Severity
High
Analysis Summary
APT group Evilnum aka Jointworm has been seen targeting the financial sector with malicious emails. The group first seen in 2018 with the motivation of information theft and espionage has been active recently in an attempt to rob users of their credentials and gaining sensitive information for their gain. The group has primarily targeted fintech organizations based in Israel. These attacks have a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.
Impact
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
Filename
- ComplaintCaseNR_D5B3556A[.]zip
MD5
- b08189f8caa0d3205466ae16c1900bab
SHA-256
- 647b512c608b62027fb07258b7bab9e8397c45190d571bfa55c19cd2037fab6e
SHA1
- b16a3a534055c7573103565d5e98e9e4003a4255
URL
- hxxp[:]//applecloudnz[.]com/administrator/index[.]php
- hxxp[:]//applecloudnz[.]com
- hxxp[:]//oauth-azure[.]com
- hxxp[:]//oautho[.]com
- hxxp[:]//orbiz[.]me
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Search for IOCs in your environment