
More evil: A deep look at Evilnum and its toolset

10:00 – 10:30 (SGT), Friday 4 December, 2020

Evilnum is a cybercrime group that has been operating for at least two years, targeting financial technology companies. Even though part of its malware arsenal has been analyzed before, little has been said about the group itself and how it operates. We have been tracking Evilnum in 2020 and found that its infrastructure has grown, and its attacks have evolved to include a mix of homemade malware and purchased tools. Following our initial publication exposing Evilnum in July 2020, the group reacted, introducing further undocumented malware to its attacks.

In our presentation we describe the infrastructure used for Evilnum operations, which consists of several different servers: one for each of its various backdoors, another one for storing its tools and exfiltrated data, a proxy server, and so on. We dive into the implementation details of the malware developed by the group: a JavaScript component and a C# component, which are independent and provide redundancy and extra persistence on compromised computers. We also analyze tools that the group purchased from the Golden Chickens, a Malware-as-a-Service provider known to have infamous customers such as FIN6 and Cobalt Group. We describe the attack chain, including the spearphishing attacks that take advantage of Know Your Customer regulations, which require that financial institutions verify the identity of their customers. We present the victimology based on our telemetry data, which shows that Evilnum's targets are very specific and few in number. We close the presentation with the events that followed the publication of our initial report, including not only the changes introduced by the malware operators, but also the work of law enforcement with seized servers.

Matias Porolli


Born and raised in Argentina, Matias is a Malware Researcher on the ESET Threat Intelligence team in Canada. He divides his time between hunting for new threats and reverse engineering them. Before moving to Canada, he worked for ESET in their Buenos Aires office, with a focus on the analysis of Brazilian banking trojans. His interests include studying exploitation in the Windows environment, “crackmes”, CTFs and C programming.
