Evilnum Hacking Group Resurfaces With Spear Phishing Attacks on European Migration Organizations

Evilnum APT Group

The operations of Evilnum hackers have been watched closely by security analysts since 2020, with the threat actors’ activity traced back as early as 2018. The APT group is predominantly associated with attacks on the FinTech sector in Europe and is often classified as a financially motivated group. Sources claimed that the most recent spear phishing campaign targeting international migration services coincided in several respects with the major escalation of the Russian invasion of Ukraine in February 2022.

The Evilnum APT group’s origins remain unclear, though evidence suggests that the hackers may be involved in espionage operations linked with the Belarusian cluster of cyber intrusion activity dubbed Ghostwriter.

Detect Evilnum’s Activity

To proactively defend against Evilnum APT, SOC Prime has released a unique, context-enriched Sigma rule developed by the perspicacious Threat Bounty developer Onur Atali:

Possible Evilnum APT Execution by Detection of Associated Commands (via cmdline)

The detection rule is compatible with the following industry-leading SIEM, EDR, and XDR technologies supported by SOC Prime’s platform: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, CrowdStrike, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059; T1059.001) as the main technique.

Hit the Detect & Hunt button to access a vast library of cyber threat detection content. All rules are mapped to the MITRE ATT&CK framework, thoroughly curated and verified. The Explore Threat Context button will reveal the latest content updates and the relevant threat context. 


Evilnum Group Analysis

This latest wave of Evilnum’s malicious activity is aimed at European entities in international migration services. Zscaler’s researchers report that the Evilnum group’s arsenal used in these attacks differs from the one used in previous campaigns. The threat actors used weaponized MS Office Word documents delivered via spear phishing email to deploy malicious payloads on target devices.

Evidence suggests that the payloads were decrypted and dropped using unusually heavily obfuscated JavaScript. The resulting binary is executed by a scheduled task created while the JavaScript runs. The threat actor carefully chose the name of every file system artifact generated during execution to mimic genuine Windows binaries and legitimate third-party binaries. Through this chain, Evilnum hackers achieve persistence on compromised systems and exfiltrate victims’ data.
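The chain described above (a script host running obfuscated JavaScript registers a scheduled task that points at a dropped binary with a look-alike name) can be expressed as a simple process-creation detection. The following is an added example run over constructed Sysmon-style events; it is not SOC Prime’s Sigma rule, and the script-host names, the small allow-list of Windows binary names and the event field names are assumptions.

```python
import re

# Assumed Windows script hosts that execute .js/.jse files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed allow-list of genuine Windows binary names; a real deployment
# would build this from a clean reference host.
WINDOWS_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "conhost.exe"}
TR_PATTERN = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_action(cmdline):
    """Return the /tr action of a 'schtasks /create' command line, else None."""
    if "/create" not in cmdline.lower():
        return None
    m = TR_PATTERN.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def analyse_event(ev):
    """Alert when a JS host spawns schtasks /create whose action lives outside
    the Windows system directories; flag actions that borrow a Windows binary name."""
    parent_is_js_host = (basename(ev["ParentImage"]) in SCRIPT_HOSTS
                         and re.search(r"\.jse?\b", ev["ParentCommandLine"], re.I))
    if not parent_is_js_host or basename(ev["Image"]) != "schtasks.exe":
        return None
    action = task_action(ev["CommandLine"])
    if action is None or action.lower().startswith(SYSTEM_DIRS):
        return None
    return {"task_action": action,
            "mimics_windows_binary": basename(action) in WINDOWS_BINARY_NAMES,
            "script": ev["ParentCommandLine"]}


def analyse(events):
    return [a for a in map(analyse_event, events) if a]


# Constructed sample events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.js"',
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "UpdateTask" /tr "C:\Users\u\AppData\Roaming\Microsoft\svchost.exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Windows\System32\wbadmin.exe"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\u\Downloads\report.js"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event fires, and it is additionally tagged because the task action reuses a Windows binary name from a user-writable path.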

To detect security violations in a timely manner, leverage the benefits of collaborative cyber defense by joining our global cybersecurity community at SOC Prime’s Detection as Code platform. Take advantage of accurate and timely detections delivered by seasoned professionals from around the world to stay up to date on threat hunting, supercharge your SOC team’s operations and establish a defense-in-depth posture.

