The operations of Evilnum hackers have been watched closely by security analysts since 2020, with the threat actors' activity traced back as early as 2018. The APT group is predominantly associated with attacks on the FinTech sector in Europe and is often classified as a financially motivated group. Sources claimed that the most recent spear-phishing campaign targeting international migration services overlapped in several respects with the major escalation of the Russian invasion of Ukraine in February 2022.
The Evilnum APT group’s origins are still unclear. Still, evidence suggests that the hackers may be involved in espionage operations linked with the Belarusian cluster of cyber intrusion activity dubbed Ghostwriter.
The detection rule is compatible with the following industry-leading SIEM, EDR, and XDR technologies supported by SOC Prime’s platform: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.
The rule is aligned with the MITRE ATT&CK® framework v10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) and its PowerShell sub-technique (T1059.001) as the main technique.
Hit the Detect & Hunt button to access a vast library of cyber threat detection content. All rules are mapped to the MITRE ATT&CK framework, thoroughly curated and verified. The Explore Threat Context button will reveal the latest content updates and the relevant threat context.
This latest wave of Evilnum's malicious activity is aimed at European entities in international migration services. Zscaler's researchers report that the arsenal the Evilnum group used in these attacks differs from the one used in previous campaigns. The threat actors delivered weaponized MS Office Word documents via spear-phishing email to deploy malicious payloads on target devices.
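The rule's ATT&CK mapping (Execution via T1059 / T1059.001) and the delivery chain above (a weaponized Word document that runs a script interpreter) together point at one of the most common detection opportunities for this kind of intrusion: an Office process spawning PowerShell or another interpreter. The following is an added illustration, not the SOC Prime rule and not code from Zscaler's report; it assumes Sysmon-style process-creation field names (`ParentImage`, `Image`, `CommandLine`, `Computer`) and runs over constructed sample events.

```python
"""Added example (not the SOC Prime rule): flag script interpreters launched
by Office applications, the Execution pattern (T1059 / T1059.001) that a
weaponized document typically produces when its macro fires.
Field names follow Sysmon Event ID 1 (process creation); events are constructed."""
import ntpath

# Office applications that should rarely, if ever, spawn an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script interpreters; PowerShell maps to the T1059.001 sub-technique,
# everything else is reported under the parent technique T1059.
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OTHER_INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events: two malicious-looking, two benign.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc <base64-placeholder>"},
    {"Computer": "WS02", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start <placeholder>"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",            # admin opened a console
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                                      # print spooler helper
     "CommandLine": "splwow64.exe 12288"},
]


def image_name(path: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return ntpath.basename(path).lower()


def detect_office_spawned_interpreter(events):
    """Return one alert per event where an Office parent launches an interpreter."""
    alerts = []
    for ev in events:
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS:
            continue
        if child in POWERSHELL:
            technique = "T1059.001"
        elif child in OTHER_INTERPRETERS:
            technique = "T1059"
        else:
            continue
        alerts.append({
            "host": ev.get("Computer", "unknown"),
            "parent": parent,
            "child": child,
            "command_line": ev.get("CommandLine", ""),
            "technique": technique,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawned_interpreter(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['host']}: {alert['parent']} -> "
              f"{alert['child']} :: {alert['command_line']}")
```

Matching on the parent/child image pair rather than on command-line strings keeps the logic robust to obfuscated arguments; in a production rule the command line would still be kept in the alert for triage, and the parent set would be tuned to the Office products actually deployed in the environment.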
To detect security violations in a timely manner, leverage the benefits of collaborative cyber defense by joining our global cybersecurity community at SOC Prime's Detection as Code platform. Avail yourself of accurate and timely detections delivered by seasoned professionals from around the world to stay up to date on threat hunting, supercharge your SOC team's operations, and establish a defense-in-depth posture.