Rewterz Threat Alert – Evilnum APT Group – Active IOCs

Severity

High

Analysis Summary

APT group Evilnum aka Jointworm has been seen targeting the financial sector with malicious emails. The group first seen in 2018 with the motivation of information theft and espionage has been active recently in an attempt to rob users of their credentials and gaining sensitive information for their gain. The group has primarily targeted fintech organizations based in Israel. These attacks have a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.

Impact

• Credential Theft
• Financial Loss
• Exposure of Sensitive Data

Indicators of Compromise

Filename

• HANSENThomasPassport[.]pdf[.]lnk

MD5

• 6b08457ccb9323dea938f6b097011f46
• b5af9624434cc642e1bcc0e09e0baf26
• eddb6385adcc3b7a58e85b03cac7b94b

SHA-256

• c35e76cbd4b2f6c8869566b2a7ea181dbd98dce251a611e03bb5a2fe1ee8708a
• 0e760e5a7fa21627d83c9a9f5f68d0c5f6ecfade4d6c89d84b8680f67b33262c
• 5e3ec2eae509b51930010aab4ce74804a70ceba5bce1a427548aff1b3f423d5d

SHA-1

• a929ee14a7611cadc6783aea2aef3e329fa4d9db
• 8a22435ec0f9185b6c1ea384ad8c690039a42622
• 5aeb24b023787877cbfb70d7e006271926339f57

URL

• https[:]//cdn[.]jsanalys[.]com/community/02/comm[.]png
• https[:]//cdn[.]cjsassets[.]com/wp-content/uploads/2021/08/202109[.]png

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.
• Search for IOCs in your environment.