High
The Evilnum group's operations appear to be highly targeted at the financial sector, with a focus on the FinTech market, by way of abusing the Know Your Customer (KYC) documents that clients provide. The group recently showed several variations, including a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) that Nocturnus dubbed PyVil RAT. PyVil RAT possesses a range of functionalities and enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy additional tools such as LaZagne in order to steal credentials. It uses modified versions of legitimate executables in an attempt to remain undetected by security tools. The infection chain shows a shift from a JavaScript Trojan with backdoor capabilities to a multi-process delivery procedure for the payload. Unlike previous versions, which possessed an array of functionalities, this version of the JavaScript acts mainly as a dropper and lacks any C2 communication capabilities.
In a deviation from previous tactics, this LNK file masquerades as a PDF whose content includes several documents, such as utility bills, credit card photos, and driver's license photos. With this scheduled task, the second stage, retrieving the payload, begins.
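As an added defender-side example (not code from the report or from the Nocturnus team), the triage helper below checks whether a file carries a genuine Windows Shell Link (LNK) header while its name claims to be a document such as a PDF, which is the masquerade described above. The header constants come from the public MS-SHLLINK format; the sample inputs are constructed here and are only a header, not a working shortcut.

```python
import struct
from typing import Optional

# Shell Link header constants from the MS-SHLLINK specification:
# HeaderSize is always 0x4C and LinkCLSID is {00021401-0000-0000-C000-000000000046}.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Document extensions an LNK might hide behind (Explorer never shows ".lnk").
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")


def is_lnk(data: bytes) -> bool:
    """Return True if the bytes start with a valid Shell Link header."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def masquerade_extension(name: str) -> Optional[str]:
    """Return the document extension a .lnk file name pretends to have, else None."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return None
    stem = lower[:-4]  # what the user sees once Explorer hides ".lnk"
    for ext in DOCUMENT_EXTENSIONS:
        if stem.endswith(ext):
            return ext
    return None


def triage(name: str, data: bytes) -> dict:
    """Flag a file whose content is an LNK but whose visible name looks like a document."""
    lnk = is_lnk(data)
    claimed = masquerade_extension(name)
    return {
        "name": name,
        "is_lnk": lnk,
        "claims_to_be": claimed,
        "suspicious": lnk and claimed is not None,
    }


# Constructed samples: a bare LNK header padded to HeaderSize, and a minimal PDF prefix.
SAMPLE_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample, not a real document\n"

if __name__ == "__main__":
    for fname, blob in (("kyc_documents.pdf.lnk", SAMPLE_LNK), ("kyc_documents.pdf", SAMPLE_PDF)):
        print(triage(fname, blob))
```

The same check can be run over a mail gateway's attachment store or a user's Downloads folder to surface double-extension shortcuts before they are double-clicked.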