The email's RAR attachment contains an EXE file: the first malware, which downloads the second. The stolen data is exfiltrated via SMTP.
Cybereason: Evilnum is spreading a new RAT, PyVil. The malware, written in Python, has multiple functionalities: it enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy more tools in order to steal credentials.
The cyber security experts: the cybercrime gang also exploits a new infrastructure
Moreover, in the group's previous campaigns, Evilnum's tools avoided using domains in communications with the C2 and only used IP addresses. In recent weeks, cyber security experts encountered an interesting trend in the cybercrime gang's growing infrastructure. By tracking the new infrastructure that Evilnum has built recently, a pattern of expansion can be seen: while the C2 IP address changes every few weeks, the list of domains associated with that IP address keeps growing. A few weeks ago, three domains associated with the malware resolved to the same IP address. Shortly thereafter, the C2 IP address of all three domains changed, and three new domains were registered on the same IP address and used by the malware. A few weeks later, this change occurred again: the resolution address of all domains changed in the span of a few days, with the addition of three new domains.
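The expansion pattern described above (a set of domains that co-resolve to one C2 IP, then move together to a new IP while new domains join it) can be surfaced from passive-DNS records. The following is an added example, not code from Cybereason or the report; the domain names, IP addresses and dates are constructed placeholders.

```python
# Added example: group passive-DNS records by IP and flag IP pairs to which
# the same cluster of domains migrated, reporting the domains that joined.
# All records below are constructed sample data with placeholder names/IPs.
from collections import defaultdict
from datetime import date

# Constructed sample: three domains on IP A move together to IP B, where
# three more domains join; one unrelated domain lives elsewhere.
SAMPLE_RECORDS = [
    ("c2-one.example", "198.51.100.10", date(2020, 6, 1)),
    ("c2-two.example", "198.51.100.10", date(2020, 6, 1)),
    ("c2-three.example", "198.51.100.10", date(2020, 6, 2)),
    ("c2-one.example", "203.0.113.20", date(2020, 6, 20)),
    ("c2-two.example", "203.0.113.20", date(2020, 6, 21)),
    ("c2-three.example", "203.0.113.20", date(2020, 6, 21)),
    ("c2-four.example", "203.0.113.20", date(2020, 6, 22)),
    ("c2-five.example", "203.0.113.20", date(2020, 6, 22)),
    ("c2-six.example", "203.0.113.20", date(2020, 6, 23)),
    ("unrelated.example", "192.0.2.5", date(2020, 6, 1)),
]


def domains_by_ip(records):
    """Map each IP to the set of domains that ever resolved to it."""
    groups = defaultdict(set)
    for domain, ip, _seen in records:
        groups[ip].add(domain)
    return groups


def track_migrations(records, min_shared=3):
    """Return (old_ip, new_ip, shared_domains, new_domains) for every IP pair
    where at least `min_shared` domains resolved to both and the new IP was
    first seen after the old one: the 'move together and grow' pattern."""
    groups = domains_by_ip(records)
    first_seen = {}
    for _domain, ip, seen in records:
        first_seen[ip] = min(first_seen.get(ip, seen), seen)
    found = []
    for old_ip, old_doms in groups.items():
        for new_ip, new_doms in groups.items():
            if old_ip == new_ip or first_seen[new_ip] <= first_seen[old_ip]:
                continue
            shared = old_doms & new_doms
            if len(shared) >= min_shared:
                found.append((old_ip, new_ip, sorted(shared),
                              sorted(new_doms - old_doms)))
    return found
```

Running `track_migrations(SAMPLE_RECORDS)` on the constructed data yields one migration, from 198.51.100.10 to 203.0.113.20, with the three original domains shared and three new ones added; on real passive-DNS data the same co-migration signal helps pivot from one known C2 IP to the sibling domains that are not yet blocked.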