{"id":9270,"date":"2020-07-14T19:28:47","date_gmt":"2020-07-14T16:28:47","guid":{"rendered":"https:\/\/forklog.media\/?p=9270"},"modified":"2020-07-14T23:13:48","modified_gmt":"2020-07-14T20:13:48","slug":"hacker-group-targeting-fintech-companies-and-personal-data-has-been-under-radar-for-years-nod32-developer-finds","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hacker-group-targeting-fintech-companies-and-personal-data-has-been-under-radar-for-years-nod32-developer-finds\/","title":{"rendered":"Hacker Group Targeting Fintech Companies and Personal Data Has Been Under Radar For Years, NOD32 Developer Finds"},"content":{"rendered":"<p>Researchers from cybersecurity company ESET have <a href=\"https:\/\/www.welivesecurity.com\/2020\/07\/09\/more-evil-deep-look-evilnum-toolset\/\">published<\/a> a comprehensive paper on a little-known but apparently quite dangerous advanced persistent threat (APT) group Evilnum. The research outlines the major directions of the group\u2019s attacks and evaluates its threat level.<\/p>\n<p>The company is, among other things, the developer of the popular antivirus software NOD32.<\/p>\n<p>According to ESET, Evilnum has been active since 2018. Since then the group has been steadily increasing the scope of its attacks and the number of malicious tools in its arsenal. Today it specializes mainly in stealing sensitive data from corporate networks. The data it steals can later be used for financial machinations or sold to other criminals.<\/p>\n<blockquote><p><b><i>\u201cAccording to ESET\u2019s telemetry, the targets are financial technology companies \u2013 for example, companies that offer platforms and tools for online trading. 
Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks,\u201d<\/i><\/b><i> the research notes.<\/i><\/p><\/blockquote>\n<h2><b>Line of Attack<\/b><\/h2>\n<p>The majority of Evilnum\u2019s targets are situated in the EU and the UK, but individual attacks have also been detected against Australian and Canadian companies.<\/p>\n<p>Some examples of the information this group steals include:<\/p>\n<ul>\n<li>Spreadsheets and documents with customer lists, investments, and trading operations<\/li>\n<li>Internal presentations<\/li>\n<li>Software licenses and credentials for trading software\/platforms<\/li>\n<li>Cookies and session information from browsers<\/li>\n<li>Email credentials<\/li>\n<li>Customer credit card information and proof of address\/identity documents<\/li>\n<\/ul>\n<p>Evilnum can also collect information related to the IT infrastructure of the victim company, such as VPN configurations.<\/p>\n<h2><b>Shady Allegiances<\/b><\/h2>\n<p>The research revealed that Evilnum is using malware created by the malware-as-a-service (MaaS) group Golden Chickens, which also provides malware to such notorious groups as FIN6 and Cobalt. Yet ESET does not believe these groups share allegiance with any specific government or political movement.<\/p>\n<blockquote><p><b><i>\u201cWe believe that FIN6, Cobalt Group, and Evilnum group are not the same, despite the overlaps in their toolsets. They just happen to share the same MaaS provider.\u201d<\/i><\/b><\/p><\/blockquote>\n<h2><b>Modus Operandi<\/b><\/h2>\n<p>The threat group uses spear-phishing emails to infect devices with Evilnum malware and other malicious scripts. A typical Evilnum attack involves the following steps: a user receives a phishing email with a link to Google Drive, containing a ZIP archive. 
This archive contains several LNK files that extract and launch a malicious JavaScript component when displaying an infected document.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/07\/01_file_extension.png\" alt=\"Archive with LNK files\" width=\"635\" height=\"385\" \/><\/p>\n<p><i>Archive with LNK files. Source:<\/i> <a href=\"https:\/\/www.welivesecurity.com\/2020\/07\/09\/more-evil-deep-look-evilnum-toolset\/\">Welivesecurity<\/a><\/p>\n<h2><b>Malicious LNK Files<\/b><\/h2>\n<p>Phishing emails are usually disguised as legitimate emails from tech support or customer service officers. Malicious LNK files in turn are disguised as images of credit cards and other identity-confirming documents, as many financial institutions require their clients to provide such data in line with know-your-customer (KYC) procedures.<\/p>\n<p>The main payload of Evilnum is aimed at collecting various confidential information, including passwords stored in Google Chrome, cookies from Google Chrome, and basic information on the PC\u2019s configuration and installed programs. It is even capable of saving desktop screenshots when a user moves the mouse cursor. And of course, it can stealthily run commands via cmd.exe.<\/p>\n<h2><b>Conclusion: an Underrated Threat<\/b><\/h2>\n<p>Researchers conclude that despite the group likely not being closely associated with any big-time players, it is still a major and underrated threat to certain specific parts of the industry:<\/p>\n<blockquote><p><b><i>\u201cThis group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. 
This, and the group\u2019s use of legitimate tools in its attack chain, have kept its activities largely under the radar.\u201d<\/i><\/b><\/p><\/blockquote>\n<p><i>by Constantine Golubev<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers from cybersecurity company ESET have published a comprehensive paper on a little-known but apparently quite dangerous advanced persistent threat (APT) group Evilnum. The research outlines the major directions of the group\u2019s attacks and evaluates its threat level.<\/p>\n","protected":false},"author":6,"featured_media":9271,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"human_written","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[82,100,573],"class_list":["post-9270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-fintech","tag-malware","tag-privacy"],"aioseo_notices":[],"amp_enabled":true,"views":"338","promo_type":"1","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/9270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=9270"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/9270\/revisions"}],"predecessor-version":[{"id":9273,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/9270\/revisions\/9273"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/9271"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=9270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=9270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=9270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}