
Re: None

Wednesday, 05/06/2020 8:57:19 PM

Post# of 249148
How hackers are updating the EVILNUM malware to target the global financial sector

https://www.cyberscoop.com/evilnum-financial-malware-prevailion/

Hackers behind a series of targeted financial attacks have been updating their malware to better evade detection over the last year, according to new Prevailion research slated to be published Wednesday.

Since at least February 2019, the hackers, who have begun impersonating CEOs and banks in their lure documents, have introduced at least seven updates to the malicious software known as EVILNUM, which enables attackers to upload and download files, harvest tracking cookies, and run arbitrary commands.

While internet scammers frequently masquerade as corporate executives to tempt victims into clicking on malware, attackers behind EVILNUM are rapidly working to make their tools more obscure. The unknown attackers began rolling out the newest version of the EVILNUM malware three days ago. By press time, the hacking tool only was detected by eight of the 59 vendors on VirusTotal, a malware-sharing repository, indicating many common software security vendors are not capable of protecting against this group’s techniques.

The prior version of EVILNUM, number 3.6, only was detected by six of the vendors on VirusTotal. Details about the latest hacking tool were shared exclusively with CyberScoop prior to their publication.

“It shows there’s an ongoing evolution of this kit,” said Danny Adamitis, director of intelligence analysis at Prevailion. “I believe this is one of the more advanced financial crime actors that we’ve seen.”

While EVILNUM has been used in conjunction with a remote access trojan (RAT), called Cardinal RAT, in campaigns against financial technology targets primarily located in Israel, according to Palo Alto Networks, it is not clear that EVILNUM has a specific geographic focus, Adamitis said.

In perhaps the most notable indication that attackers are updating their strategies based on their surroundings, version 3.6 was specifically updated so it could bypass two popular antivirus tools from BitDefender and Avast. A previous version of EVILNUM accounted for BitDefender, but not Avast, according to Prevailion.

Attackers also have been using a registry key that changes location based on the antivirus product victim machines are using so the malware can maintain persistence even when targets reboot their computers.

Within the past year, Prevailion also has observed that hackers have built in an elaborate obfuscation technique that functions as a kind of “dead drop” for infected machines to communicate back with the attacker-controlled server. To create this kind of one-way communication, EVILNUM hackers have begun using remote web pages through GitLab and Digital Point, a web forum, to serve as the “dead drop” sites.

These web pages identify the command-and-control server node, an additional step in communications that could make attribution and detection more difficult, according to Adamitis.

The lures

Victims targeted by version 3.6 received a link to a URL hosted on Google Drive, where they were presented with a zip file, meant to compress large files or several files. When victims click through, they download attacker-manipulated documents with information on real financial figures that could presumably be setting up an account with financial services organizations.

So far, the documents have impersonated a small circle of individuals including the CEO of a bank in a British territory, an investment company in England, a financial executive in Canada, and an individual from Finland working for a managed cloud services provider.

“Given the nature of these lures, Prevailion suspects with moderate confidence these efforts were targeted towards select financial institutions rather than wide-scale spamming,” the researchers note.

Although it is unclear exactly what the hackers’ ultimate goals are, Adamitis suspects there is a second stage of the attack.

Once unzipped, the malware is capable of bringing files from the attacker-controlled server, converting strings of data into bytes, and receiving binary data, which could indicate there’s a second stage payload or malicious file to this attack that isn’t visible — yet.

“We saw a number of functions that just make me believe that there’s more to this,” Adamitis told CyberScoop. “It made me believe this wasn’t the end all be all, that it was just to get the lay of the land.”
==================================================================
https://www.wavesys.com/malware-protection

Software can’t always detect malware

The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strand of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.

Wave’s solution: start with the device

If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

Detect attacks before it’s too late

Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.

Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
==================================================================
For more information on Wave's other outstanding solutions, please see the link below:

https://www.wavesys.com/
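The Wave Endpoint Monitor text above describes comparing each boot's TPM values against a previously recorded baseline and alerting on any deviation. The script below is an added illustration of that principle, written for this page; it is not Wave's code and does not talk to a real TPM. It simulates the TPM PCR extend operation (SHA-256 hash chaining from an all-zero register), replays a constructed golden boot log and a constructed log from a boot whose bootloader was swapped, reports which PCRs diverge, and walks the two logs to name the first component that changed. All component names and byte strings are constructed stand-ins for real firmware measurements.

```python
"""Simulated measured-boot baseline comparison (constructed example, not Wave's code)."""
import hashlib
from typing import Dict, List, Optional, Tuple

# One measurement event: (PCR index, component name, measured content).
Event = Tuple[int, str, bytes]

# Constructed golden log recorded on a known-good boot. Real firmware writes
# digests of the firmware, bootloader, kernel, etc. into the TPM event log;
# these byte strings stand in for those components.
GOLDEN_LOG: List[Event] = [
    (0, "firmware", b"UEFI firmware image v1.0 (constructed)"),
    (4, "bootloader", b"bootx64.efi (constructed)"),
    (4, "kernel", b"vmlinuz-5.4 (constructed)"),
    (7, "secure-boot-policy", b"SecureBoot=1 (constructed)"),
]

# Constructed log from a later boot where only the bootloader differs.
TAMPERED_LOG: List[Event] = [
    (0, "firmware", b"UEFI firmware image v1.0 (constructed)"),
    (4, "bootloader", b"bootx64.efi with injected loader (constructed)"),
    (4, "kernel", b"vmlinuz-5.4 (constructed)"),
    (7, "secure-boot-policy", b"SecureBoot=1 (constructed)"),
]

PCR_INIT = bytes(32)  # PCRs 0-15 start as 32 zero bytes at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(measurement))."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def replay_log(log: List[Event]) -> Dict[int, bytes]:
    """Recompute final PCR values by extending every event in log order."""
    pcrs: Dict[int, bytes] = {}
    for index, _name, content in log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), content)
    return pcrs


def divergent_pcrs(baseline: Dict[int, bytes], reported: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose reported value differs from the baseline."""
    indices = set(baseline) | set(reported)
    return sorted(i for i in indices if baseline.get(i) != reported.get(i))


def first_divergent_event(golden: List[Event], current: List[Event]) -> Optional[Tuple[int, str]]:
    """Name the first event whose PCR index or digest differs from the golden log.

    A single changed component cascades into every later extend of the same
    PCR, so the final register value alone cannot say which component moved;
    walking the event log does.
    """
    for position, (g, c) in enumerate(zip(golden, current)):
        if g[0] != c[0] or hashlib.sha256(g[2]).digest() != hashlib.sha256(c[2]).digest():
            return position, c[1]
    if len(golden) != len(current):
        return min(len(golden), len(current)), "log length differs"
    return None


if __name__ == "__main__":
    baseline = replay_log(GOLDEN_LOG)
    current = replay_log(TAMPERED_LOG)
    changed = divergent_pcrs(baseline, current)
    if changed:
        print("ALERT: PCR values deviate from baseline:", changed)
        print("First divergent event:", first_divergent_event(GOLDEN_LOG, TAMPERED_LOG))
    else:
        print("Boot measurements match the recorded baseline.")
```

Two points the simulation makes visible: PCR0 and PCR7 still match, so the alert is specific to the chain that the bootloader feeds, and the event-log walk is what turns "PCR4 changed" into "the bootloader changed". The limit is equally visible: a malicious file dropped after the operating system is running, like the EVILNUM documents described earlier on this page, never enters the boot chain and leaves every PCR untouched, so boot attestation complements rather than replaces detection at the OS level.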