
Rewterz Threat Alert – Evilnum Targets Financial Sector With Pyvil RAT

September 4, 2020

Severity

High

Analysis Summary

The Evilnum group’s operations appear to be highly targeted at the financial sector, with a focus on the FinTech market, by abusing Know Your Customer (KYC) documents containing information provided by clients. The group recently showed several variations: a change in the infection chain and persistence mechanism, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT), dubbed PyVil RAT by Nocturnus. PyVil RAT has a range of capabilities: it enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy additional tools such as LaZagne in order to steal credentials. It uses modified versions of legitimate executables in an attempt to remain undetected by security tools. The infection chain shows a shift from a JavaScript Trojan with backdoor capabilities to a multi-process delivery procedure for the payload. Unlike previous versions, which possessed an array of functionalities, this version of the JavaScript acts mainly as a dropper and lacks any C2 communication capabilities.


In a deviation from previous tactics, the LNK file masquerades as a PDF whose content includes several documents, such as utility bills, credit card photos, and driver’s license photos. A scheduled task is then created; with it, the second stage, retrieving the payload, begins.


Impact

  • Data Exfiltration
  • Information Theft
  • Credential Theft
  • Unauthorized Access

Indicators of Compromise

Domain Name

SHA-256

Source IP

  • 193[.]56[.]28[.]201
  • 185[.]236[.]230[.]25

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files from unexpected emails even if they look legitimate.
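Blocking the indicators at the relevant controls starts with turning the advisory’s defanged notation (`[.]`) back into live values and checking them against what the controls have already seen. The script below is an added example, not Rewterz code: it refangs a constructed list of indicators (placeholder names and TEST-NET addresses, not the advisory’s real IoCs) and reports every proxy or DNS log line, also constructed here, that references one of them, including subdomains of a listed domain.

```python
"""Refang defanged IoCs and match them against proxy/DNS log lines.

Added example for this advisory, not Rewterz code; indicators and log lines are
constructed placeholders (RFC 2606 / TEST-NET), not the advisory's real IoCs.
"""
import re

# Constructed indicators written in the advisory's defanged notation.
CONSTRUCTED_IOCS = [
    "lure-docs[.]example",
    "kyc-upload[.]example",
    "192[.]0[.]2[.]10",
    "198[.]51[.]100[.]7",
]

# Constructed sample log lines (proxy and DNS style); lines 2 and 4 contain hits.
CONSTRUCTED_LOGS = [
    "2020-09-04T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.9 host=intranet.example GET /",
    "2020-09-04T10:01:09Z proxy src=10.0.0.5 dst=192.0.2.10 host=lure-docs.example GET /a.zip",
    "2020-09-04T10:02:11Z dns client=10.0.0.7 query=updates.example type=A",
    "2020-09-04T10:02:30Z dns client=10.0.0.7 query=cdn.kyc-upload.example type=A",
]

def refang(ioc: str) -> str:
    """Turn 'voip[.]example' or '1[.]2[.]3[.]4' back into the live indicator string."""
    return re.sub(r"\[\.\]", ".", ioc.strip()).lower()

def build_matcher(iocs):
    """Compile one regex: IPs match exactly, domains also match as the parent of a subdomain."""
    parts = []
    for raw in iocs:
        ioc = refang(raw)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
            parts.append(rf"(?<![\d.]){re.escape(ioc)}(?![\d.])")  # no 192.0.2.100 false hit
        else:
            parts.append(rf"(?<![\w-])(?:[\w-]+\.)*{re.escape(ioc)}(?![\w-])")
    return re.compile("|".join(parts), re.IGNORECASE)

def find_hits(log_lines, iocs=CONSTRUCTED_IOCS):
    """Return (line_number, matched_text) for every IoC reference in the log lines."""
    matcher = build_matcher(iocs)
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for m in matcher.finditer(line):
            hits.append((number, m.group(0).lower()))
    return hits

if __name__ == "__main__":
    for number, text in find_hits(CONSTRUCTED_LOGS):
        print(f"line {number}: matched {text}")
```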
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.