Travel, legal, and financial entities in the Middle East and Europe have become the newest targets of the Evilnum hack-for-hire threat group, which previously focused only on the legal sector. In these campaigns Evilnum used an upgraded version of the Janicab malware, which can execute commands and deploy additional payloads.
In the past, the threat group has victimised entities in other countries, such as the UK, the UAE, Georgia, and Egypt. The recent observations of the group targeting legal firms in Saudi Arabia are therefore the first recorded from that region.
Researchers shared details about the Evilnum threat group.
According to researchers, the Evilnum hack-for-hire group (aka DeathStalker) has deployed several malware strains against victims, including Janicab, Powersing, and PowerPepper. These payloads are used to steal data from the targets once the group has access to their networks.
Furthermore, the group's attacks are observed to follow a pattern: collecting internal company presentations, email credentials, critical documents, software licenses, and information on investments and trading operations.
The researchers also explained that in the observed campaigns the group has been using an LNK-based dropper embedded in a ZIP file, which it typically delivers through spear-phishing.
The Janicab malware’s upgraded version adds a keylogger, checks for active antivirus software, and collects a list of running processes that could indicate a malware analysis environment. Analysts also believe that the new version is stealthier, allowing it to persist for longer periods.
Because of these threats, organisations, particularly travel, legal, and financial entities in the Middle East and Europe, are advised to monitor the Internet Explorer web browser processes on their computers. This advice stems from the malware using Internet Explorer in hidden mode to communicate with the hacking group’s remote C2 server.
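One way to act on that advice, as an added example that is not part of the original report: a PowerShell check that lists iexplore.exe processes with no visible window or with a parent other than the shell or IE itself (the list of expected parents is an assumption, not something the report states).

```powershell
# Added example (not from the original report): flag Internet Explorer processes that
# have no visible window or were launched by an unexpected parent process.
# Run in an elevated PowerShell session on the Windows host being inspected.

# Assumption: IE is normally started by the shell, or by IE spawning its own tab processes.
$ExpectedParents = @('explorer.exe', 'iexplore.exe')

function Get-SuspiciousIE {
    # Win32_Process supplies ParentProcessId and CommandLine; Get-Process supplies MainWindowHandle.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance -ClassName Win32_Process `
            -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }

        $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $hidden = ($null -eq $gp) -or ([int64]$gp.MainWindowHandle -eq 0)
        $oddParent = $ExpectedParents -notcontains $parentName

        # IE runs one frame process plus content (tab) processes; content processes have no
        # window of their own, so "hidden" alone is noisy. Report a process when its parent
        # is unexpected (e.g. a script host), or when a non-tab process has no window.
        if ($oddParent -or ($hidden -and $parentName -ne 'iexplore.exe')) {
            [pscustomobject]@{
                PID          = $p.ProcessId
                ParentPID    = $p.ParentProcessId
                Parent       = $parentName
                HiddenWindow = $hidden
                CommandLine  = $p.CommandLine
                Reason       = if ($oddParent) { 'unexpected parent' } else { 'no visible window' }
            }
        }
    }
}

Get-SuspiciousIE | Format-Table -AutoSize
```

Any hit should be cross-checked against the parent's command line and network connections before being treated as a Janicab indicator, since legitimate automation can also launch IE without a window.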
Additionally, researchers presume that Evilnum’s intrusions against legal and financial entities are attempts to track financial assets, steal business intelligence about mergers and acquisitions, monitor lawsuits, and blackmail high-profile individuals.