S0568 EVILNUM
EVILNUM is a fully capable backdoor that was first identified in 2018. It is used by the APT group of the same name, Evilnum.[1][2]
Item | Value |
---|---|
ID | S0568 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 28 January 2021 |
Last Modified | 19 January 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | EVILNUM can achieve persistence through the Registry Run key.[1][2] |
enterprise | T1041 | Exfiltration Over C2 Channel | EVILNUM can upload files from the infected host over the C2 channel.[2] |
enterprise | T1070 | Indicator Removal | EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[2] |
enterprise | T1070.006 | Timestomp | EVILNUM has changed the creation date of files.[2] |
enterprise | T1105 | Ingress Tool Transfer | EVILNUM can download files to and upload files from the victim's computer.[1][2] |
enterprise | T1112 | Modify Registry | EVILNUM can make modifications to the Registry for persistence.[2] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | EVILNUM can search for anti-virus products on the system.[2] |
enterprise | T1539 | Steal Web Session Cookie | EVILNUM can harvest cookies and upload them to the C2 server.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.010 | Regsvr32 | EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.[1] |
enterprise | T1218.011 | Rundll32 | EVILNUM can execute commands and scripts through rundll32.[2] |
enterprise | T1082 | System Information Discovery | EVILNUM can obtain the computer name from the victim's system.[2] |
enterprise | T1033 | System Owner/User Discovery | EVILNUM can obtain the username from the victim's machine.[2] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.003 | One-Way Communication | EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.[2] |
enterprise | T1047 | Windows Management Instrumentation | EVILNUM has used Windows Management Instrumentation (WMI) to enumerate infected machines.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0120 | Evilnum | [2] |