Evil Corp arrives in Mexico

By José Zorrilla, Metabase Q's Ocelot Team


Figure 1. Maksim Yakubets, leader of Evil Corp, wanted by the FBI since the end of 2019

Metabase Q's offensive security team, Ocelot, discovered multiple malicious campaigns by the criminal group Evil Corp. Since April 2021 the group has been compromising Mexican websites and using them to distribute its preferred malware, Dridex, a banking trojan that has been stealing banking information from its victims since 2014.

At the end of 2019, the United States Department of Justice offered a $5 million reward for the capture of one of Evil Corp's Russian founders, Maksim Yakubets, who has been a central figure in the organization since 2009. He has recruited hackers into its ranks, laundered more than $100 million collected from victims mainly in the USA and Europe, and transferred the funds to members located primarily in Russia and Ukraine. The group is credited with creating the Dridex malware, which is usually delivered by e-mail through malicious Microsoft Office macros.

To raise awareness of these types of attacks in the region, Metabase Q and its Offensive Security Team, Ocelot, decided to publish the details of these campaigns in Mexico. We focus on three campaigns that started in April 2021. All three download different malicious payloads from the compromised website of a Mexican Congresswoman (federal deputy).

About the 3 campaigns

  1. April 2021 – Dridex e-mail attacks: Dridex is distributed via e-mail. The payload is downloaded from the deputy's website, but the campaign targets other parts of the world, not Mexico.
  2. August 2021 – SMS phishing: an SMS campaign impersonating a financial institution redirects victims to a fake site that steals banking card data.
  3. Active until October 2021 – Fake Firefox update: the group uses the malicious framework known as SocGholish to trick visitors of the deputy's website into "updating" their Firefox browser. The framework also has lures for Chrome, Internet Explorer and Flash, among others. Previously, the evidence was not enough to affirm that the group behind SocGholish was part of Evil Corp, but in this campaign both variants are delivered from the same compromised server; hence, they either work together or are the same criminal group.

It is worth highlighting the localization ("tropicalization") of the SocGholish notification, which was recreated in Spanish. Figure 2 shows the classic message in English and Figure 3 the one adjusted to Spanish:

Figure 2. Fake update, English version
Figure 3. Fake update, Spanish version

SocGholish uses the legitimate NetSupport Manager remote monitoring software to take control of the victim's computer. This technique is not new: it was seen in 2018 by FireEye, in 2019 by Malwarebytes, and at the beginning of 2020 it was published by Palo Alto Networks Unit 42.

How do attackers choose which websites to compromise?

The group commonly looks for poorly protected sites running outdated software such as old WordPress installations, because they are easy to compromise. It also matters that these sites have a high traffic volume, which attracts more potential victims. Following this criterion, the attackers could have used the National Electoral Institute (INE, for its acronym in Spanish) database of Mexican election candidates, which lets them identify targets with a large social reach and shows the e-mail addresses and personal websites the candidates use.

Figure 4. INE Candidates database

NOTE: This data is publicly available on the INE website at https://candidaturas.ine.mx/; it is not leaked information. Even so, it helps attackers find potential victims.

Suspended website

Around the third week of October, we noticed that the compromised website displayed a notice, apparently from the attackers (not confirmed), stating that it had been suspended for lack of payment (see Figure 5). A few days later that message was replaced by an "account suspended" notification published directly by the hosting provider, Hetzner, located in Germany.

Figure 5. Site with attackers’ announcement

Below is a quick view of the infection phases in the different campaigns:

Ransomware could be used by Evil Corp in Mexico very soon

Evil Corp has been active for more than 11 years and, despite the reward announced by the US Department of Justice, the group remains highly active. According to Wikipedia, the lack of apparent impact is most likely due to Maksim Yakubets' close connection with the Federal Security Service (FSB, successor to the KGB) through his father-in-law, Eduard Bendersky, which provides him with protection. In short, it is unlikely they will disappear in the near term.

What is worrying is that this group is very successful at compromising companies worldwide with ransomware. One of the most notorious cases was the attack on Garmin, where they used WastedLocker and demanded $10 million.

How can we combat this trend?

First, we must accept that any organization can be hit by ransomware unless it proactively builds detection and eradication capabilities. The initial step is to strengthen processes, people and technology, and then to evaluate and test the systems against a ransomware attack. Metabase Q offers a Ransomware-as-a-Service (RaaS) simulation as part of our Advanced Persistent Threat (APT) simulation: we replicate multiple ransomware families such as Ryuk, REvil and DarkSide on your network.

With this simulation, organizations can strengthen their ransomware monitoring, detection and eradication capabilities:

  • Processes: detect gaps in, and strengthen, the policies and procedures established to react to an incident.
  • People: train your Security Operations Center (SOC) staff in incident response.
  • Technology: identify gaps in your security solutions (SMTP gateway, endpoint, lateral movement, event correlation, malicious callbacks, etc.). Ask yourself: "Is my investment giving me the expected results?"

By reverse engineering today's malware, we can reproduce malicious code exactly as real attackers run it. Unlike the RaaS run by attackers, however, Metabase Q controls the execution, so the ransomware runs without the side effects or irreversible damage, such as deleting backups or posting sensitive information on the dark web. Using the TTPs (Tactics, Techniques and Procedures) and IoCs (Indicators of Compromise) of real-world malware, we train and strengthen your processes, people and technology.

Watch video here

Figure 7. RaaS Demo.

Technical Analysis of the Campaigns

The technical details of each identified campaign are explained below, focusing on the ones that directly targeted Mexican citizens. The intention of this research is to share the tactics and techniques as well as the indicators of compromise that allow organizations to implement preventive and corrective controls. We should remember that cybersecurity is an investment and, above all, insurance for an organization's reputation, information and finances.

E-mail infection - not focused on Mexico

Detected in April 2021, this was the first campaign by this group that we identified. What caught our attention was that a website belonging to a congresswoman was being used to distribute malware.

The attackers sent malicious e-mails with Excel attachments whose macros connect back to the Congresswoman's website to download the next-stage malware, confirming that her site had been compromised. Table 1 lists the three Excel documents used; they were sent from an IP address in India to English-speaking recipients under the pretext of an error in a purchase order. The language confirms that Mexico was not the target of this campaign. Figure 8 shows one of the e-mails sent.

Figure 8. Malicious e-mail sent
Table 1. Xlsm files detected as part of the infection campaign

These attacks usually rely on documents whose content makes the user believe that they need to enable editing (and with it, macros) to see the file, using social engineering to get the macro in the file activated and thus achieve its objective. Such files are known as maldocs. In this campaign, on opening the document the victim would see the content shown in Figure 9.

Figure 9. Image that is used to deceive users

What do these files do, and how do they work? The main objective of this type of document is to download the malware or malicious file; how it does so depends on the attacker. It is important to note that this file contains several values in different sheets and cells, which the macros use to rebuild variables or the names of the methods they will call. Table 2 lists the most relevant strings found in different parts of the document, which also reveal other potentially compromised websites.

Table 2. Found values in the maldocs cell

Now let us analyze how the malicious macro works. The first thing to notice is that these files contain several modules: in this case, 8 modules plus the ThisWorkbook module, which is usually the entry point for executing a macro (typically through its Workbook_Open event handler), as shown in Figure 10.

Figure 10. Modules and elements of the maldocs.

The modules in this document are obfuscated, doubling or even tripling the lines of code, with the aim of making it harder to read.

We found a pattern of unused variable declarations, three-line loops and calls to functions such as Cos(), Atn(), MonthName(), Year() and IsDate(), among other techniques we had not seen before. ThisWorkbook contains only a call to a method in one of the modules, which is responsible for using the rest of them to reconstruct strings and perform the download request. The most important part of the macro is the module NyG_KoRXVvPU_zwKebxtmcX_PloLM (see Figure 11); once the code is cleaned up, the intention of the campaign becomes clear: download a dynamic-link library (DLL) and run it on the victim's system via rundll32.exe.

Figure 11. NyG_KoRXVvPU_zwKebxtmcX_PloLM module code.

The Dridex DLL (MD5 fe946eb6810820fa7f60d832e6364a64) was first downloaded on 2021-04-19 from the following URL:


Analysis of the DLL is beyond the scope of this blog since the campaign is outside Mexico, but it is the Dridex banking trojan, very similar to the variant analyzed by VMware.

Other Dridex campaigns in Latin America

At the same hosting provider as the deputy's site, and even on the same IP address, another apparently Mexican website was identified, misaludsana[.]com, which had also been compromised to serve Dridex; there the malicious DLL is named i1ojz1l.rar:

i1ojz1l.rar – 68672d1ed6c979158b159fd9945934c6

Searching for this same DLL and the same delivery pattern (a DLL served as a .rar file from a compromised site) on other sites, we found downloads from countries such as Brazil, Chile, Peru and Serbia. Although it has not been confirmed that Evil Corp is behind them, the evidence suggests so:

Scanned      URL
2021-09-28   https://megagynreformas[.]com[.]br/i1ojz1l[.]rar
2021-09-10   http://megagynreformas[.]com[.]br/i1ojz1l[.]rar
2021-04-10   http://vilaart[.]rs/z8xytt[.]rar
2021-04-08   https://www[.]huellacero[.]cl/wkuhfw0[.]rar
2021-04-02   https://vilaart[.]rs/z8xytt[.]rar
2021-04-04   http://lp[.]quama[.]pe/qxaqigqwy[.]rar
2021-04-02   https://versualstudio[.]com/d738jam[.]rar
2021-04-02   http://www[.]beor360[.]com/olwimf8i0[.]rar
2021-05-11   http://opentoronto[.]org/olu9usk68[.]rar
2021-04-02   http://versualstudio[.]com/d738jam[.]rar
2021-04-01   https://gmsebpl[.]com/tp2xvzwe[.]rar
2021-04-02   http://www[.]huellacero[.]cl/wkuhfw0[.]rar

Infection by text message

Around August 2021, a new campaign by the group was identified, this time focused on Mexico. The attackers send text messages with a malicious link, as shown in Figure 12.

Figure 12. Example of SMS sent to the victim

As we can see, the message aims to make the victim believe that their account has been blocked and that solving the problem requires visiting the URL https://is[.]gd/gW2d6B?ww[.]Citibanamex[.]com. It uses the URL-shortening service is[.]gd, which redirects the victim to the Congresswoman's compromised website. The name of the Mexican bank being impersonated appears only in the query string after the "?"; it is not part of the destination host and is there to make the link look trustworthy.

By looking up the phone number the SMS came from on the site Listaspam (www[.]listaspam[.]com), complaints from possible victims can be found since around August, with the same deception message impersonating Citibanamex. Most importantly, the victims are redirected to a fake banking website that tries to steal their bank card details (see Figure 13).

Figure 13. Complaints about the SMS sent from telephone number: 5623190460

Different links used by the criminals as bait for the phishing attack were identified, as shown in Table 3.

Table 3. Detected URLs as bait to redirect to the phishing site

Infection by fake Firefox update

For this campaign the deputy's website was still compromised and was used to distribute both national and international malware. When someone visited the congresswoman's web page, the attackers checked whether the visitor was using the Firefox browser on Windows; if so, they tricked the visitor into believing that the browser had to be updated to see the website's content. Using a "legitimate" page for infection, known as a "watering hole" attack, was very effective at deceiving victims. See Figure 14.

Figure 14. Fake Firefox update

The attackers' server tracks each infected IP address through the stages, so if a researcher tries to download, say, stage 3 without first having gone through the previous stages from that IP, the request is rejected.

Stage 1:

The website prompts the download of a ZIP archive containing a file called Firefox.js.

Figure 15. Contents of the compressed file.

The JavaScript file contains malicious code with a total of 6 functions, most of which are used to deobfuscate strings embedded in the file or downloaded through a request. Function names vary between instances, but the functionality is the same. Next, we describe how the script works.

The first thing we see is a section of code (see Figure 16) designed to delay execution (to evade detection mechanisms such as sandbox time-outs): it sleeps for one second on every pass through the loop. The loop runs 11 times, so the total delay is 11 seconds.

Figure 16. First part of the code of the Firefox.js file

Next, the gyyc function (see Figure 17) walks the string and, for each character at an odd position, prepends it to the result; in other words, it keeps only the odd-position characters and reverses their order. If the original string had 12 characters, the clean string would be built from positions [11,9,7,5,3,1], in that order.

Figure 17. Function gyyc

With this logic we were able to decode the address the malware uses to download the next stage, shown in Table 4 along with the other decoded variables.

Table 4. Values of the script variables.

Now the key function of this infection: sendRequest. It is the only one that keeps its name across variants, and it relies on the other functions to encode and decode the information needed by the script. In lines 4 to 6 of Figure 18 a "for" loop builds a string by iterating over the array received as the first parameter, emitting [(i) '=' (array[i]) '&'] for each element, which yields a string such as "0=a&1=500&2=250&".

Figure 18. Function code sendRequest.

In line 8 this string is passed through the function pypdsygqoge7 (see Figure 19) which, in short, XOR-encodes the string with a key that arrives as a parameter, in this case 128, and the result is sent to the remote server whose URL is the variable tujnpuwidep described in Table 4:


Figure 19. Script encryption functions.

The script then sends the request via POST and, in line 15, saves the response in a variable. The response is a hexadecimal string that in line 17 is passed to the function imgado (see Figure 20), which decrypts it using the first byte as the key, XORing the rest of the bytes with it and converting each result to its ASCII character.

Figure 20. Function that decrypts the received hexadecimal string

Finally, the decrypted payload is passed to the function egdjuco (line 22), which executes it through eval, as shown in Figure 21. This gave us the deobfuscated stage 2, described in the next section.

Figure 21. Function eval
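As an added example (the editor's own reimplementation, not code from the original Firefox.js or from the campaign), the following JavaScript reproduces the four string transformations described above for Stage 1: the odd-position reversal of the gyyc function, the "0=a&1=500&2=250&" form string that sendRequest builds, the XOR with key 128 applied before the POST, and the imgado decoding of the response (first byte is the key, the rest is XORed with it). Function names are ours; the hex output encoding of the request is an assumption, since the page does not state how the XORed bytes are transmitted; the sample strings are constructed, not captured from the campaign. The final eval step is deliberately not reproduced: the decoded text is returned, not executed.

```javascript
// Added example: editor's reimplementation of the Stage 1 string handling
// described in the analysis. Not the original Firefox.js; names are ours.

// gyyc as described: keep the characters at odd indices, prepending each
// one, so a 12-character input yields indices [11,9,7,5,3,1] in that order.
function decodeOddReversed(obfuscated) {
  let out = "";
  for (let i = 1; i < obfuscated.length; i += 2) {
    out = obfuscated[i] + out;
  }
  return out;
}

// sendRequest lines 4-6 as described: "<i>=<value>&" for every element.
function buildFormString(values) {
  let form = "";
  for (let i = 0; i < values.length; i++) {
    form += i + "=" + values[i] + "&";
  }
  return form;
}

// pypdsygqoge7 as described: XOR every byte of the form string with 128.
// ASSUMPTION: the encoded bytes are sent as lowercase hex; the page only
// says the string is XORed with the key before being POSTed.
function xorEncodeHex(text, key = 128) {
  let hex = "";
  for (let i = 0; i < text.length; i++) {
    const b = (text.charCodeAt(i) ^ key) & 0xff;
    hex += b.toString(16).padStart(2, "0");
  }
  return hex;
}

// imgado as described: the server answers with a hex string whose first
// byte is the XOR key for the remaining bytes; the result is the next-stage
// script (which the malware hands to eval; here we stop at the plaintext).
function decodeResponseHex(hex) {
  if (hex.length < 2 || hex.length % 2 !== 0) {
    throw new Error("malformed response: expected an even-length hex string");
  }
  const key = parseInt(hex.slice(0, 2), 16);
  let out = "";
  for (let i = 2; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// Inverse of decodeResponseHex, used only to build a CONSTRUCTED sample
// response for the demo; the real C2 response format beyond what is
// described above is not on the page.
function encodeResponseHex(plain, key) {
  let hex = key.toString(16).padStart(2, "0");
  for (let i = 0; i < plain.length; i++) {
    hex += ((plain.charCodeAt(i) ^ key) & 0xff).toString(16).padStart(2, "0");
  }
  return hex;
}

// Constructed demo values (not campaign data): the even positions are
// filler, the odd positions spell "http://" backwards.
const SAMPLE_OBFUSCATED = "x/x/x:xpxtxtxh";
const SAMPLE_RESPONSE = encodeResponseHex("WScript.Echo('stage 2')", 0x5a);

function demo() {
  return {
    url: decodeOddReversed(SAMPLE_OBFUSCATED),      // "http://"
    form: buildFormString(["a", 500, 250]),         // "0=a&1=500&2=250&"
    encoded: xorEncodeHex("0=a&"),                  // "b0bde1a6"
    stage2: decodeResponseHex(SAMPLE_RESPONSE),     // the constructed plaintext
  };
}

console.log(demo());
```

The same two helpers (decodeOddReversed and decodeResponseHex) are what you need to recover the Table 4 values and the stage 2 script from a captured Firefox.js and its POST response without ever letting the sample reach eval.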

Stage 2: Reconnaissance of the infected computer

The first phase consists of JavaScript code (see Figure 22) that collects information about the machine via WMI (Windows Management Instrumentation), such as the user name and domain, the manufacturer, model and version of the computer, and other data that lets the attackers verify that it is a real victim's computer and not a sandbox or a security analyst's machine.

Figure 22. Recon code.

As expected, when we connected from our virtual machine we did not receive any payload, so we modified the code to send "real" data such as the machine name, the user and the domain it belongs to, and voilà! we received the next payload, corresponding to stage 3.

Stage 3: Downloading and executing PowerShell

Once the information from the victim's machine has been sent, the attackers' response is new JavaScript code (see Figure 23) that downloads, stores and executes a PowerShell script.

Figure 23. JavaScript code that downloads and executes PowerShell

The downloaded file is saved at C:\%USERNAME%\AppData\Local\Temp\f9da4ac2.ps1. The script is large because it contains a very long Base64 string. It is lightly obfuscated, so we focus on the function ELLINNKHZI. The Base64 string is decoded, and the two parameters the function receives are used to construct a password that serves as the key for Triple DES (TDES) in CBC mode, which decrypts the string in memory for subsequent execution, as shown in Figure 24. The recovered parameters are:

Key: 106 38 173 207 239 40 14 84 81 63 247 32 83 120 119 64
IV: 71 71 69 71 75 78 84 75 80 86 85 77 90 65 75 73
Figure 24. Result of executing the ELLINNKHZI function

The result of this execution is the final stage: an installer for a remote monitoring tool, described next.

Stage 4: NetSupport Manager installation for remote control

This stage is another PowerShell script that executes the function Install, which creates a folder with a random name in the %AppData% directory and decodes a very long Base64 string that turns out to be the entire legitimate NetSupport Manager remote management suite (https://www.netsupportmanager.com/, see Figure 25) compressed in PKZIP format. The archive is expanded into the same folder, and the client executable is renamed from client32.exe to ctfmon.exe to impersonate a built-in Windows process (ctfmon.exe is the legitimate Windows text-services loader).

Figure 25. Function that installs and executes the remote administration suite

The last lines give the malware persistence across reboots by adding ctfmon.exe to:


Remote control of the victim

Figure 26 shows all the files extracted from the ZIP, which belong to the NetSupport Manager suite. The interesting part is the client configuration.

Figure 26. Contents of the ZIP file

As the digital signatures in Figure 27 show, the files are signed with code-signing certificates issued by authorities such as Symantec and VeriSign, which confirms that the binaries are genuine NetSupport software. The signature vouches for the publisher, not for how the software is being used.

Figure 27. Digital signatures of the files

What is dangerous about this legitimate software? It can be used to control the victim remotely without their consent.

From the official NetSupport Manager documentation we know that client32.ini holds the client configuration and NSM.LIC holds the software license. These two files provide important data about the attacker.


This file stores the client's configuration: where it connects, its functions, and the view and protocol settings. Here we only discuss the settings that turn this deployment into a serious security problem. Some properties are designed to hide from the user that they are being watched, such as "HideWhenIdle" and "silent", which keep the victim unaware that the software is running.

Figure 28. client32.ini file

The most important setting is where the client connects. In this case the attackers use a Gateway that acts as a relay between the Controller and the client, so the IP of the machine from which the attackers are monitoring is not exposed. Two gateways are configured, a primary and a secondary:



The danger of having this service running on our computers is that the Controller has full access to the machine: it can watch the screen, listen, reboot, transfer files and even execute commands without the victim noticing.
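As an added example (the editor's own triage helper, not campaign code), the following JavaScript reads a client32.ini and flags the combination described above: a client hidden while idle, running silently, and relaying through gateways instead of connecting to a Controller the user could identify. The sample INI is constructed with placeholder hosts; the [HTTP] key names GatewayAddress and SecondaryGateway are taken from NetSupport's documented configuration, not from the page, so treat them as assumptions and adjust them to the sample in hand.

```javascript
// Added example: editor's triage helper for a NetSupport client32.ini,
// flagging the settings described in the analysis. Not campaign code; the
// sample INI below is constructed, and the [HTTP] key names are an
// assumption taken from NetSupport's documentation.

// Minimal INI parser: sections in [brackets], key=value lines, ';' comments.
// Section and key names are lower-cased so lookups are case-insensitive.
function parseIni(text) {
  const ini = {};
  let section = "";
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(";")) continue;
    const m = line.match(/^\[(.+)\]$/);
    if (m) {
      section = m[1].toLowerCase();
      ini[section] = ini[section] || {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    ini[section] = ini[section] || {};
    ini[section][line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
  }
  return ini;
}

// Settings a helpdesk deployment has no reason to combine: hide the client
// while idle, run silently, and relay through a gateway rather than let the
// user see which Controller is connecting.
function triageClientConfig(text) {
  const ini = parseIni(text);
  const client = ini["client"] || {};
  const http = ini["http"] || {};
  const findings = [];
  if (client["hidewhenidle"] === "1") findings.push("client hidden while idle (HideWhenIdle=1)");
  if (client["silent"] === "1") findings.push("silent mode, no user notification (silent=1)");
  const gateways = ["gatewayaddress", "secondarygateway"]
    .filter((k) => http[k])
    .map((k) => http[k]);
  if (gateways.length) findings.push("relays through gateway(s): " + gateways.join(", "));
  // Two or more of the three traits together is what we treat as suspicious;
  // any one alone can appear in a legitimate, if sloppy, deployment.
  return { suspicious: findings.length >= 2, findings, gateways };
}

// CONSTRUCTED sample in the shape of the file described; hosts are placeholders.
const SAMPLE_CLIENT32_INI = `
; constructed sample, not the campaign's file
[Client]
HideWhenIdle=1
silent=1
[HTTP]
GatewayAddress=gateway-primary.example:443
SecondaryGateway=gateway-secondary.example:443
`;

console.log(triageClientConfig(SAMPLE_CLIENT32_INI));
```

The gateway values the function extracts are the IoCs worth blocking at the egress proxy; the two hide settings are what to alert on in any client32.ini found outside the paths your own helpdesk deploys to.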

Figure 29. Controller options on a client

We have prepared two videos. The first shows the legitimate use of NetSupport Manager, where you can see when the software is installed, the ability to disconnect, and the icon in the bottom-right corner while the software is running:

Watch video here

In the second video, with the attacker's configuration, the victim is not aware of any of the attacker's actions: the screen being watched, files being stolen or dropped, a console being used to run processes. There is no icon, no interface, nothing:

Watch video here

Indicators of Compromise

Binary name / MD5 / Path on disk:

File name           MD5                               Path on disk
Firefox.js          20101d5ccebaa05617400c56c36541de  C:\%USERNAME%\Downloads\
ctfmon.exe          252dce576f9fbb9aaa7114dd7150f320  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
client32.ini        ca9756fe7165091706d61553ce4632e4  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
HTCTL32.DLL         2d3b207c8a48148296156e5725426c7f  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
msvcr100.dll        0e37fbfa79d349d672456923ec5fbbe3  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
nskbfltr.inf        26e28c01001f7e65c402bdf09923d435  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
NSM.ini             88b1dab8f4fd1ae879685995c90bd902  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
NSM.lic             7067af414215ee4c50bfcd3ea43c84f0  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
pcicapi.dll         dcde2248d19c778a41aa165866dd52d0  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
PCICHEK.DLL         a0b9388c5f18e27266a31f8c5765b263  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
PCICL32.DLL         00587100d16012152c2e951a087f2cc9  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
remcmdstub.exe      2a77875b08d4d2bb7b654db33a88f16c  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
TCCTL32.DLL         eab603d12705752e3d268d86dff74ed4  C:\%USERNAME%\AppData\Roaming\q0EkBnhA\
ANSI32.DLL (Dridex) fe946eb6810820fa7f60d832e6364a64
i1ojz1l.rar (Dridex) 68672d1ed6c979158b159fd9945934c6
Registry keys:

Possible malicious DLL download sites:

Site of download of the fake update (Firefox.js):

URLs of remote connection of Firefox.js (3 different examples):

Gateways used by NetSupport Manager:

Others which the group probably compromised in Mexico (not confirmed):

In addition to the deputy's website, some Mexican banks and other institutions could also have been affected.

Protection recommendations

Best practices for individuals

  • Stay up to date. Make sure computers, mobile devices and applications are updated with the latest patches and updates available.
  • Stay secure. Validate that your computer and mobile devices are protected against malware, and that the configuration of the operating system and applications is secure.
  • Stay informed. Make sure your financial services notify you of charges and transactions, and keep track of expenses and changes made to the banking service.
  • If it's suspicious, it's dangerous. Be alert to unsolicited content and to abnormal events in your personal and/or business context. Cybercriminals continuously switch the communication channel and/or medium used to scam their victims into handing over sensitive information:
    • Phone calls
    • Text messages (SMS)
    • E-mails
    • Internet browsing
  • Verify before acting. If you suspect your account has been compromised, stay calm and validate the movements directly with your financial institution through the channels available to you:
    • Last recognized charge
    • Last successful access
  • Additional protection. Most financial institutions offer additional protection tools for download. We recommend using them, bearing in mind that they are not a substitute for traditional anti-malware software.
  • Do not store information in the open. It is common to find Excel, Word or Notepad files on computers with telling names such as "Banking passwords" or "Electronic banking accesses". This makes it easy for attackers to find sensitive information. If you cannot memorize this data, do not keep it in plain sight and do not use such names when saving it.
  • Control of your PC. If you notice that you no longer control your computer (files open and close, it shuts down or restarts, programs change or switch between tasks on their own), someone else is likely controlling it. Do not enter sensitive information if you believe this may be the case.
  • Use only one computer. Always use a single computer to access your banking services. Do not access your accounts from computers that you do not know or that are shared by several people, since malware could have been downloaded or installed on them without anyone realizing.
  • Public networks. If you are going to access your banking portal, do it from a trusted network. Do not use open public wireless networks for this purpose, as they may compromise your information.

Best practices for financial entities

  • Continuous and timely communication. Maintain continuous, agnostic awareness of information-security threats, digital hygiene and the mechanisms for validating charges.
  • Risk in the context of fraud prevention. Consider monitoring and tracking risk events that represent business rules, identity and user trust in each banking channel.
  • 360º visibility of risks. Profile the risks in user activities considering everything the user does across all the channels they interact with.
  • Fraud changes and evolves. Evaluate the need to learn from user activities and the context of the channel, product and/or service, versus purely time-based learning. Consider engines that facilitate fraud recognition using supervised and unsupervised learning.
  • Baseline protection of channels and digital banking. Standardize the detection of, and response to, intrusions directed at the applications, infrastructure and/or network of the banking channels.
  • Secure transactions end to end. Identify and monitor transactions in an integral manner, from the client's request, through the execution and status of the internal processes that serve it, to the outcome of the resulting transaction. This significantly facilitates identifying and responding to attacks that occur within the infrastructure of the banking channels and/or through abuse of internal processes.
  • Integral cybersecurity and fraud-prevention strategy. Take advantage of business, cybersecurity and fraud-prevention variables to plan and improve the protection of banking channels.