DeFi platforms targeted by malware group

Decentralized finance exchanges in Europe are being targeted by a threat group using data-stealing malware, according to research published by Proofpoint.

It said the group, which it calls TA4563, was targeting “European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance” using a malicious program known as EvilNum.

Proofpoint added: “EvilNum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.”

Proofpoint first observed TA4563's campaign in December. Since then the campaign has evolved: the group has delivered a modified version of the EvilNum backdoor using a combination of ISO, Microsoft Word and Shortcut (LNK) files, apparently to test which delivery method works best.

“This malware can be used for reconnaissance, data theft, and to deploy additional payloads,” said Proofpoint. “The [threat] actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The activity Proofpoint associates with TA4563 has some overlap with activity publicly associated with a group referred to as DeathStalker and EvilNum.”

Proofpoint added that there also appeared to be some overlap with EvilNum activity reported by security firm Zscaler in June, and that TA4563 appears to have been continuously active since it was first spotted at the end of last year.

Screenshot of fake Microsoft Word page used by cybercriminal gang to lure victims.

Traders under attack

TA4563's lures centred on financial trading platform registration, including the “attempted delivery of Microsoft Word documents responsible for the attempted installation of the updated version of the EvilNum backdoor.”

Victims were told they needed to submit proof-of-ownership documents; when they complied with the fake request, a JavaScript payload was installed on their computer or device.

Over the past six months TA4563 has changed its tactics, techniques and procedures: earlier in the year it delivered its payload via OneDrive URLs, before switching to the lure based on Microsoft Word documents.

“EvilNum malware and the TA4563 group pose a risk to financial organizations,” said Proofpoint. “Malware is under active development. Third-party reporting indicates EvilNum may be leveraged to distribute additional malware, including tools available via the [cybercriminal gang] Golden Chickens.”

It added: “TA4563 has adjusted attempts to compromise victims using various methods of delivery. Whilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”
