MITRE ATT&CK - Преступная группа Evilnum

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)

ID: G0120

Associated Groups:

Version: 1.0

Created: 22 Jan 2021

Last Modified: 27 Apr 2021

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	Evilnum has used PowerShell to bypass UAC.(Citation: ESET EvilNum July 2020)
Enterprise	T1059	.007	Command and Scripting Interpreter: JavaScript	Evilnum has used malicious JavaScript files on the victim's machine.(Citation: ESET EvilNum July 2020)
Enterprise	T1574	.001	Hijack Execution Flow: DLL Search Order Hijacking	Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.(Citation: ESET EvilNum July 2020)
Enterprise	T1070	.004	Indicator Removal: File Deletion	Evilnum has deleted files used during infection.(Citation: ESET EvilNum July 2020)
Enterprise	T1566	.002	Phishing: Spearphishing Link	Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.(Citation: ESET EvilNum July 2020)
Enterprise	T1204	.001	User Execution: Malicious Link	Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.(Citation: ESET EvilNum July 2020)
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. (Citation: ESET EvilNum July 2020)

ID	Name	References	Techniques
Software
S0568	EVILNUM	(Citation: ESET EvilNum July 2020) (Citation: Prevailion EvilNum May 2020)	One-Way Communication, Registry Run Keys / Startup Folder, Indicator Removal, System Information Discovery, Exfiltration Over C2 Channel, Steal Web Session Cookie, Timestomp, Modify Registry, Ingress Tool Transfer, System Owner/User Discovery, Rundll32, Security Software Discovery, Regsvr32, Windows Management Instrumentation
S0349	LaZagne	(Citation: ESET EvilNum July 2020) (Citation: GitHub LaZagne Dec 2018)	Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0284	More_eggs	(Citation: Crowdstrike GTR2020 Mar 2020) (Citation: ESET EvilNum July 2020) (Citation: Security Intelligence More Eggs Aug 2019) (Citation: SKID) (Citation: SpicyOmelette) (Citation: Talos Cobalt Group July 2018) (Citation: Terra Loader) (Citation: Visa FIN6 Feb 2019)	Ingress Tool Transfer, Internet Connection Discovery, Deobfuscate/Decode Files or Information, System Information Discovery, Web Protocols, Symmetric Cryptography, Windows Command Shell, Obfuscated Files or Information, File Deletion, System Network Configuration Discovery, Standard Encoding, Security Software Discovery, Code Signing, Regsvr32, System Owner/User Discovery

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Evilnum

Associated Group Descriptions

Techniques Used

Software

References