Evilnum employs PyVil RAT to target fintechs

The group has a history of abusing the Know Your Customer (KYC) regulations to target financial technology firms

Researchers at Cybereason Nocturnus say that the Evilnum advanced persistent threat (APT) group has been using a new Python-based remote access trojan (RAT) in attempts to steal sensitive data from financial technology organisations.

The group's main goal is to spy on its targets and exfiltrate VPN passwords, email credentials, classified documents and browser cookies.

Evilnum first appeared in 2018, when it employed a variety of attack tactics to target fintech firms across the UK and Europe. The group specifically used spear-phishing emails to pass malicious files as scans of utility bills, credit cards, driving licenses and other verification documents required by know-your-customer (KYC) regulations in the financial sector.

The researchers suspect that Evilnum also provides APT-style hacker-for-hire services to other threat groups.

Cybereason researchers, who have been observing Evilnum for the past two years, claim to have noticed many changes in its infrastructure and infection chain, enabling the group to evade detection.

Instead of using multiple LNK files posing as pictures, Evilnum's ZIP archives now contain a single LNK file, impersonating a PDF document with scans of KYC documents. JavaScript attached to this file serves as a dropper. Instead of a large JavaScript-based Trojan, it deploys the 'PyVil' RAT written in Python.

According to researchers, PyVil is designed with a multitude of capabilities, such as downloading additional Python scripts, delivering more executables, stealing credentials, opening SSH shells and running commands on the system.

The malware is also able to take screenshots, perform keylogging and gather vital information, such as the antivirus products installed on the system, the Chrome version running and connected USB devices.

The code within the executable remains concealed under extra layers to prevent decompilation of the payload and to enable the RAT to perform its functions.

The researchers have also noticed the PyVil RAT downloading a custom version of a password dumping tool called LaZagne. This post-exploitation tool is written in Python and is popular among penetration testers. It can extract passwords from various applications, including chat programmes, browsers, databases, games and more.

"This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group's arsenal continues to grow," the researchers said.