
Evilnum Hackers Change Tactics for Targeting Fintech Firms

September 9, 2020

By: mirabiliscorp

Evilnum, a hacking group that targets fintech firms mainly in the U.K. and Europe, is deploying a new remote access Trojan, according to Cybereason.


Evilnum is expanding its campaigns to other countries, including Canada and Australia, security firm ESET reported earlier (see: APT Group Targets Fintech Companies). The hacking group, which security researchers first discovered in 2018, is known for using spear-phishing emails and social engineering techniques.

In its latest campaign, Evilnum is deploying a new remote access Trojan that Cybereason researchers call PyVil. It’s written in the Python programming language and has capabilities that include keylogging, taking screenshots of infected devices and exfiltrating data. The Trojan can also deploy other malicious tools, such as the LaZagne malware, to steal credentials, Cybereason says.

“The campaign is active as we still see samples of the malware pop up and we see that the threat actors’ infrastructure is still active,” Tom Fakterman, a threat researcher at Cybereason, tells Information Security Media Group. “Evilnum has successfully maintained a low profile with highly targeted attacks against select fintech targets and has been conservative about infrastructure reuse, so there is not enough evidence to determine the potential number of victims or how successful their operations may be.”

Infection Tactics

Evilnum is targeting “know your customer” procedures at many fintech firms as a way to gain initial access to devices and networks, Cybereason reports. Financial institutions use these procedures to verify customer information to help prevent illegal activity, such as money laundering.

In the latest campaign, the Evilnum hackers are sending spear-phishing emails to employees at fintech firms who are overseeing the KYC procedures, according to the Cybereason research report.

Fake documents used as part of spear-phishing campaign (Source: Cybereason)

The emails contain zip archives of LNK files – a type of Windows shortcut file – that appear to be the documents needed to verify someone’s identity, Fakterman says.

When the target at a fintech firm opens a LNK file, malicious JavaScript is downloaded onto the compromised device, which then installs the PyVil remote access Trojan, according to Cybereason.
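One defensive check that follows from this infection chain, written here as an added example (not code from Cybereason or from the article): it inspects a zip attachment for .lnk entries, flags those whose name mimics an identity document, and confirms the Shell Link header so a renamed non-shortcut is not mistaken for one. The archive contents are constructed for the demo.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Every Shell Link (.lnk) file starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# Extensions a KYC reviewer would expect on an identity document (assumed list).
DOC_EXTS = (".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png")


@dataclass
class Finding:
    name: str            # entry name inside the archive
    disguised: bool      # document-like double extension, e.g. "id.pdf.lnk"
    real_shortcut: bool  # header bytes confirm it really is a shell link


def scan_zip(data: bytes) -> List[Finding]:
    """Flag every .lnk entry in a zip attachment and note whether it poses as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if info.is_dir() or not lower.endswith(".lnk"):
                continue
            # Explorer never shows the .lnk suffix, so "Passport.pdf.lnk" renders as "Passport.pdf".
            disguised = lower[:-4].endswith(DOC_EXTS)
            with zf.open(info) as fh:
                real_shortcut = fh.read(len(LNK_HEADER)) == LNK_HEADER
            findings.append(Finding(info.filename, disguised, real_shortcut))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive for the demo; not a real Evilnum artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Passport_scan.pdf.lnk", LNK_HEADER + b"\x00" * 60)      # disguised shortcut
        zf.writestr("Shortcut.lnk", LNK_HEADER + b"\x00" * 60)               # plain shortcut
        zf.writestr("Utility_bill.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)  # harmless image
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample()):
        print(f"{f.name}: disguised={f.disguised} real_shortcut={f.real_shortcut}")
```

The same check works on any archive bytes pulled from a mail gateway; in practice a disguised entry is reason enough to quarantine the message.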

The Trojan then performs various tasks, including keylogging and capturing screenshots, and it collects details, such as what anti-virus products are installed on the device, whether there are any USB devices present and what version of Chrome the victim is using, the researchers discovered.

The RAT can also run commands within an infected device and create an SSH shell that establishes a link with the command-and-control server to steal corporate data.

In previous attacks, Evilnum relied on other malware written in either JavaScript or C# to infect devices and gain persistence throughout the network. Now, it relies on the PyVil Trojan instead.

Fakterman notes that Evilnum is attempting to switch its tactics to avoid detection and keep one step ahead of new security procedures.

“The threat actors have many new tricks up their sleeves as the PyVil RAT is brand new,” Fakterman says. “Additional tricks include a deviation from the infection chain, persistence and infrastructure. Tools observed include modified versions of legitimate executables deployed in an attempt to remain undetected by security tools.”

Source: BankInfoSecurity
