Gandalf_The_Grey
Researchers are seeing a rise in attacks spreading the EvilExtractor data theft tool, used to steal users' sensitive data in Europe and the U.S.
EvilExtractor is sold by a company named Kodex for $59/month, featuring seven attack modules, including ransomware, credential extraction, and Windows Defender bypassing.
While marketed as a legitimate tool, BleepingComputer was told that EvilExtractor is primarily promoted to threat actors on hacking forums.
"Recorded Future first observed Evil Extractor being sold on the Cracked and Nulled forums in October of 2022," Allan Liska, a threat intelligence analyst at Recorded Future, told BleepingComputer.
Other security researchers have also been monitoring the development and malicious attacks using Evil Extractor, sharing their findings on Twitter since February 2022.
Fortinet reports that cybercriminals use EvilExtractor as an information-stealing malware in the wild.
Based on attack stats collected by the cybersecurity company, the deployment of EvilExtractor spiked in March 2023, with most infections coming from a linked phishing campaign.
Fortinet says the attacks they observed started with a phishing email disguised as an account confirmation request, carrying a gzip-compressed executable attachment. This executable is created to appear as a legitimate PDF or Dropbox file, but in reality, it is a Python executable program.
When the target opens the file, a PyInstaller file is executed and launches a .NET loader that uses a base64-encoded PowerShell script to launch an EvilExtractor executable.
Upon the first launch, the malware will check the system time and hostname to detect if it is running in a virtual environment or analysis sandbox, in which case it will exit.
The EvilExtractor data-stealing module will download three additional Python components named "KK2023.zip," "Confirm.zip," and "MnMs.zip."
The first program extracts cookies from Google Chrome, Microsoft Edge, Opera, and Firefox and also collects browsing history and saved passwords from an even more extensive set of programs.
The second module is a key logger that records the victim's keyboard inputs and saves them in a local folder to be exfiltrated later.
The third file is a webcam extractor, meaning it can secretly activate the webcam, capture video or images, and upload the files to the attacker's FTP server, which Kodex rents.
The malware also exfiltrates many document and media file types from the Desktop and Downloads folders, captures screenshots, and sends all stolen data to its operators.
EvilExtractor malware activity spikes in Europe and the U.S. (www.bleepingcomputer.com)
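As an added defensive example (not code from the article, Fortinet, or Kodex), the following Python checks two traits of the chain described above: a gzip-compressed PE attachment named like a document and built with PyInstaller, and a PowerShell launch that hides its script in a base64-encoded `-EncodedCommand` argument. The document-extension list and the sample attachment and command line are constructed for this example; the PyInstaller cookie magic is the well-known CArchive marker.

```python
import base64
import gzip
import re
import zlib

# Magic values: PE files start with the DOS "MZ" stub, and PyInstaller-built
# executables carry the CArchive cookie magic near the end of the file.
PE_MAGIC = b"MZ"
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
ENCODED_ARG = re.compile(r"-e\w*\s+([A-Za-z0-9+/=]+)", re.I)


def inspect_attachment(filename: str, payload: bytes) -> list:
    """Return findings for a mail attachment (empty list = nothing notable)."""
    findings = []
    try:
        data = gzip.decompress(payload)
        findings.append("gzip-compressed attachment")
    except (OSError, EOFError, zlib.error):
        data = payload  # not gzip; inspect the bytes as they are
    inner = filename[:-3] if filename.lower().endswith(".gz") else filename
    if data.startswith(PE_MAGIC):
        if inner.lower().endswith(DOCUMENT_EXTENSIONS):
            findings.append(f"PE executable named like a document: {inner}")
        if PYINSTALLER_COOKIE in data:
            findings.append("PyInstaller-packaged executable")
    return findings


def decode_encoded_powershell(command_line: str):
    """Decode a powershell -EncodedCommand (base64 UTF-16LE); None if absent."""
    if "powershell" not in command_line.lower():
        return None
    for m in ENCODED_ARG.finditer(command_line):
        # -e, -ec and -enc are all accepted by PowerShell, so try each -e... switch
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


# Constructed samples (not real malware): a minimal fake PE carrying the
# PyInstaller cookie under a PDF-looking name, and a hidden encoded launch.
SAMPLE_ATTACHMENT = gzip.compress(PE_MAGIC + b"\x00" * 64 + PYINSTALLER_COOKIE)
SAMPLE_COMMAND = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    'Write-Host "constructed sample"'.encode("utf-16-le")).decode()
```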