‘EvilNum’ malware targets European financial exchanges, crypto with backdoor attacks


Cybercriminals are targeting European financial firms with the “EvilNum” malware that creates a backdoor into their systems, Proofpoint researchers said. (Photo by Marco Bello/Getty Images)

As if cryptocurrency and decentralized finance (DeFi) players didn’t have enough to worry about with the recent market crash, these companies are again under assault from a new malware that creates a backdoor to steal data, according to research from Proofpoint.

A threat actor dubbed TA4563 by researchers has been aiming its “EvilNum” malware at European financial and investment firms that specialize in foreign currency exchange and commodities, cryptocurrency and DeFi, placing a backdoor in their systems that allows cybercriminals to steal their valuable information or lie in wait for further opportunities to compromise these financial platforms. Indeed, the EvilNum malware “includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software,” according to the key findings published by Proofpoint researchers.

The activity described in the EvilNum report includes low-volume, targeted activity, according to Sherrod DeGrippo, vice president for threat research and detection for Proofpoint. “Although the targeting includes organizations related to DeFi, the malware deployed is used for reconnaissance and data theft and is not specific to cryptocurrency theft,” said DeGrippo during an interview.

Proofpoint Threat Research has been tracking the malware group and its attacks on various European financial and investment firms with EvilNum since late 2021. Lately, the threat group has been “exclusively targeting” the DeFi industry in its campaigns, and has even overlapped in its activities with another black-hat group known as “DeathStalker,” which has been around for at least four years. In late June, Zscaler also published reports of EvilNum attacks it had been following earlier this year, which were aimed at financial technology (fintech) firms and companies involved in trading and compliance throughout the UK and Europe.

As of March 2022, EvilNum was aimed at intergovernmental organizations that focused on international migration support, according to Proofpoint, which pointed out that these targets were likely chosen “to coincide with the Russia-Ukraine conflict.” EvilNum has evolved in recent months, with various versions utilizing a mix of ISO, Microsoft Word and Shortcut files to test delivery mechanisms for the malware.

Targeting financial companies that deal in cryptocurrency and other currency and commodities exchange is a calculated choice, despite the potential downsides of this criminal activity, according to Dov Lerner, security research lead at global threat intelligence firm Cybersixgill. In general, while payments on the dark web are made in cryptocurrency, actual prices are generally listed in dollars, he pointed out. “Cryptocurrency has always been very volatile,” Lerner added, “so by pegging prices of goods and services to the dollar, the underground is built to be resilient to swings of crypto prices.”

“We’ve seen plenty of indications that run-of-the-mill dark web actors have lost a significant amount of money that they stored in cryptocurrency,” Lerner said. “But we would imagine that the larger criminal enterprises are more financially savvy and hedge their money in several currencies to avoid overexposure to drops in crypto prices.”

In all likelihood, these increasingly opportunistic attacks are one piece of a larger cybercrime puzzle, where syndicates are using the access and the information obtained through their malware and backdoors to commit broader malfeasance, according to DeGrippo.

“Threat actors often use whatever means are necessary to make sure they obtain the financial gain they’re after,” DeGrippo said. “This could mean using money mules, laundering traditional cash through stolen bank accounts, or doing fraud in other ways.”

Case in point: Gift card fraud has seen a significant increase in popularity among threat actors and criminal groups “who don’t have high level sophistication and easy access to malware campaigns at scale,” DeGrippo added. In fact, 73 million Americans have recently experienced fraud involving gift cards, according to the AARP. The Federal Trade Commission said gift card fraud losses amounted to $233 million last year, nearly double the $125 million lost in 2020.

Although Proofpoint did not observe “follow-on payloads deployed in identified campaigns,” other researchers had found that EvilNum malware tools are also available via the Golden Chickens malware-as-a-service, according to Proofpoint.

“EvilNum malware and the TA4563 group poses a risk to financial organizations,” the Proofpoint research concluded. “TA4563 has adjusted their attempts to compromise the victims using various methods of delivery. [W]hilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”
