As if cryptocurrency and decentralized finance (DeFi) players didn’t have enough to worry about from the recent market crash, according to research from Proofpoint, these companies are once again being targeted by a new malware that creates a backdoor for data theft.
Dubbed TA4563 by researchers, the threat actor has targeted its “EvilNum” malware at European finance and investment firms specializing in currency exchange and commodities, cryptocurrency and DeFi, installing a backdoor in their systems that allows cybercriminals to steal valuable information or lie in wait for further opportunities to compromise these financial platforms. In fact, the EvilNum malware contains “several interesting components to evade detection and modify infection paths based on identified antivirus software,” according to key findings published by Proofpoint researchers.
The activity described in the EvilNum report includes low-level targeted activity, according to Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “Although the targeting includes organizations related to DeFi, the malware deployed is used for reconnaissance and data theft and is not specific to cryptocurrency theft,” DeGrippo said during an interview.
Proofpoint Threat Research has tracked the group behind the EvilNum malware and its attacks on various European financial and investment firms since late 2021. Recently, the threat group has been “exclusively” targeting the DeFi industry in its campaigns, and its activities have even overlapped with those of another black hat group called “DeathStalker”, which has been around for at least four years. In late June, Zscaler also released reports of EvilNum attacks it tracked earlier this year targeting financial technology (fintech) companies and businesses involved in commerce and compliance across the UK and Europe.
As of March 2022, EvilNum targeted intergovernmental organizations focused on international migration assistance, according to Proofpoint, which indicated that these targets were likely chosen “to coincide with the Russia-Ukraine conflict.” EvilNum has evolved over the past few months, with different versions using a mix of ISO, Microsoft Word and Shortcut files to test the malware’s delivery mechanisms.
According to Dov Lerner, head of security research at global threat intelligence firm Cybersixgill, despite the potential downsides of this criminal activity, targeting financial firms that trade in cryptocurrency and other currencies and commodity exchanges is a calculated decision. While payments on the dark web are generally made in cryptocurrency, actual prices are generally quoted in dollars, he pointed out. “Cryptocurrency has always been very volatile,” Lerner added, “so by pegging the prices of goods and services to the dollar, the underground is built to be resilient to swings in crypto prices.”
“We have seen many signs that run-of-the-mill dark web players have lost a significant amount of money that they have stored in cryptocurrency,” Lerner said. “But we would imagine the larger criminal establishments would be more financially savvy and multi-currency hedge their funds to avoid exposure to a fall in crypto prices.”
According to DeGrippo, these increasingly opportunistic attacks are in all likelihood part of a larger cybercrime puzzle, with syndicates using the access and intelligence gleaned through their malware and backdoors to commit broader wrongdoing.
“Threat actors often use whatever means necessary to ensure they get the desired financial gain,” DeGrippo said. “This could mean using money mules, laundering conventional cash via stolen bank accounts, or otherwise committing fraud.”
Case in point: The gift card scam is enjoying a significant increase in popularity among threat actors and criminal groups “that do not have a high level of sophistication and easy access to large-scale malware campaigns,” DeGrippo added. In fact, according to AARP, 73 million Americans have recently experienced gift card scams. The Federal Trade Commission said losses from gift card fraud totaled $233 million last year, nearly double the $125 million lost in 2020.
Although Proofpoint did not “observe any follow-up payloads deployed in identified campaigns,” other researchers had found that EvilNum malware tools are also available through Golden Chicken’s Malware-as-a-Service, according to Proofpoint.
“EvilNum malware and the TA4563 group pose a risk to financial organizations,” concluded Proofpoint research. “TA4563 has adapted its attempts to compromise victims using various delivery methods. [W]hile Proofpoint monitored this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their stance as they attempt to compromise.”