Pulse Detail — Threat Intelligence

PULSE NAME

EvilNum Targets Cryptocurrency, Forex, Commodities

WHITE TA4563 AlienVault 2022-07-22 Modified: 2022-07-22

IOCs

MEDIUM VOLUME

Since late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1547 T1140 T1027 T1566 T1059 T1057

MALWARE FAMILIES

EvilNum

Indicators of Compromise (37)

All email URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
email	arfeuille19@gmail.com	—	2022-07-22
URL	http://outlookfnd.com	—	2022-07-22
URL	http://visitaustriaislands.com	—	2022-07-22
FileHash-MD5	c73033ea7be3bb159c207c39e954ce18	MD5 of f0a002c7d2174f2a022d0dfdb0d83973c1dd96c4db86a2b687d14561ab564daa	2022-07-22
FileHash-SHA1	e332dcfcd946ae2cf5f0e97a1bdf6a93a68405a0	SHA1 of f0a002c7d2174f2a022d0dfdb0d83973c1dd96c4db86a2b687d14561ab564daa	2022-07-22
FileHash-SHA256	53ade63ba9938fd97542a0a725d82045f362766f24f0b1f414f4693d9919f631	—	2022-07-22
FileHash-SHA256	649183519d59ea332d687a01c37040b91da69232aadb0c1215c36a5b87ad2ec7	—	2022-07-22
FileHash-SHA256	da642cc233ea3595d8aaf8daf6129c59682b19462d5d5abb1f494042d4c044f4	—	2022-07-22
FileHash-SHA256	ef1a660ee8b11bbcf681e8934c5f16e4a249ba214d743bbf8b1f8043296b6ffc	—	2022-07-22
FileHash-SHA256	f0a002c7d2174f2a022d0dfdb0d83973c1dd96c4db86a2b687d14561ab564daa	—	2022-07-22
URL	http://advflat.com/save/user.php	—	2022-07-22
URL	http://elitefocuc.com/save/user.php	—	2022-07-22
URL	http://goalrom.com/admin/settings.php	—	2022-07-22
URL	http://hubflash.co/configuration.php	—	2022-07-22
URL	http://infntio.com/save/user.php	—	2022-07-22
URL	http://mailgunltd.com	—	2022-07-22
URL	http://officelivecloud.com	—	2022-07-22
URL	http://pngdoma.com/admin/index.php	—	2022-07-22
domain	advflat.com	—	2022-07-22
domain	azuredllservices.com	—	2022-07-22
domain	bookaustriavisit.com	—	2022-07-22
domain	bookingitnow.org	—	2022-07-22
domain	elitefocuc.com	—	2022-07-22
domain	estoniaforall.com	—	2022-07-22
domain	goalrom.com	—	2022-07-22
domain	hubflash.co	—	2022-07-22
domain	infntio.com	—	2022-07-22
domain	mailgunltd.com	—	2022-07-22
domain	moretraveladv.com	—	2022-07-22
domain	officelivecloud.com	—	2022-07-22
domain	outlookfnd.com	—	2022-07-22
domain	pngdoma.com	—	2022-07-22
domain	visitaustriaislands.com	—	2022-07-22
email	arole@delaware-north.com	—	2022-07-22
email	paul@christiesrealestate.uk	—	2022-07-22
email	sherry@schalapartners.com	—	2022-07-22
email	viktoria.helle79@zingamail.uk	—	2022-07-22

References (1)

↗ https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities