
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Evilnum

Names: Evilnum (Palo Alto)
       Jointworm (Symantec)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2018
Description: (Palo Alto) We witnessed attacks targeting the financial technology (FinTech) sector, primarily focused on organizations based in Israel. While researching these attacks, we discovered a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.
Observed: Sectors: Financial.
          Countries: Albania, Australia, Belgium, Canada, Cyprus, Czech, Israel, Italy, UK, Ukraine.
Tools used: Bypass-UAC, Cardinal RAT, ChromeCookiesView, Evilnum, IronPython, LaZagne, MailPassView, More_eggs, ProduKey, PyVil RAT, TerraPreter, TerraStealer, TerraTV.
Operations performed:
  May 2020: Operation “Phantom in the [Command] Shell”
    Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020.
    <https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html>
  Aug 2020: In recent weeks, the Nocturnus team has observed new activity by the group, including several notable changes from tactics observed previously.
    <https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat>
Information:
  <https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/>
  <https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/>
  <https://github.com/eset/malware-ioc/tree/master/evilnum>
  <https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf>

Last change to this card: 20 October 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
