Evilnum

Introduction

Evilnum is a financially motivated threat group that has been active since at least 2018. ESET EvilNum July 2020

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1497.001 System Checks
• T1219.002 Remote Desktop Software
• T1539 Steal Web Session Cookie
• T1566.002 Spearphishing Link
• T1548.002 Bypass User Account Control
• T1070.004 File Deletion
• T1574.001 DLL
• T1204.001 Malicious Link
• T1555 Credentials from Password Stores
• T1105 Ingress Tool Transfer
• T1059.007 JavaScript

ATT&CK technique IDs (denormalized)

• T1059.007
• T1070.004
• T1105
• T1204.001
• T1219.002
• T1497.001
• T1539
• T1548.002
• T1555
• T1566.002
• T1574.001

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• GOlden Phoenix
• Cobalt Strike

MITRE ATT&CK Software

• More_eggs (S0284) — malware
• EVILNUM (S0568) — malware
• LaZagne (S0349) — tool

Attribution and Evidence

Information pending cataloguing.

References

[1] mitre-attack [3] ESET EvilNum July 2020 Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.