CyberWire Daily - Evilnum APT returns with new targets. [Research Saturday]
Episode Date: September 10, 2022

Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler's ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template feature of MS Office Word to inject a malicious payload onto the victim's machine. There are three new instances of the campaign, including updated tactics, techniques, and procedures. Researchers have been closely monitoring Evilnum APT's activity. They say ThreatLabz identified several domains associated with the Evilnum APT group, which led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time." The research can be found here: Return of the Evilnum APT with updated TTPs and new targets
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
What we saw since the beginning of 2022 was a lot of new campaigns where the tactics,
techniques and procedures that were being leveraged changed significantly.
That's Deepen Desai. He's Global CISO and Head of Security Research and Operations at Zscaler.
The research we're discussing today is titled Return of the Evilnum APT with Updated TTPs and New Targets.
Change in the targets was one of the things.
Change in the way the payloads were being delivered was another.
And the overall success in terms of staying undetected,
like some of the IOCs that were involved,
was also interesting in these campaigns.
And is that in general, I mean, point to a well-resourced,
well-funded, well-run organization?
That is, yes, usually the case with some of these well-funded,
well-run APT groups that we observe.
It's just when we see a significant change
in some of the techniques that they've been using,
I mean, it's definitely a much bigger undertaking on their part to go through.
And we'll talk about some of those techniques in this call.
Well, let's dig into some of the details then. I mean, do we want to start off?
Is it useful to have a little bit of history here of where Evilnum began,
the types of things that they were known for before we get into some of the changes?
Yeah, absolutely. So, I mean, the key targets for the Evilnum APT group have been
primarily financial services organizations. And they were targeting companies dealing with
trading and compliance primarily in the region of UK and overall Europe, to be honest. So that's why we were seeing a lot of these activities.
What changed, and this is as of March of 2022,
we observed the update in terms of the choice of targets.
And one of the primary ones that really drew our attention
was them starting to target an intergovernmental organization,
which deals with international migration services. And the other interesting part was the timeline
of attack and the nature of the target chosen coincided with the Russia-Ukraine conflict as
well.
Who do we suppose is behind Evilnum? Do we have a good sense there?
That's where the attribution in terms of the country behind it, I would stay away from that
for this group. There are a couple regions, but yeah, this one will stay away from that.
Well, let's dig into some of the other things that you're observing here. I mean,
what are they up to these days that caught your eye?
I'll dive into the campaign that we uncovered
and then published our analysis.
Number one, back in the day they were using,
and this is as early as last year,
some of the campaigns that the team observed.
We noticed them using mostly Windows shortcut files,
which is LNK files sent inside a zip archive,
which are usually sent through email attachments
or getting a user to click on the link to download them.
In the most recent one, and I'm talking about the March one,
they started leveraging macro documents and using
template injection technique, which is used by many other groups as well. But what was unique
over here was they were also making use of something that we call VBA code stomping technique.
And I'll explain it in easier terms what that means.
It's a macro document using template injection leveraging VBA stomping
technique. The outcome of this is it is able to bypass a lot of static analysis
tools as well as also deters reverse engineering from
the security analysts. What the VBA code stomping technique does
is it essentially destroys the original source code
and only a compiled version of the VBA macro code
is stored inside the document.
It's also known as P code.
That's what causes the static tools at times to not detect this.
So it makes it more challenging to reverse engineer.
Yes, and that as well.
So detecting it using those static analysis tools
by various security engines, that becomes challenging.
And also to analyze by the researchers using automation
as well as even manually.
You need to have a few extra steps before you figure out what's going on.
So that's the stage one.
It starts with that, then it delivers a heavily obfuscated JavaScript,
which is further used to download and decrypt the encrypted binary on the endpoint.
So that's another way in which they are keeping
that final payload, shielded from getting detected.
And here as well, we saw several new techniques.
The way the code is obfuscated.
You will see many other groups leveraging obfuscated JavaScript as well.
But there are a few things that we have documented in our analysis.
One of the ones that I would call out is them making use of this shuffling technique.
In easier terms, think of an obfuscated JavaScript code where there's an array of strings, and
those strings are basically getting replaced by the actual code when the code becomes de-obfuscated.
And there are a lot of automated tools that are able to do this process of de-obfuscation automatically.
With this shuffling technique, there is an added layer of obfuscation that happens
before you're able to replace those strings or variables with the actual piece of code.
So that also breaks a lot of the automation and makes it difficult for the static tools to detect.
So that's the second stage payload
where this obfuscated JavaScript is involved.
And that is responsible for, as I said,
decrypting the binary payload.
And at the binary payload stage,
they're again using a technique called Heaven's Gate technique. And this is not a new
technique. It has been used by other groups as well. It's basically a method
for running 64-bit code in a
32-bit process. And again, the goal over here is to
evade some of the security scanners when they're trying to
deliver this malicious payload.
Is it a case with obfuscation, as you're describing here?
Is this a bit of a cat and mouse thing
where you'll see innovation from the APT group
and then eventually will the tools used to analyze it
catch up to that?
Absolutely, yes.
I mean, there are new techniques that we observe being used by them.
And we always talk about how these APT groups have access to many of the tools
that we as security researchers have access to as well,
like things like VirusTotal or their own version of VirusTotal, for instance, where they will test out security scanners, they will test out even the publicly exposed sandboxes and figure out ways to folks discover them. They will try to make sure that the engines are updated
to handle that newer technique as well. So it is cat and mouse game. Now, the amount of
coverage that you are able to achieve with those updates, you shouldn't just add coverage for what
you just observed, but also take into account future variations.
They did this, they could do similar things on 10 other areas.
That will be the difference between the future campaigns being successful, as successful as the one which we just talked about.
Is it fair to say that for folks like yourself who are looking into this sort of thing, part of the fun is figuring out what's going on here and trying to see where they're going next?
Absolutely.
I mean, that's why most security folks will say there's never a dull day.
You're always learning newer stuff, right?
There's constant evolution happening on both sides of the table.
Well, let's talk about persistence. How do they maintain that?
In this case, and that was another part where they were trying to evade detection,
where they were making use of
the well-known process names from Windows OS
when the binary is getting dropped.
It's basically spoofing legitimate Windows, as well as some third-party, binary
names that were being leveraged for dropping.
And to achieve persistence, they will basically create a scheduled task that will ensure that
the payload executes every time the Windows system starts.
Is there an effort to hide that as well, the scheduled tasks, to evade detection?
I mean, that's where the names that they're choosing, as well as the directory structure,
if you notice, they're putting the binary inside Microsoft font-related folders.
I see.
And then the name chosen for the scheduled task is also "update model task."
So it's fairly generic,
leveraging Microsoft font directory structure.
So yes, that basically helps them
hide the persistent command.
I see. No, it makes total sense.
Well, let's move on to the next stage then.
Where are they actually dropping on the system?
Yeah, so this is where once the binary is dropped in that fonts folder, that's where
it will be executed from.
And even on the execution stage, I mentioned about Heaven's Gate technique.
That's how the actual malicious payload,
the backdoor payload that will be responsible for C&C activity, will get decrypted in memory.
This binary will then choose the C&C domain for performing the command and control activity,
receiving commands, responding back with information
that the threat actor is interested in. Here as well, when we looked at the domains that were
involved, many of them were registered to match the target organization.
So some of them were typosquatted. Some of them were matching well-known services.
Some of them were even matching the themes that were going on.
If you look at it, there's a domain called covdd.org. It's a COVID-related domain.
Then there was azuredcloud.com, another typosquatted domain. Azure Cloud is what is being used.
There's a misspelled one for Norton Analytics
where the N is missing as part of the analytics.
Many of these domains, they managed to keep undetected
for months, actually.
What are they after here?
So this is definitely a financially motivated group.
They're after your dollars, right?
They will steal information.
Yeah, exactly.
And we've seen in the past them using crypto theme,
finance themes.
Their main motive is to gain dollars. So crypto finance and immigration is what we have seen in the past two years being leveraged as themes by this group.
And so what are your recommendations then for organizations to best protect themselves?
Yeah, so in this case, again, I always go back to the zero trust fundamental pillars, right?
Especially in this day and age where you have this
hybrid remote workforce, right? Folks coming into the office, folks
still working remote or doing both. You need to ensure
you have consistent security being applied to all your endpoints when they're
egressing to the internet.
So the four pillars that I always call out are: prevent compromise.
That's where you ensure consistent security policies are applied no matter where your
endpoints are.
Prevent lateral movement.
The damage is fairly limited when they manage to hit one of your endpoints.
But as soon as that blast radius increases from one endpoint to your entire network,
that's when it translates into an organization-wide breach.
In this case, they will have access to a much broader data set.
So have controls in place like user-to-app, app-to-app micro-segmentation to prevent that lateral movement.
Prevent data exfiltration where you're actually inspecting everything that leaves your endpoints.
Very important to block this type of exfiltration attempt.
And then finally, you need to reduce your external attack surface.
Anything that is exposed to the internet is what many of these threat actors go after.
The easy entry points into your environment.
Now, one specific engine, which I would like to say is a must-have for most enterprises, and that's what most security peer leaders that I talk to believe as well, is having the ability to perform
inline cloud sandboxing. Right? As I described, the payloads and the techniques that they were using were brand new.
So unless you detonate that payload and observe the behavior and block it at the time the attack is happening,
that specific engine plays a very important role in achieving that.
It also strikes me that this could be a good case for the use of threat intelligence.
If you have someone on the lookout for things like the typo squatting, as you were saying,
registering domains that are similar to things that are of interest to your organization,
that could have value as well.
Absolutely.
Yeah, keeping an eye on newly registered domains,
as you mentioned, typosquatted domain detection.
And then ultimately when you discover these kind of things,
sharing is caring.
And having all the security vendors,
all the security community,
making them aware of these new TTPs.
So we all as a group come up with newer countermeasures,
whether it's adding coverage for the IOCs observed or whether it's adding coverage for the overall techniques
that were seen so that even if the IOCs change,
we're still able to block these type of attacks.
Our thanks to Deepen Desai from Zscaler for joining us.
The research is titled Return of the Evilnum APT with Updated TTPs and New Targets.
We'll have a link in the show notes.
Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.