Level 4
ESET research gives a detailed picture of the operations of the Evilnum group and its toolkit deployed in attacks against carefully chosen targets in the fintech sector

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates.
In this article we connect the dots and disclose a detailed picture of Evilnum’s activities. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.
According to ESET’s telemetry, the targets are financial technology companies – for example, companies that offer platforms and tools for online trading. Although most of the targets are located in EU countries and the UK, we have also seen attacks in countries such as Australia and Canada. Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks.
The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers. Some examples of the information this group steals include:
  • Spreadsheets and documents with customer lists, investments and trading operations
  • Internal presentations
  • Software licenses and credentials for trading software/platforms
  • Cookies and session information from browsers
  • Email credentials
  • Customer credit card information and proof of address/identity documents
According to what we have seen during our investigation, the group has also gained access to IT-related information such as VPN configurations.