Skip to content

G0120 Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.1

Item Value
ID G0120
Associated Names
Version 1.0
Created 22 January 2021
Last Modified 27 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Evilnum has used PowerShell to bypass UAC.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.007 JavaScript Evilnum has used malicious JavaScript files on the victim’s machine.1
enterprise T1555 Credentials from Password Stores Evilnum can collect email credentials from victims.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Evilnum has deleted files used during infection.1
enterprise T1105 Ingress Tool Transfer Evilnum can deploy additional components or tools as needed.1
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.1
enterprise T1219 Remote Access Software EVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromrised machines.1
enterprise T1539 Steal Web Session Cookie Evilnum can steal cookies and session information from browsers.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. 1

Software

ID Name References Techniques
S0568 EVILNUM 2 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Exfiltration Over C2 Channel Indicator Removal Timestomp:Indicator Removal Ingress Tool Transfer Modify Registry Security Software Discovery:Software Discovery Steal Web Session Cookie Regsvr32:System Binary Proxy Execution Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery One-Way Communication:Web Service Windows Management Instrumentation
S0349 LaZagne 1 Keychain:Credentials from Password Stores Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores /etc/passwd and /etc/shadow:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0284 More_eggs 1 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File Deletion:Indicator Removal Ingress Tool Transfer Obfuscated Files or Information Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls Regsvr32:System Binary Proxy Execution System Information Discovery Internet Connection Discovery:System Network Configuration Discovery System Network Configuration Discovery System Owner/User Discovery

References

  1. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  2. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.