Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.[1]

ID: G0120
Version: 1.0
Created: 22 January 2021
Last Modified: 27 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

Evilnum can collect email credentials from victims.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Evilnum has used malicious JavaScript files on the victim's machine.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Evilnum has used PowerShell to bypass UAC.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which download a .LNK file.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Evilnum has deleted files used during infection.[1]

Enterprise T1539 Steal Web Session Cookie

Evilnum can steal cookies and session information from browsers.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments.[1]

Enterprise T1105 Ingress Tool Transfer

Evilnum can deploy additional components or tools as needed.[1]

Enterprise T1219 Remote Access Software

Evilnum has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromised machines.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.[1]

Software

ID Name References Techniques
S0568 EVILNUM [2] Windows Management Instrumentation, Modify Registry, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Indicator Removal on Host, Indicator Removal on Host: Timestomp, Steal Web Session Cookie, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Web Service: One-Way Communication, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel
S0349 LaZagne [1] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0284 More_eggs [1] Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal on Host: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Subvert Trust Controls: Code Signing

References