Evilnum in their company’s network?
The first battle is to be aware of the risks and adversaries. It is important to be well informed. So my first recommendation is to subscribe to Threat Intelligence data feeds. These provide security operations center teams with actionable indicators to monitor. Also, I recommend consulting public sources of information. For example, you can follow our blog, WeLiveSecurity, and our Twitter handle, @ESETresearch for daily content and updates.
Of course, there are also cases where new threats surface, which is why it’s important to have good security solutions that can detect malicious behavior to block attacks proactively. Mature security teams can use endpoint detection and response solutions such as ESET Enterprise Inspector for early identification of threats and successful remediation.
Thank you, Matías!