Evilnum
Evilnum is a financially motivated threat actor associated with targeting traders, brokerage customers, and financial trading platforms. Reporting links Evilnum to the DarkMe malware, and Group-IB attributed DarkMe to Evilnum. Reporting also states that WaterHydra/DarkCasino splintered from Evilnum in late 2022, and that later WaterHydra activity shared a developer path (C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb) with a July 2022 Evilnum-linked DLL, indicating lineage between the two groups.

Observed tradecraft includes spearphishing emails containing links to ZIP archives hosted on Google Drive, as well as lures designed to trick recipients into opening malicious shortcut links that result in .LNK download and execution. Evilnum has run malicious JavaScript files on victim machines, used PowerShell to bypass User Account Control, and used TerraLoader to check hardware and file information for sandbox detection. The actor collects email credentials, obtains usernames from victim machines, and steals browser cookies and web session information. Evilnum has also used Windows Management Instrumentation (WMI) to enumerate infected machines, deployed additional components or tools as needed, and deleted files used during infection for cleanup.

Reporting states that Evilnum used the TerraTV malware variant to load a malicious DLL from the TeamViewer directory instead of the legitimate Windows DLL in a system folder, and to run a legitimate TeamViewer application to connect to compromised machines. This is DLL hijacking/sideloading combined with abuse of legitimate remote desktop software for access to victim systems. Reporting also notes that the Golden Chickens malware-as-a-service has been used by groups including Evilnum.

Known aliases and related names directly mentioned in the reporting: Evilnum / EVILNUM; predecessor group to WaterHydra / DarkCasino.
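The TeamViewer sideloading pattern above is something a defender can look for in endpoint telemetry. The following is an added detection example, not code from Mallory or from any of the cited reports: it runs a simple heuristic over constructed Sysmon-style ImageLoad (Event ID 7) records, flagging a TeamViewer process that loads a DLL whose name belongs in a Windows system folder from a non-system path. The DLL-name baseline and all sample paths are assumptions chosen for illustration, not indicators from reporting.

```python
# Added example (not from the page or any vendor report): a detection heuristic
# for the TeamViewer DLL sideloading pattern, run over constructed Sysmon-style
# ImageLoad (Event ID 7) records. DLL names and paths below are placeholders.
from pathlib import PureWindowsPath

# Constructed baseline (assumption): DLL names that a legitimately installed
# TeamViewer would normally resolve from the Windows system folders.
SYSTEM_DLL_BASELINE = {"version.dll", "cryptbase.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(event: dict) -> bool:
    """True when a TeamViewer process loads a DLL whose name belongs in a
    system folder, but the file was loaded from somewhere else (for example
    the application's own directory), which is the sideloading pattern."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if "teamviewer" not in image.name.lower():
        return False
    if loaded.name.lower() not in SYSTEM_DLL_BASELINE:
        return False
    return not str(loaded).lower().startswith(SYSTEM_DIRS)


def find_sideloads(events: list[dict]) -> list[dict]:
    """Return the subset of ImageLoad events that match the heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample events: a benign load from System32, a same-named DLL
# loaded from the TeamViewer directory, and an unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

The baseline set should be built from a known-good install in your own environment; a name-only match is a triage signal, not proof of compromise.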
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
27 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
1 indicator attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting). View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed as a threat actor associated with the MMC/GrimResource detection analytic.
Referenced as a threat actor associated with the execution flow hijack / mock trusted directory MSC file creation technique.
Historical predecessor group tied by lineage and developer artifacts to later WaterHydra/DarkCasino activity. In this source, Evilnum is primarily discussed as the earlier cluster in a lineage chain leading to current DarkMe-related operations.
Earlier cluster connected in the report through a 2022 DarkMe DLL that shares the same developer workspace artifact later seen in WaterHydra samples. The report frames DarkCasino/WaterHydra as initially part of Evilnum before splitting off.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.