"Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant"

As part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe, a hack-for-hire group called Evilnum has targeted travel agencies. The attacks occurred in 2020 and 2021 and most likely began in 2015. They used a reworked variant of a malware called Janicab, which uses public services such as WordPress and YouTube as dead drop resolvers. Janicab infections have affected people in Egypt, Georgia, Saudi Arabia, the United Arab Emirates, and the United Kingdom, and this is the first time the group has targeted legal organizations in Saudi Arabia.

The threat actor, also known as DeathStalker, is known to use backdoors such as Janicab, Evilnum, Powersing, and PowerPepper to steal sensitive corporate information. The group's desire to obtain sensitive business information indicates that DeathStalker is a group of mercenaries providing hacking-for-hire services or acting as financial information brokers. According to ESET, the hacking group has a pattern of harvesting internal company presentations, software licenses, email credentials, and documents containing customer lists, investments, and trading operations. Earlier this year, Zscaler and Proofpoint discovered new attacks orchestrated by Evilnum that have been directed against companies in the cryptocurrency and financial technology verticals since late 2021.

An examination of the DeathStalker intrusions revealed the use of an LNK-based dropper embedded within a ZIP archive for initial access via spear-phishing. The lure attachment claims to be an industrial profile document related to power hydraulics. When opened, it leads to the deployment of the VBScript-based Janicab implant, which can execute commands and deploy additional tools. This article continues to discuss the Evilnum group targeting legal and financial investment institutions in the Middle East and Europe with a new Janicab malware variant.

THN reports "Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant"

Submitted by Anonymous on