Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.
According to a new report from Proofpoint, the first email campaign was last December, with the initial campaign attempting to deliver Word documents that could install an updated version of the backdoor. The files contained social-engineering phishing tactics aimed at financial institutions, in one case suggesting the recipient must submit “proof of ownership of missing documents.”
In later campaigns, the group tried to deliver multiple OneDrive URLs containing either an ISO attachment or shortcut file (.LNK). Then, the group again switched tactics midway through 2022, reverting back to Word files to entice victims to download a remote template, instead sending the victim to an actor-controlled domain delivering the Evilnum payload.
“Each campaign is highly fenced; the malware only allows one download per IP address to ensure only the target host can retrieve the final payload,” the report, issued Thursday, notes.
The Evilnum backdoor, first observed in 2020, can be used for data theft, reconnaissance, or to load additional payloads — it’s often a fixture in cyber-espionage campaigns.
Evilnum: Under Active Development
Based on Proofpoint’s analysis, the malware also contains multiple evasion mechanisms and is under ongoing development.
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, says this suggests the threat actors may incorporate new features of the malware to evade detection and improve efficacy in the campaigns.
“The use of Microsoft Word and .LNK files to launch malware, as well as other different delivery methods, allows the actor to experiment with what works or has a higher likelihood of achieving an infection,” she adds.
She points out most targets generally have a potential financial windfall for the threat actor, and notes DeFi is a new, loosely regulated industry with many new technologies that may not be fully vetted or secured.
“It’s an emerging, target-rich environment for threat actors to potentially benefit from,” she says, adding that this particular campaign is targeting European organizations.
Emerging DeFi Industry a Prime Cyber Target
Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.
Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out the DeFi industry is still relatively new and reliant on open source platforms.
She explains open source means the source code is publicly available, which makes it easier for cybercriminals to identify potential flaws.
“Cybercriminals may also be drawn to the billions of dollars held within DeFi platforms,” she adds.
Additionally, Hoffman says many DeFi platforms have cross-chain bridges, allowing users to transfer funds across multiple blockchains easily.
“This inadvertently allows malicious actors to disburse their stolen funds across multiple blockchains quickly,” she says.
Hoffman says DeFi developers are learning “the hard way” that security needs to be a part of the development process from the beginning.
“The developers must address all security flaws and protect people’s funds if they want continuous buy-in,” she says. “Otherwise, the market will likely flop. Until these vulnerabilities are addressed, there will likely be more opportunistic attackers looking to make fast cash.”
Growing Pool of Victims as Investment in DeFi Rises
DeGrippo adds that more people are aware of and investing in decentralized finance and cryptocurrency resources, so there is an increasing pool of potential victims for threat actors to target.
“Additionally, they may use different lure themes to target cryptocurrency-related products and services,” she says.
She explains it’s important that these organizations ensure employees are trained to identify and report suspicious emails.
From a technology perspective, they can also “restrict the use of container files such as ISO and LNK files, especially those downloaded from the internet,” she says, and “block RTF files from being downloaded or accessed from Word where applicable.”
The eponymous group behind Evilnum malware has been targeting financial institutions since its emergence in 2018 and has steadily evolved its methods, adopting a Python remote access Trojans (RATs) to carry out well-crafted spear-phishing attacks.