Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.[1]

ID: G0120
Version: 1.0
Created: 22 January 2021
Last Modified: 27 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Evilnum has used PowerShell to bypass UAC.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Evilnum has used malicious JavaScript files on the victim's machine.[1]

Enterprise T1555 Credentials from Password Stores

Evilnum can collect email credentials from victims.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Evilnum has deleted files used during infection.[1]

Enterprise T1105 Ingress Tool Transfer

Evilnum can deploy additional components or tools as needed.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.[1]

Enterprise T1219 Remote Access Software

EVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromrised machines.[1]

Enterprise T1539 Steal Web Session Cookie

Evilnum can steal cookies and session information from browsers.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. [1]

Software

ID Name References Techniques
S0568 EVILNUM [2] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Exfiltration Over C2 Channel, Indicator Removal on Host, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Modify Registry, Signed Binary Proxy Execution: Regsvr32, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, Steal Web Session Cookie, System Information Discovery, System Owner/User Discovery, Web Service: One-Way Communication, Windows Management Instrumentation
S0349 LaZagne [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Keychain, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0284 More_eggs [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Owner/User Discovery

References