Threat Management, Malware, Network Security

‘EvilNum’ malware targets European financial exchanges, crypto with backdoor attacks

Stickers depicting Guy Fawkes masks (Anonymous mask) and the bitcoin logo
Cybercriminals are targeting European financial firms with the "EvilNum" malware that creates a backdoor into their systems, Proofpoint researchers said. (Photo by Marco Bello/Getty Images)

As if cryptocurrency and decentralized finance (DeFi) players didn't have enough to worry about with the recent market crash, these companies are again under assault from a new malware that creates a backdoor to steal data, according to research from Proofpoint.

Threat actor dubbed TA4563 by researchers has been aiming its “EvilNum” malware at European financial and investment firms that specialize in foreign currency exchange and commodities, cryptocurrency and DeFi, placing a backdoor in their systems that allows cybercriminals to steal their valuable information or lay in wait for more opportunities to compromise these financial platforms. Indeed, the EvilNum malware “includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software,” according to the key findings published by Proofpoint researchers.

The activity described in the EvilNum report includes low-volume, targeted activity, according to Sherrod DeGrippo, vice president for threat research and detection for Proofpoint. “Although the targeting includes organizations related to DeFi, the malware deployed is used for reconnaissance and data theft and is not specific to cryptocurrency theft," said DeGrippo during an interview.

Proofpoint Threat Research has been tracking the malware group and its attacks on various European financial and investment firms with EvilNum since late 2021. Lately, the threat group has been “exclusively targeting” the DeFi industry in its campaigns, and has even overlapped in its activities with another black-hat group known as “DeathStalker,” which has been around at least four years. In late June, Zscaler also published reports of EvilNum attacks it had been following earlier this year, which were aimed at financial technology (fintech) firms and companies involved in trading and compliance throughout the UK and Europe.

As of March 2022, EvilNum was aimed at intergovernmental organizations that focused on international migration support, according to Proofpoint, which pointed out that these targets were likely chosen “to coincide with the Russia-Ukraine conflict.” EvilNum has evolved in recent months, with various versions utilizing a mix of ISO, Microsoft Word and Shortcut files to test delivery mechanisms for the malware.

Targeting financial companies that deal in cryptocurrency and other currency and commodities exchange is a calculated choice, despite the potential downsides of this criminal activity, according to Dov Lerner, security research lead at global threat intelligence firm Cybersixgill. In general, while payments in the dark web are made in cryptocurrency, actual prices are generally listed in dollars, he pointed out. “Cryptocurrency has always been very volatile,” Lerner added, “so by pegging prices of goods and services to the dollar, the underground is built to be resilient to swings of crypto prices.”

“We've seen plenty of indications that run-of-the-mill dark web actors have lost a significant amount of money that they stored in cryptocurrency,” Lerner said. “But we would imagine that the larger criminal enterprises are more financially savvy and hedge their money in several currencies to avoid overexposure to drops in crypto prices.”

In all likelihood, these increasingly opportunistic attacks are one piece of a larger cybercrime puzzle, where syndicates are using the access and the information obtained through their malware and backdoors to commit broader malfeasance, according to DeGrippo.

“Threat actors often use whatever means are necessary to make sure they obtain the financial gain they’re after,” DeGrippo said. “This could mean using money mules, laundering traditional cash through stolen bank accounts, or doing fraud in other ways.”

Case in point: Gift card fraud has seen a significant increase in popularity among threat actors and criminal groups “who don’t have high level sophistication and easy access to malware campaigns at scale,” DeGrippo added. In fact, 73 million Americans have recently experienced fraud involving gift cards, according to the AARP. The Federal Trade Commission said gift card fraud losses amounted to $233 million last year, nearly double the $125 million lost in 2020.

Although Proofpoint did not observe “follow-on payloads deployed in identified campaigns,” other researchers had found that EvilNum malware tools are also available via the Golden Chickens malware-as-a-service, according to Proofpoint.

“EvilNum malware and the TA4563 group poses a risk to financial organizations,” the Proofpoint research concluded. “TA4563 has adjusted their attempts to compromise the victims using various methods of delivery. [W]hilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.