APT Group Targeting FinTech Sector Changes Method of Attack

  • APT group Evilnum, known for its targeting of financial technology companies via fake know your customer (KYC) documents, has undergone a significant change in tactics and armory recently that the FinTech sector must be made aware of…
  • Instead of delivering four different LNK files in a zip archive, each of which is replaced by a JPG file once run, only one LNK file is now archived, masquerading as a PDF that supposedly contains several documents such as utility bills and credit card photos.
  • When the LNK file is executed, a JavaScript file is written to disk and executed, replacing the LNK file with a PDF.
  • This JavaScript is the first stage of the infection chain, which leads to the delivery of a new Python RAT developed by Evilnum, dubbed PyVil RAT.
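
The lure described in the bullets above (a single LNK archived under a document-like name so it passes for a PDF of KYC paperwork) can be screened for at the mail gateway or sandbox before anything is opened. The following is an added example written for this page, not code from the original article or from any vendor: it inspects each entry of a zip archive, compares what the file name claims with what the bytes actually are, and flags Windows shell links regardless of extension. The archive it scans is constructed inline and is not a real Evilnum artifact; the only external facts it relies on are the fixed 20-byte Shell Link header (HeaderSize 0x4C plus the link CLSID) and the `%PDF-` signature.

```python
"""Screen a zip archive for Windows shortcut (.lnk) entries posing as documents.

Added example (not from the original article). The sample archive below is
constructed for illustration and is not an actual Evilnum artifact.
"""
import io
import zipfile

# Fixed prefix of a Windows Shell Link (.lnk) file:
# HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PDF_MAGIC = b"%PDF-"
# Extensions a lure typically borrows to look like a harmless document or image.
DOCUMENT_LIKE = (".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png")


def classify_entry(name: str, head: bytes) -> dict:
    """Compare what an entry claims to be (by name) with what it is (by bytes).

    `head` is the first few dozen bytes of the entry's content.
    """
    lower = name.lower()
    claimed = lower.rsplit(".", 1)[-1] if "." in lower else ""
    is_lnk = head.startswith(LNK_MAGIC)
    is_pdf = head.startswith(PDF_MAGIC)
    # "KYC_documents.pdf.lnk" carries a document extension *inside* the name;
    # Explorer hides the trailing .lnk, so the user sees "KYC_documents.pdf".
    document_lure = any(ext in lower for ext in DOCUMENT_LIKE)

    reasons = []
    if is_lnk:
        reasons.append("Shell Link header present")
    if claimed == "lnk":
        reasons.append(".lnk extension")
    if (is_lnk or claimed == "lnk") and document_lure:
        reasons.append("shortcut named like a document")
    if claimed == "pdf" and not is_pdf:
        reasons.append("claims PDF but lacks %PDF- signature")

    return {
        "name": name,
        "claimed": claimed,
        "is_lnk": is_lnk,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_archive(zip_bytes: bytes) -> list:
    """Return a verdict for every suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the header is needed to identify the real file type.
            with zf.open(info) as fh:
                head = fh.read(32)
            verdict = classify_entry(info.filename, head)
            if verdict["suspicious"]:
                findings.append(verdict)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one LNK disguised as a PDF of KYC documents,
    alongside a genuine PDF and a genuine JPEG that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KYC_documents.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("utility_bill.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("card_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The name-based check alone would miss a shortcut renamed to `.pdf`, and the header check alone would miss a `.lnk` whose header has been padded; running both and reporting every reason gives an analyst the evidence for the verdict rather than a bare boolean. The same function can be pointed at attachments extracted by a mail filter, where an archive containing a single shell link is worth quarantining for review.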

– James Coker | September 4, 2020