The Evilnum group's operations were first discovered in 2018. The group focuses on attacks against large financial technology organizations, especially investment platforms and cryptocurrency-related companies. Most of its targets are located in Europe and the United Kingdom, but the group has also carried out separate attacks on organizations in Canada and Australia. Researchers attribute this geography to the fact that most of the attacked companies have offices in several countries, and the attackers choose the one that is least protected.
Evilnum often uses LOLBins and common tools that can be purchased on underground forums, which complicates the attribution of its attacks. While investigating recent attacks, researchers discovered new malware in the group's arsenal: a Python-scripted Remote Access Trojan dubbed PyVil RAT. The trojan is modular and can download new modules that extend its functionality. PyVil RAT can act as a keylogger and is capable of performing reconnaissance, taking screenshots, running cmd commands, opening an SSH shell, and installing additional malicious tools.
Ariel Millahuel released a new community threat hunting rule that helps uncover traces of PyVil RAT in an organization's network and disrupt the Evilnum group's espionage activities: https://tdm.socprime.com/tdm/info/YgyDYAROBUOq/iYKSaHQBPeJ4_8xclmRF/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Execution, Defense Evasion
Techniques: Command-Line Interface (T1059), Obfuscated Files or Information (T1027)