ThreatLabz tracks Evilnum APT activity from early 2022, noting a shift to targeted campaigns in UK/Europe FinTech and expanded targets including an intergovernmental migration organization. The updated campaign uses document template injection in MS Office Word, VBA code stomping, heavily obfuscated JavaScript, and a Heaven’s Gate–based loader to drop a mapped PE backdoor with C2 beacons. #EvilnumAPT #DocumentTemplateInjection
Keypoints
- The Evilnum APT group has targeted FinTech/financial services entities in the UK and Europe, with later campaigns broadening to an intergovernmental migration services organization.
- Attack flow includes Stage 1: malicious Word documents via spearphishing; Stage 2: macro template injection using VBA code stomping; Stage 3: dropped and deobfuscated JavaScript; Stage 4: a loader (SerenadeDACplApp.exe) delivered via a scheduled task; Stage 5: a mapped PE backdoor that handles C2 config and network beaconing.
- Stage 2’s VBA macro uses template injection and a VBA code stomping technique to bypass static analysis and deter reverse engineering.
- The JavaScript payloads are heavily obfuscated with string arrays and an unshuffle mechanism to thwart deobfuscation efforts.
- The loader employs the Heaven’s Gate technique (NtOpenFile/NtReadFile) to load a decrypted PE into memory and execute it, aiming to evade endpoint security and memory scanners.
- Persistence is achieved via a scheduled task named UpdateModel Task, which launches the loader with specific arguments from a configured path.
- Beacons and C2 communications are driven by a list of compromised domains and unique URI paths, with data exfiltration formatted and encoded within cookie headers during beaconing.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Initial access is a malicious Word document attached to a spear-phishing email. “The stage 1 malicious document is delivered via spear phishing email.”
- [T1221] Template Injection – Documents rely on template injection to deliver payloads. “leveraging document template injection to deliver the malicious payload to the victims’ machines.”
- [T1027] Obfuscated/Compressed Files and Information – VBA macro uses code stomping to bypass static analysis. “VBA code stomping technique to bypass static analysis.”
- [T1059.007] JavaScript – JavaScript payload is dropped and heavily obfuscated. “The stage 3 Dropped JavaScript… heavily obfuscated.”
- [T1053.005] Scheduled Task – Persistence via a scheduled task (UpdateModel Task) to run the loader. “Persistence… via Scheduled task. During JavaScript execution, a scheduled task with the name ‘UpdateModel Task’ will be created…”
- [T1055] Process Injection – Heaven’s Gate technique used by the loader to map and execute the decrypted backdoor PE in memory (NtOpenFile/NtReadFile). “Using the Heaven’s gate technique calls the NtOpenFile API to create a file handle”
- [T1071.001] Web Protocols – C2 beacon and data exfiltration over web protocols using configured domains and paths. “The backdoor selects one of the C2 domains and a path string from the configuration and sends the beacon network request.”
Indicators of Compromise
- [MD5] Document hashes – 0b4f0ead0482582f7a98362dbf18c219, 4406d7271b00328218723b0a89fb953b, and 2 more hashes
- [MD5] Loader/Encrypted binary – ea71fcc615025214b2893610cfab19e9, 51425c9bbb9ff872db45b2c1c3ca0854
- [Domains] C2 domains – travinfor[.]com, webinfors[.]com, and many more domains
- [URI Path] Unique URI paths – /actions/async.php, /admin/settings.php, and other appended paths
- [File name] Key payload artifacts – SerenadeDACplApp.exe, devZUQVD.tmp
- [Scheduled Task] Task names – UpdateModel Task, PropertyDefinitionSync (and 1 more)
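The indicators above span four log sources (proxy, scheduled-task creation, file creation, hash lookups), so a practical hunt sweeps all of them with one matcher. The following is an added example (not code from the report) that re-fangs the listed domains and scans constructed log lines for the domains, URI paths, file names, task names and MD5 hashes given on this page; the log lines, host names and user names are made up for the demonstration, and only the indicators shown above are used (the “and N more” items are not filled in).

```python
import re
from typing import List, Tuple

# Indicators as listed on this page (domains kept defanged, as published).
IOC_DOMAINS = ["travinfor[.]com", "webinfors[.]com"]
IOC_URI_PATHS = ["/actions/async.php", "/admin/settings.php"]
IOC_FILES = ["SerenadeDACplApp.exe", "devZUQVD.tmp"]
IOC_TASKS = ["UpdateModel Task", "PropertyDefinitionSync"]
IOC_MD5 = [
    "0b4f0ead0482582f7a98362dbf18c219",
    "4406d7271b00328218723b0a89fb953b",
    "ea71fcc615025214b2893610cfab19e9",
    "51425c9bbb9ff872db45b2c1c3ca0854",
]

MD5_TOKEN = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")


def refang(domain: str) -> str:
    """Turn the published 'example[.]com' form back into a matchable host name."""
    return domain.replace("[.]", ".")


def _host_match(domain: str, text: str) -> bool:
    # Anchor on host-name boundaries so 'xtravinfor.com' or 'travinfor.com.example' do not match.
    pattern = r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])"
    return re.search(pattern, text) is not None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every IoC seen in the lines."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        lower = line.lower()
        for d in IOC_DOMAINS:
            if _host_match(refang(d), lower):
                hits.append((n, "domain", d))
        for p in IOC_URI_PATHS:
            if p in line:
                hits.append((n, "uri", p))
        for f in IOC_FILES:
            if f.lower() in lower:
                hits.append((n, "file", f))
        for t in IOC_TASKS:
            if t.lower() in lower:
                hits.append((n, "task", t))
        for token in MD5_TOKEN.findall(lower):
            if token in IOC_MD5:
                hits.append((n, "md5", token))
    return hits


# Constructed sample lines (proxy, Security 4698 task creation, Sysmon file create);
# hosts, users and timestamps are invented for the demonstration.
SAMPLE_LOG = [
    "2022-06-01T10:00:01Z proxy src=10.0.0.5 dst=travinfor.com uri=/actions/async.php status=200",
    "2022-06-01T10:00:02Z proxy src=10.0.0.5 dst=intranet.example.local uri=/index.html status=200",
    "2022-06-01T10:00:03Z security eid=4698 task=\\UpdateModel Task user=WORKSTATION\\alice",
    "2022-06-01T10:00:04Z sysmon eid=11 image=C:\\Users\\alice\\AppData\\Local\\Temp\\devZUQVD.tmp "
    "md5=EA71FCC615025214B2893610CFAB19E9",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value}")
```

A proxy line that matches a domain and one of the unique URI paths on the same request is the strongest signal, because the C2 domains are compromised legitimate sites and the path is what distinguishes beacon traffic from ordinary browsing to them.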
Read more: https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets