The Evilnum hacking group have been targeting European organisations that are involved in international migration, showing renewed signs of malicious activity within the group.
Zscaler’s analysts have discovered the latest exposure, having been tracking Evilnum’s activity since the beginning of 2022. They have captured various artefacts from the attacks.
The targeting and timing coincided with the Russian invasion of Ukraine, with key migration organisations receiving malicious emails containing macro-laden documents.
The documents used by Evilnum in the campaign carry varying filenames, usually containing the term “compliance.” Zscaler identified at least nine different documents used, as mentioned in the IoC section of the report.
This, in turn, decrypts and drops a malware loader (“SerenadeDACplApp.exe”) and an encrypted binary (“devZUQVD.tmp”), and also creates a scheduled task (“UpdateModel Task”) for persistence.
In addition, the backdoor is capable of capturing system snapshots and transmitting them to the C2 server via POST requests. This allows the data to be exfiltrated in an encrypted format.
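The article names three host artefacts a defender can hunt for: the dropped loader, the encrypted binary next to it, and the persistence task. The following Python is an added example written for this page, not code from Zscaler or from the report; it runs a simple matcher over constructed host-telemetry lines (the pipe-delimited format, the sample hostnames and paths are all invented here) and raises an alert for each file drop or scheduled-task creation that matches one of the names quoted above.

```python
"""Added example (not from the Zscaler report): flag host telemetry that
matches the Evilnum file and scheduled-task names quoted in the article.
The log format below is a constructed, simplified one: '<event>|k=v|k=v'.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Names quoted in the article. Compared case-insensitively because Windows
# file names and task names are not case-sensitive.
EVILNUM_FILE_IOCS = {"serenadedacplapp.exe", "devzuqvd.tmp"}
EVILNUM_TASK_IOCS = {"updatemodel task"}


@dataclass
class Alert:
    line_no: int     # 1-based index into the scanned log
    kind: str        # "file_drop" or "scheduled_task"
    indicator: str   # the matched name, normalised to lower case
    host: str


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split '<event>|key=value|...' into the event name and its fields."""
    parts = line.strip().split("|")
    fields: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return parts[0].strip(), fields


def basename(path: str) -> str:
    """Last path component, tolerating both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan(lines: List[str]) -> List[Alert]:
    """Return one Alert per log line that matches a file or task IoC."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        event, f = parse_line(line)
        host = f.get("host", "?")
        if event == "FileCreate":
            name = basename(f.get("path", "")).lower()
            if name in EVILNUM_FILE_IOCS:
                alerts.append(Alert(n, "file_drop", name, host))
        elif event == "TaskCreate":
            # Task names may be logged with a leading backslash (\Name).
            task = f.get("task", "").lstrip("\\").lower()
            if task in EVILNUM_TASK_IOCS:
                alerts.append(Alert(n, "scheduled_task", task, host))
    return alerts


# Constructed sample telemetry: two benign lines and three that match.
SAMPLE_LOG = [
    "FileCreate|host=WS-01|path=C:\\Users\\alice\\AppData\\Roaming\\SerenadeDACplApp.exe",
    "FileCreate|host=WS-01|path=C:\\Users\\alice\\AppData\\Roaming\\devZUQVD.tmp",
    "FileCreate|host=WS-02|path=C:\\Program Files\\Vendor\\updater.exe",
    "TaskCreate|host=WS-01|task=\\UpdateModel Task",
    "TaskCreate|host=WS-02|task=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.kind} '{a.indicator}' on {a.host}")
```

Name-based indicators like these are cheap for an operator to rotate, so the matcher is a starting point for a hunt rather than a complete detection; pairing it with behavioural telemetry (an Office process writing an executable to a user profile, or a newly created task pointing into that profile) covers the case where the names change but the technique described above does not.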