The Evilnum malware , which was detected in the wild in 2018 has been involved in a wide range of attacks against Fintech (Financial Technology) companies mostly located in the EU countries and the UK .The malware is linked with the advanced persistent threat (APT) group known as Evilnum. The malware is not just focusing on stealing sensitive credentials but the financial information of these companies and their customers as well.Recently the team at ESET made a blog post about this APT group and their malware’s history. In this post we will have an analysis of their research and conduct our own analysis of this malware variant.
Delivering of the malware
The malware widely targets customer support representatives and account managers who receive such documents on a daily basis making the execution of malware more likely.
Some of these C&C servers used in delivering of payloads are:
176.107.176[.]237 185.20.186[.]75 http://176.107.176[.]237/secupdate202222.msi http://176.107.176[.]237/67364732647836478231.msi http://45.9.239[.]50/secupdate2021.msi
In 2019, Palo Alto Networks described a malware with very similar functionality to the JS component used in Evilnum, but coded in C#. That version obtained the address of its C&C by dividing a number by 666, and was therefore named Evilnum by Palo Alto Networks researchers.That explains the use of 666 in the title of this blog.
Analysis of a random Evilnum malware sample
The SHA256 hash for this sample is: 7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6
The first thing i prefer to do when it comes to analyzing the samples is to pass the sample file through exiftool so as to check for any valuable entries.Let’s pass this file through exiftool and see if we can find anything.The command to do this is:
So after passing the file through exiftool we find out something very interesting which can help us prove that yes it belongs to the Evilnum malware. In the above image you can see an entry called command line arguments, read it carefully and you will understand that it actually tries to show a Proof of address PDF file which could contain the proof of address of the customer . The employee of the Fintech company might consider it as just another customer related document but there’s something unusual here.There is a JS file which is associated with that document and we know that JS execution is the initial stage of this malware’s execution.
The second step we will do to study this malware is to find out what is present inside the file and for this we will use the strings command, in some cases when we need to find the contents of a file before executing it we can use strings command as its much safer and can show you some good amount of information present in the file.The command to extract the strings will be:
After checking the strings present in the file i was totally surprised to see some very interesting finds and the presence of JS code inside the file also confirmed that it belonged to the Evilnum malware.Some of the interesting findings are:
1. Checks for Antivirus software present in the system
The malware tries to find any antivirus software present inside the target’s system during its execution, here’s a small code snippet which called this function:
av = get_system_av();//TRU4
if (av.indexOf(“Bitdefender”) != -1)//TRU4
So we can confirm here that the malware tries to find the Bitdefender software in the target’s system.
2. Fetches the content from a Gitlab repository
The malware seems to fetch some python file from a gitlab repository and save it to the system.The repository belonged to a user called jhondeer123 the repository is now deleted and the user is blocked.
3. The Command and Control server’s IP isn’t directly stored in the code
The C&C server’s IP isn’t stored directly in the code but there’s some code present in the malware which needs to process the number 8346758545 in order to get the final IP address. This number is interesting because it was used in some other malware samples as well.
4.Presence of a Digitalpoint account
I found a digitalpoint account link in the malware’s code with the similar name (johndeer123) and remember this name was also present in the gitlab repo link.
5. High possibility of it belonging to Russia
I went through the digitalpoint account and came across the account information page which had an interesting entry in the interests.
It was: 8346758545http://188.8.131.528346758545
The IP address present here was http://184.108.40.206/ , even though this IP is not connected to any server anymore we can still find some good amount of info here.
I decided to run a geolocation search on this IP address and here were the results:
“state_prov”: Northwestern Federal District
“isp”: Dotsi, Unipessoal Lda.
“organization”: Dotsi, Unipessoal Lda.
“name”: Russian Ruble
“current_time”: 2020-07-12 16:05:18.699+0300
These results clearly indicated that the IP address belonged to some russian organization, but well there’s more to this.After checking the Wayback Machine it was confirmed that yes some russian websites did existed on the IP and it was probably a web hosting server .
Hybrid Analysis of the malware sample
Results of Hybrid-Analysis:
Here the platform confirms that the file was indeed malicious and had a Proof Of Address PDF shortcut file.Even though the file didn’t create any windows the execution mostly happened through CMD.exe through command line arguments.We confirmed this with Any Run.
As we can see the file is using the command line arguments for the execution and delivery of malware from the JS components. The shortcut file gets shifted and there’s something very interesting in the process number 3128.It’s searching for something and it’s TRU4 the same thing which was mentioned in the comments of our malware.This helps us to confirm that the malware is indeed executing through Command Line arguments without creating any sort of noise.
Even though the malware was detected back in 2018, it’s still in use and has damaged many Fintech companies across the EU countries and the UK.The APT group has a high possibility of belonging to Russia and has created a variety of versions of this malware.The shortcut files used to deliver this malware had customer related information like passport, driving license or proof of address like in this case.
It is advised that the people employed in the customer support related work should open such documents carefully and avoid opening shortcut files like in this case.
SECARMY will continue its research on this malware and its APT group and will present more blog posts on this topic in the near future.If you have any doubts related to this article feel free to contact me on my twitter handle https://twitter.com/0x9747/ .