URL: https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities
Submission: On August 02 via api from DE — Scanned from DE

Text Content

BUY, SELL, STEAL, EVILNUM TARGETS CRYPTOCURRENCY, FOREX, COMMODITIES

July 21, 2022 Bryan Campbell, Pim Trouerbach, Selena Larson and the Proofpoint
Threat Research Team


KEY FINDINGS

 * TA4563 is a threat actor leveraging EvilNum malware to target European
   financial and investment entities, especially those with operations
   supporting foreign exchanges, cryptocurrency, and decentralized finance
   (DeFi).
 * EvilNum is a backdoor that can be used for data theft or to load additional
   payloads.
 * The malware includes multiple interesting components to evade detection and
   modify infection paths based on identified antivirus software.


OVERVIEW

From late 2021 through the present, Proofpoint Threat Research has observed the
group Proofpoint calls TA4563 targeting various European financial and
investment entities with the malware known as EvilNum. In recently observed
campaigns, the actor exclusively targeted entities in the Decentralized Finance
(DeFi) industry. The activity Proofpoint associates with TA4563 has some
overlap with activity publicly associated with a group referred to
as DeathStalker and EvilNum. The activity described in this report also has
some overlap with EvilNum activity publicly reported by Zscaler in June 2022.

The identified campaigns delivered an updated version of the EvilNum backdoor
using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021
and early 2022, presumably as a method of testing the efficacy of the delivery
methods. This malware can be used for reconnaissance, data theft, and to deploy
additional payloads.


CAMPAIGN DETAILS


2021 

Proofpoint observed the first campaign in December 2021. The messages purported
to be related to financial trading platform registration or related documents.
The initial campaign observed included the attempted delivery of Microsoft Word
documents responsible for the attempted installation of the updated version of
the EvilNum backdoor.

These messages used a remote template document that analysts observed attempting
to communicate with domains to install several LNK loader components, leveraging
wscript to load the EvilNum payload, and a JavaScript payload that was
ultimately installed on the user's host. These lures contained a financial
theme, suggesting on one occasion that the intended victim needed to submit
“proof of ownership of missing documents”.

Proofpoint identified the following post-infection related domains:

 * mailgunltd[.]com
 * azuredllservices[.]com
 * officelivecloud[.]com




EARLY 2022 

The group continued to target financial entities with a variation on the
original email campaign, attempting to deliver multiple OneDrive URLs that
contained either an ISO or .LNK attachment. In identified campaigns, the actor
used financial lures to get the recipient to launch the EvilNum payload.
Messages purported to be, for example:

From: “Viktoria Helle” <viktoria.helle79@zingamail[.]uk>
Subject: Re: Reminder to submit your proof of identity and address

Campaigns continued to target specific European financial and investment
entities.

Subsequent campaigns included the delivery of a compressed .LNK file directly as
an additional attempt to install EvilNum.


MID 2022

As the threat actor maintained consistent targeting and victimology, the
methodology again changed. In mid-2022 campaigns, TA4563 delivered Microsoft
Word documents to attempt to download a remote template.

Messages purported to be, for example:

From: "19steeven " <arfeuille19@gmail[.]com>
Subject: Fwd: KOT4X - Proof of ownership (urgent missing document)
Attachment: steve kot4x.docx

The attached document was responsible for generating traffic to
http://outlookfnd[.]com, a likely actor-controlled domain responsible for the
EvilNum payload.



Figure 1: Attached Word document delivering EvilNum.


EVILNUM DETAILS

Previous versions of EvilNum publicly reported by security organizations include
both a JavaScript component and C# component of the backdoor. Proofpoint did not
observe a JavaScript component in recent campaigns and analyzed the C# component
observed in multiple recent campaigns.  

Each campaign is highly fenced; the malware only allows one download per IP
address to ensure only the target host can retrieve the final payload. The
initial stage LNK loader is responsible for executing PowerShell via cmd.exe,
which then downloads two different payloads from the initial host (e.g.
infntio[.]com).

The first payload is responsible for executing two PowerShell scripts.



Figure 2: PowerShell script examples.

The first is used to decrypt a PNG and follows logic to restart the infection
chain. The second, larger PowerShell script loads C# code dynamically and sends
screenshots to a command-and-control server (C2). This C# application then
executes another PowerShell command:

/c start /min \”\” powershell -inputformat none -outputformat none -windowstyle
hidden -c \”&hpfde.exe” –v=[Random]

Several applications are executed depending on which antivirus software
(Avast, AVG, or Windows Defender) is found on the host. The malware will try to
call multiple executables likely already on the host machine (e.g.
TechToolkit.exe and nvapiu.exe). The malware execution chain changes to best
evade detection by the identified antivirus engine.



Figure 3: Executables called depending on the antivirus engine identified.

The second payload contains two encrypted blobs. The first is decrypted to an
executable (e.g. hpfde.exe) and the second to a TMP file (e.g. devXYXY5.tmp).
The initial executable reads and decrypts the TMP file to load a 53KB shellcode
file, resulting in a final decrypted and decompressed PE file.

The EvilNum backdoor can be used for reconnaissance and data theft activity and
to load follow-on payloads.


CONCLUSION

EvilNum malware and the TA4563 group pose a risk to financial organizations.
Based on Proofpoint analysis, TA4563’s malware is under active development.
Although Proofpoint did not observe follow-on payloads deployed in identified
campaigns, third-party reporting indicates EvilNum malware may be leveraged to
distribute additional malware including tools available via the Golden Chickens
malware-as-a-service. TA4563 has adjusted their attempts to compromise victims
using various methods of delivery. While Proofpoint observed this activity and
provided detection updates to thwart it, a persistent adversary will continue to
adjust their posture in their compromise attempts.


INDICATORS OF COMPROMISE

 * 2851693 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
 * 2851694 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
 * 2851695 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
 * 2851696 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)
 * 2851697 - ETPRO MALWARE EvilNum Related Domain in DNS Lookup (malware.rules)


 

 
