
TA4563 group leverages EvilNum malware to target European financial and investment entities – Security Affairs

Summary

A threat actor tracked as TA4563 is using EvilNum malware to target European financial and investment entities.

A threat actor, tracked as TA4563, leverages the EvilNum malware to target European financial and investment entities, Proofpoint reported. The group focuses on entities with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi).


EvilNum is a backdoor that allows attackers to steal data and load additional payloads; it implements a number of components to evade detection.

The TA4563 group has been targeting multiple entities in Europe since late 2021.

Proofpoint researchers state that their analysis has some overlap with EvilNum activity publicly reported by Zscaler in June 2022.

The analysis of a campaign that started in December 2021 revealed that the attackers used messages purporting to be related to financial trading platform registration or related documents. The attackers also used weaponized Microsoft Word documents to install an updated version of the EvilNum backdoor.

“These messages used a remote template document that analysts observed attempting to communicate with domains to install several LNK loader components, leveraging wscript to load the EvilNum payload, and a JavaScript payload that was ultimately installed on the user’s host.” reads the analysis published by Proofpoint. “These lures contained a financial theme, suggesting on one occasion that the intended victim needed to submit “proof of ownership of missing documents”.”

In early 2022, the threat actors continued to target European financial entities but used different methods. The malspam messages attempted to deliver multiple OneDrive URLs that contained either an ISO or .LNK attachment.

In other campaigns, the messages delivered a compressed .LNK file.

In mid-2022, the threat actors changed their approach once again and began delivering Microsoft Word documents that attempt to retrieve a remote template to start the EvilNum infection.
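The delivery chain described above (a Word document fetching a remote template, LNK loaders that run the payload through wscript, and ISO/LNK attachments fetched from OneDrive links) leaves a recognisable parent/child process pattern on the endpoint. The following is an added example of a simple detection heuristic, not code from Proofpoint or Security Affairs. It runs over constructed Sysmon-style process-creation events; the field names (`ts`, `image`, `parent`, `cmdline`), the rule names and the path patterns are assumptions chosen to match the chain the article describes, not a published rule set.

```python
"""Heuristic detection for the process pattern of the EvilNum delivery chain.

Added example (not Proofpoint's or Security Affairs' code). Events are
constructed Sysmon-style process-creation records; field names, rule names
and path patterns are assumptions made for this illustration.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    r'{"ts":"2022-06-01T09:12:03Z","image":"C:\\Windows\\System32\\wscript.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"wscript.exe E:\\registration_docs.js"}',
    r'{"ts":"2022-06-01T09:13:10Z","image":"C:\\Windows\\System32\\wscript.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\loader.js"}',
    r'{"ts":"2022-06-01T09:14:00Z","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe C:\\Users\\alice\\notes.txt"}',
    r'{"ts":"2022-06-01T09:15:22Z","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"cmd.exe /c start E:\\proof_of_ownership.lnk"}',
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Script file extensions a Windows Script Host would execute.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
# Non-system drive letters (where a mounted ISO typically appears) or user temp/download dirs.
SUSPICIOUS_PATH = re.compile(r"(?:^|\s)[D-Z]:\\|\\AppData\\Local\\Temp\\|\\Downloads\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one JSON event line, defaulting missing fields to empty strings."""
    ev = json.loads(line)
    for key in ("ts", "image", "parent", "cmdline"):
        ev.setdefault(key, "")
    return ev


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every heuristic rule the event matches."""
    hits: List[str] = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    # Rule 1: an Office application spawning a script host or shell (remote-template chains).
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS | SHELLS:
        hits.append("office_spawns_script_host")
    # Rule 2: explorer launching a script host on a script file, as a clicked LNK loader would.
    if parent == "explorer.exe" and img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
        hits.append("lnk_style_wscript_loader")
    # Rule 3: a script host or shell reading from a mounted-image drive or a temp/download folder.
    if img in SCRIPT_HOSTS | SHELLS and SUSPICIOUS_PATH.search(cmd):
        hits.append("script_from_removable_or_temp_path")
    return hits


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Run every event through the rules and collect (timestamp, image, matched rules)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            alerts.append((ev["ts"], basename(ev["image"]), hits))
    return alerts


if __name__ == "__main__":
    for ts, image, rules in scan(SAMPLE_EVENTS):
        print(ts, image, ", ".join(rules))
```

Each rule on its own is noisy in a large estate (help-desk scripts run from explorer, for instance), which is why `classify` returns every matching rule rather than a single verdict: an event that trips two rules, such as Word spawning wscript on a file in the user's temp folder, is a far stronger signal than either rule alone and is the sort of combination worth alerting on directly.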

“EvilNum malware and the TA4563 group pose a threat to financial organizations. Based on Proofpoint analysis, TA4563’s malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware including tools available via the Golden Chickens malware-as-a-service.” concludes the report. “TA4563 has adjusted their attempts to compromise the victims using various methods of delivery; while Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, TA4563)




Source: https://securityaffairs.co/wordpress/133535/apt/ta4563-group-evilnum-malware.html