
EVILNUM

Posted: May 7, 2020

EVILNUM is a backdoor Trojan that provides attackers with access to your PC, including features for installing more threats or collecting data. EVILNUM campaigns preferentially target financial technology companies, particularly those within Israel. Users on vulnerable Windows systems can identify and remove EVILNUM with the usual anti-malware products, although keeping detection databases updated is highly advisable for improving detection rates.

The First Little Step in a Lot of Negative Numbers

As a semi-surprising addendum to the tale of the niche Cardinal RAT, another family of threats – one with very similar capabilities – is getting anti-security updates. The crossover between the Cardinal RAT and the second Trojan, EVILNUM, suggests the same threat actors at work, with EVILNUM serving as the opening gambit that surveys the landscape for future exploitation. Although reports date to 2019, its updates are ongoing into 2020.

EVILNUM consists of both JavaScript and .NET Framework versions, and in either case, is a first-stage backdoor Trojan. Most versions propagate from corrupted LNK files, although the threat actors also have a long history of using well-crafted, specialized documents with macros, and similar exploits. The targets are, almost always, financial technology organizations operating inside of Israel.

As a backdoor Trojan, EVILNUM may download files onto your computer, such as other Trojans, or upload collected content. It also includes a general-purpose command-running feature and some limited browser-spying features (related to temporary cookie files). Most impressive is its obfuscation, which is in keeping with the habits malware researchers have previously observed from the Cardinal RAT's operators. It receives semi-regular updates, hides its Command & Control traffic through one-way data passes to third-party Websites, and has security-bypassing functions specific to the products of significant cyber-security companies.

Taking Evil Out of the Math Equation

EVILNUM is deployed as a first-stage threat: a tool that gives the attackers the ability to observe the environment and decide whether or not to exploit it further. Although its campaigns are financially motivated, its distribution is far from random, and malware researchers have yet to identify samples from victims outside of the Israeli fintech demographic. However, some attacks by the same threat actors responsible for the Cardinal RAT have taken place elsewhere, such as Japan.

Workers in at-risk companies can guard against attacks by watching this Trojan's most-noted infection vectors. E-mail attachments and links are the probable sources of EVILNUM infections, particularly LNK files inside ZIP archives (a simple method of concealing the threat from detection). They also may expect updates to EVILNUM on an incident-by-incident basis, which can complicate its identification or removal.
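The infection vector described above (a Windows shortcut hidden inside a ZIP attachment) lends itself to a simple mail-gateway or triage check. The following is an added example, not code from the original page or from any vendor: it inspects an archive in memory and flags members that are shortcuts either by their extension or by the fixed 20-byte Shell Link header (size field 0x4C followed by the ShellLink CLSID), so that a renamed .lnk is still caught. The archive, its member names and their contents are constructed for the demonstration.

```python
from __future__ import annotations

import io
import zipfile

# Fixed 20-byte prefix of a Windows Shell Link (.lnk) file:
# HeaderSize = 0x4C (little-endian) followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def find_lnk_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every archive member that looks like a
    Windows shortcut. Reason is 'extension', 'magic' or 'extension+magic'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            by_name = name.lower().endswith(".lnk")
            # Read only the header; a real mail gateway should also cap total
            # decompressed size to avoid archive-bomb style resource exhaustion.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_magic = head == LNK_MAGIC
            if by_name and by_magic:
                findings.append((name, "extension+magic"))
            elif by_name:
                findings.append((name, "extension"))
            elif by_magic:
                findings.append((name, "magic"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign text file, one shortcut with a
    double extension, and one shortcut renamed to hide its extension.
    The shortcut bodies are just the header plus padding, not real shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "nothing to see here")
        zf.writestr("Statement_Q1.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.dat", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_lnk_entries(build_sample_zip()):
        print(f"suspicious member: {name} ({reason})")
```

Flagging on the header rather than the extension alone is the point: the double-extension trick in the sample relies on a file-name check, whereas the 20-byte header is fixed by the file format and survives renaming.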

Victims should disconnect from all networks immediately and assume that the attackers have possession of login credentials and similar intelligence. Updated anti-malware solutions remain preferable for deleting EVILNUM, if at all possible, along with anything it might download onto the infected computer.

Everyone may want money, but the tactics one uses for making it reveal much about one's character. In EVILNUM's case, the threat actor pairs greed with an impressive work ethic that makes EVILNUM all the more threatening for anyone clicking on files carelessly.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to EVILNUM may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
