EVILNUM

EVILNUM is a backdoor Trojan that provides attackers with access to your PC, including features for installing more threats or collecting data. EVILNUM campaigns target financial technology companies preferentially, those within Israel particularly. Users on vulnerable Windows systems can identify and remove EVILNUM through the usual anti-malware products, although database updates are highly advisable for improving the detection rates.

The First Little Step in a Lot of Negative Numbers

As a semi-surprising addendum to the tale of the niche Cardinal RAT, another family of threats – and ones with very similar capabilities – is getting anti-security updates. The crossover between the Cardinal RAT and the second Trojan, EVILNUM, suggests the same threat actors at work, with EVILNUM serving as the opening gambit that surveys the landscape for future exploiting. Although reports date to 2019, its updates are ongoing into 2020.

EVILNUM consists of both JavaScript and .NET Framework versions, and in either case, is a first-stage backdoor Trojan. Most versions propagate from corrupted LNK files, although the threat actors also have a long history of using well-crafted, specialized documents with macros, and similar exploits. The targets are, almost always, financial technology organizations operating inside of Israel.

As a backdoor Trojan, EVILNUM may download files onto your computer, such as other Trojans, or upload collected content. It also includes a general-purpose command-running feature and some limited browser-spying features (related to temporary cookie files). Most impressive is its obfuscation, which is in keeping with the previous habits malware researchers confirm with the Cardinal RAT's admins. It receives semi-regular updates, hides its Command & Control traffic through one-way data passes to third-party Websites, and has security-bypassing functions specific to the services of significant cyber-security companies.

Taking Evil Out of the Math Equation

EVILNUM's deployment is that of a first-stage threat or a tool that gives the attackers the ability to observe the environment and deciding whether or not to exploit it further. Although its campaigns are concerned monetarily, its distribution is far from random, and malware researchers have yet to identify samples from victims outside of the Israeli fintech demographic. However, some attacks by the same threat actors also responsible for the Cardinal RAT have taken place elsewhere, such as Japan.

Workers in at-risk companies can guard against attacks by watching this Trojan's most-noted infection vectors. E-mail attachments and links are probable sources of EVILNUM infections for LNK files inside of ZIPs (a simple method of concealing the threat from being detected), particularly. They also may expect updates to EVILNUM on an incident-by-incident basis, which can complicate its identification or removal.

Victims should disconnect from all networks immediately and assume that the attackers have possession of login credentials and similar intelligence. Updated anti-malware solutions remain preferable for deleting EVILNUM, if at all possible, along with anything it might download onto the infected computer.

Everyone may want money, but the tactics one uses for making it reveal much about one's character. In EVILNUM's case, the threat actor pairs greed with an impressive work ethic that makes EVILNUM all the more threatening for anyone clicking on files carelessly.