Kaspersky researchers have revealed that the hack-for-hire group DeathStalker (whose activity is also tracked under the name Evilnum) has recently been targeting travel agencies as part of a broader campaign against financial investment and legal organizations in Europe and the Middle East, activity the researchers trace back to 2015.
Victims of this wave are located in the UK, Egypt, Saudi Arabia, and the UAE. The intrusions, observed in 2021 and 2022, rely on a revamped version of the group's Janicab malware, which uses public web platforms as dead-drop resolvers: the implant fetches content from a legitimate site and decodes it to learn where its command-and-control (C2) server is.
It Is Believed That the Cyber Criminal Gang Offers Hacker-for-Hire Services
Earlier this week, Kaspersky's Securelist revealed in a report that the threat actor has been using Janicab and other backdoors such as Evilnum and PowerPepper to steal sensitive data from corporations in Europe and the Middle East. Data harvested during these intrusions includes details of investments, trading operations, and customer lists, as well as email credentials and company presentations.
This behaviour has led experts to believe that the threat group offers hacking-for-hire services. It is also possible that the gang acts as an information broker for financial data, which could be used to blackmail high-profile organizations and individuals, gather intelligence about acquisitions, and track financial assets.
The Gang Uses Spear-Phishing Tactics to Infiltrate Targeted Systems
The gang gains initial access through spear-phishing emails carrying a ZIP archive that contains an LNK-based dropper. The lure is a supposed corporate profile of a power hydraulics company; once the recipient opens the shortcut, the dropper deploys a VBScript-based implant (Janicab) that supports command execution and the download of additional tools.
Compared with earlier versions, the updated Janicab drops the audio-recording feature, adds a keylogger module, and adds checks for installed antivirus products. Together with the group's other tooling, these capabilities let the attackers harvest data and keep control of compromised hosts.
Evilnum Has Previously Used YouTube Links to Facilitate Attacks
The group made cyber security news in previous intrusions by using old, unlisted YouTube videos to host encoded strings. Janicab fetched these pages and decoded the strings to recover the IP address of its C2 server, from which it then received further commands and payloads.
Because such links are unlikely to be stumbled upon, and because traffic to YouTube looks like ordinary browsing, this technique gives the gang resilient C2 infrastructure that defenders cannot block without also blocking a legitimate service.
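To make the dead-drop resolver (DDR) step concrete, here is an added Python example, not code from Kaspersky or from the threat actor. The article does not describe Janicab's real marker or encoding, so the `<<...>>` delimiters, the base64 encoding and the sample page body below are assumptions constructed for illustration; the point is the shape of the technique: scrape a public page, pull out a marked token, decode it to a C2 endpoint, and discard junk.

```python
"""Toy dead-drop resolver (DDR) decoder, as a defender would write it to
extract C2 indicators from a public page the implant is known to fetch.

Added example for this article, not Kaspersky's or the actor's code.
The '<<...>>' markers and base64 encoding are ASSUMPTIONS; Janicab's
actual format is not given in the article.
"""
import base64
import ipaddress
import re
from typing import List, Optional, Tuple

MARKER_RE = re.compile(r"<<([A-Za-z0-9+/=]{4,})>>")

# Ranges an implant (or an analyst) would never treat as a real C2 endpoint.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _token(text: str) -> str:
    """Helper used only to build the constructed sample page."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample of a public page body (e.g. a video description).
# It carries one decoy token, one private-range entry that must be rejected,
# and one usable endpoint (198.51.100.23 is a documentation-range address).
SAMPLE_PAGE = f"""
<html><body>
<p>Summer trip 2019, thanks for watching!</p>
<p>code: <<{_token("hello world")}>></p>
<p>code: <<{_token("10.0.0.5:8080")}>></p>
<p>code: <<{_token("198.51.100.23:443")}>></p>
</body></html>
"""


def extract_tokens(page: str) -> List[str]:
    """Return every marker-delimited token found in the page body."""
    return MARKER_RE.findall(page)


def decode_endpoint(token: str) -> Optional[Tuple[str, int]]:
    """Decode one token to (ip, port); None if it is not a plausible endpoint."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    host, _, port = raw.partition(":")
    try:
        ip = ipaddress.ip_address(host)
        port_n = int(port) if port else 443  # assumed default when no port is given
    except ValueError:
        return None
    if ip.version != 4 or any(ip in net for net in RFC1918):
        return None
    if ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified:
        return None
    if not 0 < port_n < 65536:
        return None
    return str(ip), port_n


def resolve_c2(page: str) -> List[Tuple[str, int]]:
    """Full resolver step: scrape the page, decode each token, keep valid endpoints."""
    found = []
    for tok in extract_tokens(page):
        endpoint = decode_endpoint(tok)
        if endpoint is not None:
            found.append(endpoint)
    return found


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PAGE))  # [('198.51.100.23', 443)]
```

Run against a real page, the same two-stage design (lenient extraction, strict validation) lets an analyst recover the endpoints an implant would actually use while ignoring decoys and ordinary page text. Blocking the resolved IP is the actionable outcome; the host serving the dead drop is a legitimate site and cannot simply be blocked.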
The most recent intrusions in 2022 show that Evilnum has kept updating its malware and improvising new tooling over the years it has been operating.
Organizations Within the Financial and Legal Sectors Are Advised to Monitor Cyber Security Risks
As the financial and legal sectors have been consistent targets of this threat actor, organizations in these sectors are advised to monitor their exposure closely and, in particular, to watch Internet Explorer activity on their endpoints, since Janicab drives hidden Internet Explorer instances to reach its dead-drop and C2 infrastructure.
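One way to act on that advice is a process-lineage hunt over endpoint telemetry. The following is an added Python example, not code from Kaspersky or any vendor. Its assumptions: the CSV event records are constructed to resemble Sysmon process-creation fields; and the heuristic relies on two facts about COM-activated local servers on Windows (the new process is given a `-Embedding` argument and is spawned under the DcomLaunch `svchost.exe`, not under the script that called `CreateObject`), so it flags an `iexplore.exe -Embedding` that starts shortly after a script host on the same machine rather than looking for a direct parent-child link.

```python
"""Hunt for script-driven, COM-activated Internet Explorer instances.

Added example for this article, not vendor code. Event format is a
constructed Sysmon-like CSV; the correlation window is an assumption.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry: process-creation events on three hosts.
# Row 3 is the suspicious one: IE launched via COM two seconds after a
# script host started a .vbs from a Temp directory on the same host.
SAMPLE_EVENTS = r"""time,host,image,parent_image,command_line
2022-12-01T09:14:02,WS-0123,C:\Program Files\Internet Explorer\iexplore.exe,C:\Windows\explorer.exe,iexplore.exe https://intranet.example
2022-12-01T09:14:41,WS-0123,C:\Windows\System32\wscript.exe,C:\Windows\explorer.exe,wscript.exe //B C:\Users\a\AppData\Local\Temp\profile.vbs
2022-12-01T09:14:43,WS-0123,C:\Program Files\Internet Explorer\iexplore.exe,C:\Windows\System32\svchost.exe,iexplore.exe -Embedding
2022-12-01T10:02:10,WS-0456,C:\Program Files\Internet Explorer\iexplore.exe,C:\Windows\System32\svchost.exe,iexplore.exe -Embedding
2022-12-01T10:30:00,WS-0789,C:\Windows\System32\cscript.exe,C:\Windows\explorer.exe,cscript.exe //B logon.vbs
"""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict]:
    """Parse CSV telemetry into dicts with a datetime and normalised image names."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "host": row["host"],
            "image": _basename(row["image"]),
            "parent_image": _basename(row["parent_image"]),
            "command_line": row["command_line"],
        })
    return sorted(events, key=lambda e: e["time"])


def hunt(events: List[Dict], window: timedelta = timedelta(seconds=30)) -> List[Dict]:
    """Flag COM-activated IE (-Embedding) preceded by a script host on the same host.

    A lone -Embedding launch (row 4) is not alerted here: Office and other
    legitimate automation also activate IE via COM, so the script-host
    correlation is what lifts the event above background noise.
    """
    alerts = []
    for ev in events:
        if ev["image"] != "iexplore.exe" or "-embedding" not in ev["command_line"].lower():
            continue
        for prior in events:
            if prior["host"] != ev["host"] or prior["image"] not in SCRIPT_HOSTS:
                continue
            if timedelta(0) <= ev["time"] - prior["time"] <= window:
                alerts.append({
                    "host": ev["host"],
                    "ie_time": ev["time"].isoformat(),
                    "script_command_line": prior["command_line"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Tune the window to your environment and add the host's outbound connections from the flagged `iexplore.exe` (for example, requests to video-sharing sites with no interactive user) as a second signal; that combination is what distinguishes a dead-drop fetch from a user browsing with an old browser.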