Evilnum

Description

(Palo Alto) We witnessed attacks targeting the financial technology (FinTech) sector, primarily focused on organizations based in Israel. While researching these attacks, we discovered a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.

There is overlap between this group and Deceptikons, DeathStalker.

Names

Name	Name-Giver
Evilnum	Palo Alto
Jointworm	Symantec
TA4563	Proofpoint

Country

Unknown

Motivation

Information theft and espionage

First Seen

2018

Observed Sectors

Observed Countries

Tools

Operations

2020-05: Operation “Phantom in the [Command] Shell” Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020. https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html
2020-08: In recent weeks, the Nocturnus team has observed new activity by the group, including several notable changes from tactics observed previously. https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat
2021-12: Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities
2022: Return of the Evilnum APT with updated TTPs and new targets https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets

Information

Mitre Attack

https://attack.mitre.org/groups/G0120/

Other Information

Uuid

e5ad7790-80c8-4319-a52e-469e20c95573

Last Card Change

2022-12-30

Threat Intelligence Garden

Explorer

Evilnum

Evilnum

Description

Names

Country

Motivation

First Seen

Observed Sectors

Observed Countries

Tools

Operations

Information

Mitre Attack

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks