Over the course of the last few months, the Cybereason Nocturnus team has been investigating the activity of the Evilnum group, which first emerged in 2018. The group's operations appear to be highly targeted rather than a widespread phishing campaign, focusing on financial technology companies located mostly in the UK and other EU countries.
In recent weeks, new activity by the group shows several notable changes from previously observed tactics, including a change in the infection chain and persistence mechanism, new infrastructure that continues to expand over time, and the use of a new Python-scripted Remote Access Trojan (RAT) that Nocturnus dubbed PyVil RAT.
Invest in social engineering awareness and training, which are key to preventing attacks like these.
Change all passwords for affected services, in both browser-based and local applications.
Harden remote access interfaces (RDP, SSH).
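The hardening recommendation above is a one-liner; in practice the first step is to audit what the remote access service actually enforces. The Python script below is an added example for the SSH side of that recommendation and is not code from the original post or from Cybereason. It parses an OpenSSH `sshd_config` the way `sshd` does (keywords are case-insensitive, the first occurrence of a keyword wins, and anything under a `Match` block is conditional), compares the effective global settings against a hardened baseline, and prints the corrected directive lines. The config fragment is constructed for the example, and the baseline values in `HARDENED` are assumed common choices, not a standard; adjust them to local policy.

```python
"""Audit an OpenSSH sshd_config for weak remote-access settings.

Added example (not from the original advisory). The sample config below is
constructed for illustration; the HARDENED baseline holds assumed values.
"""
import re

# directive -> (assumed hardened value, OpenSSH default used when the
# directive is absent from the file).
HARDENED = {
    "PermitRootLogin": ("no", "prohibit-password"),
    "PasswordAuthentication": ("no", "yes"),
    "PubkeyAuthentication": ("yes", "yes"),
    "PermitEmptyPasswords": ("no", "no"),
    "MaxAuthTries": ("3", "6"),
    "X11Forwarding": ("no", "no"),
    "LoginGraceTime": ("30", "120"),
}

# Constructed sshd_config fragment (not a real host's file). It deliberately
# repeats PasswordAuthentication and adds a Match block to show how sshd
# resolves the effective value.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# The duplicate below is ignored: sshd keeps the FIRST value it sees.
PasswordAuthentication no
MaxAuthTries 10
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

_DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return the effective global directives as {keyword_lower: value}.

    OpenSSH applies the first occurrence of each keyword, so later duplicates
    are ignored, and keywords are case-insensitive. Lines after a Match
    block only apply when the Match criteria hold, so they are skipped here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break  # everything below is conditional
        directives.setdefault(key, value)  # first occurrence wins
    return directives


def audit(text):
    """Compare the effective settings against HARDENED.

    Returns a list of (directive, effective_value, hardened_value) for every
    directive whose effective value (explicit or default) is not hardened.
    """
    effective = parse_sshd_config(text)
    findings = []
    for directive, (want, default) in HARDENED.items():
        have = effective.get(directive.lower(), default)
        if have.lower() != want.lower():
            findings.append((directive, have, want))
    return findings


def hardened_lines(findings):
    """Render the corrected directive lines to drop into sshd_config."""
    return [f"{directive} {want}" for directive, _, want in findings]


if __name__ == "__main__":
    for directive, have, want in audit(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: effective={have!r}, hardened={want!r}")
    print("\nSuggested directives:")
    print("\n".join(hardened_lines(audit(SAMPLE_SSHD_CONFIG))))
```

The two subtleties worth keeping in mind when reading real hosts: a setting that looks fixed because `PasswordAuthentication no` appears in the file may be dead if an earlier line already set it to `yes`, and directives that are simply absent fall back to OpenSSH defaults, which for `PermitRootLogin` and `PasswordAuthentication` are not the hardened values. After editing, confirm with `sshd -T` that the daemon's effective configuration matches what you intended.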
We highly recommend every customer enable the following features: