Rewterz Threat Alert – Evilnum APT Group – Active IOCs

Severity

High

Analysis Summary

APT group Evilnum aka Jointworm has been seen targeting the financial sector with malicious emails. The group first seen in 2018 with the motivation of information theft and espionage has been active recently in an attempt to rob users of their credentials and gaining sensitive information for their gain. The Evilnum APT group has mostly targeted FinTech (financial services) sector, particularly those in the UK and Europe that deal with trading and compliance. However, in March, 2022, the group targets Intergovernmental organizations that offer assistance related to international migration.
EVILNUM is a JavaScript-based malware family. A heavily obfuscated JavaScript was used in recent campaigns for dropping the payloads and decryption. Compared to previous versions used by EvilNum APT, this JavaScript has significant improvements in the obfuscation technique. 

According to researchers, the APT group registered several domain names using particular keywords relating to the industry vertical targeted in each new instance of the campaign.

• Image source:

Evilnum APT group affects multiple European countries with its latest ongoing campaign ‘Operation DarkCosino’ and delivered new components: DarkMe and PikoloRAT.

Impact

• Exposure of Sensitive Data
• Information Theft and Espionage

Indicators of Compromise

Domain Name

• c9spus[.]com

MD5

• cec06262d1d35f8ea013670c540e30e8
• 4b357bdd7d34050f85b7ef1d497a87dc

SHA-256

• 29d75b3b0f509dfd3150edc06be9cbe4053ce41a892403ec94b9187f44dda643
• 74329f3585df9b4ac4a0bc4476369dc08975201d7fc326d2b0f7b7a4c1eab22b

SHA-1

• 16900554bca686c5244dd1613e73f4bbc278a856
• 5ee0c0cbf3470dcd19be8df1f98853bd3125422a

Remediation

• Search for IOCs in your environment.
• Block all threat indications at their respective controls.