
The hack-for-hire group dubbed Evilnum has targeted travel agencies as part of a campaign aimed at legal and financial investment institutions in the Middle East and Europe.


As part of a larger campaign aimed at legal and financial investment institutions in Europe and the Middle East, a hack-for-hire group known as Evilnum has targeted travel agencies.

In a technical report released this week, Kaspersky said that the attacks, which took place in 2020 and 2021 but probably began as early as 2015, involved a reworked version of a malware called Janicab that uses public services such as WordPress and YouTube as dead drop resolvers: legitimate sites that hold an encoded pointer to the real command-and-control server, so the implant itself never has to carry the server's address.

The Janicab infections have affected a diverse set of victims in Egypt, Georgia, Saudi Arabia, the United Arab Emirates, and the United Kingdom. This is the first time the group has been seen targeting legal organizations in Saudi Arabia.

The threat actor, also tracked as DeathStalker, is known to use backdoors such as Janicab, Evilnum, Powersing, and PowerPepper to steal sensitive company data.

Kaspersky’s analysis of the DeathStalker intrusions has revealed the use of an LNK-based dropper embedded inside a ZIP archive for initial access by means of a spear-phishing attack.

The lure attachment purports to be an industrial profile document related to power hydraulics that, when opened, leads to the deployment of the VBScript-based Janicab implant, which is capable of command execution and deploying more tools.

Newer versions of the modular malware drop the audio recording feature and add a keylogger module that overlaps with earlier Powersing attacks. Other functions include checking for installed antivirus products and listing running processes whose names indicate a malware analysis environment.

The 2021 attacks are also notable for employing unlisted old YouTube links that are used to host an encoded string that’s deciphered by Janicab to extract the command-and-control (C2) IP address for retrieving follow-on commands and exfiltrating data.

“Since the threat actor uses unlisted old YouTube links, the likelihood of finding the relevant links on YouTube is almost zero,” the researchers said. “This also effectively allows the threat actor to reuse C2 infrastructure.”
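The mechanism described above, a dead drop resolver, is worth seeing end to end. The following is an added example written for this article, not Kaspersky's analysis code or Janicab's own logic: the article does not disclose Janicab's real marker or encoding, so the `psy:` marker and plain base64 token used here are assumptions, and the "video page" is a constructed HTML string rather than a live YouTube fetch. What it shows is the property the researchers point at: the C2 address lives in the public page, not in the implant, so the operator re-points infrastructure by editing the page and can keep reusing the same links.

```python
import base64
import ipaddress
import re

# Hypothetical marker (assumption): the page text is scanned for "psy:" followed by a
# base64 token. The real Janicab marker and encoding are not given in the article.
MARKER_RE = re.compile(r"psy:([A-Za-z0-9+/=]+)")


def encode_c2(ip):
    """Operator side: turn a C2 IP into the token planted in the video description."""
    return base64.b64encode(str(ipaddress.ip_address(ip)).encode("ascii")).decode("ascii")


def extract_token(page_html):
    """Implant side, step 1: pull the encoded token out of the fetched page."""
    m = MARKER_RE.search(page_html)
    return m.group(1) if m else None


def decode_c2(token):
    """Implant side, step 2: decode the token and accept it only if it is a valid IP.

    Returns None for anything malformed, so an unrelated or defaced page cannot steer
    the implant to garbage (base64 errors are ValueError subclasses).
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
        return str(ipaddress.ip_address(raw))
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_c2(page_html):
    """Full resolver: page content in, C2 IP (or None) out."""
    token = extract_token(page_html)
    return decode_c2(token) if token is not None else None


# Constructed stand-in for the HTML of an unlisted video page (no network access needed).
SAMPLE_PAGE = (
    "<html><head><title>family trip 2014</title></head>"
    '<body><div id="description">holiday clips. psy:' + encode_c2("10.0.12.34") + "</div>"
    "</body></html>"
)

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PAGE))
    # Re-pointing the infrastructure means editing the description; the implant is unchanged.
    moved = SAMPLE_PAGE.replace(encode_c2("10.0.12.34"), encode_c2("10.0.99.1"))
    print(resolve_c2(moved))
```

The defensive takeaway is in `decode_c2`: because the resolver only accepts tokens that decode to a syntactically valid address, blocking or sinkholing the decoded IP is the reliable control, while the public page itself is harmless-looking and, as the researchers note, practically undiscoverable through search.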

The findings underscore that the threat actor has continued to update its malware toolset to maintain stealthiness over extended periods of time.

Besides application allowlisting and operating system hardening, organizations are advised to monitor Internet Explorer processes, since the malware drives the browser in hidden mode to communicate with the C2 server.
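One way to act on that recommendation with process-creation telemetry, as an added example that is not part of Kaspersky's report or any vendor detection content. The events below are constructed Sysmon-style records, not real logs. Two signals are used: an `iexplore.exe` whose parent is a script host (Janicab is VBScript-based, so `wscript.exe`/`cscript.exe` parents are the natural place to look), and an `iexplore.exe` carrying the `-Embedding` switch that COM appends when it starts an out-of-process server such as `InternetExplorer.Application`. The assumption that the monitored hosts show `-Embedding` in that case should be confirmed on a reference machine before relying on it; window visibility itself is not in process-creation events, so "hidden mode" is inferred, not observed.

```python
# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://intranet.example',
     "user": r"CORP\alice"},                       # user opened the browser: benign
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe //B "C:\Users\bob\Downloads\profile.vbs"',
     "user": r"CORP\bob"},                         # a script host starts (not IE, not flagged here)
    {"id": 3, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "user": r"CORP\bob"},                         # IE spawned by the script: two signals
    {"id": 4, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" -Embedding',
     "user": r"CORP\bob"},                         # COM-activated IE under the DCOM launcher
]

# Parents that should not normally be starting a browser (assumption: tune per estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


def basename(path):
    """Case-insensitive file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ie_reasons(event):
    """Return the reasons an iexplore.exe start looks scripted rather than user-driven.

    An empty list means the event is not an Internet Explorer start or shows no signal.
    """
    if basename(event["image"]) != "iexplore.exe":
        return []
    reasons = []
    parent = basename(event["parent_image"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"parent is script host {parent}")
    # COM out-of-process servers receive the -Embedding switch (assumption: holds for
    # InternetExplorer.Application on the monitored hosts), so this iexplore.exe was
    # instantiated by code, not by a user clicking the browser.
    if "-embedding" in event["command_line"].lower():
        reasons.append("started as COM server (-Embedding)")
    return reasons


def hunt(events):
    """Yield (event id, reasons) for every suspicious Internet Explorer start."""
    hits = []
    for event in events:
        reasons = ie_reasons(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 4 is the case that a parent-process rule alone would miss: when a script instantiates the COM object, the browser may be launched by the DCOM infrastructure rather than directly by the script host, which is why the `-Embedding` check is kept alongside the parent check. Expect some benign `-Embedding` starts from legitimate automation; the combination with an allowlisting policy, as the article recommends, keeps the volume workable.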

As legal and financial sectors are a common target for the threat actor, the researchers further theorized that DeathStalker’s customers and operators could be weaponizing the intrusions to keep tabs on lawsuits, blackmail high-profile individuals, track financial assets, and harvest business intelligence about potential mergers and acquisitions.
