December 3, 2023

Researchers have spotted a stealer malware named as Evil Extractor (originally marketed as an educational tool) is being marketed for sale for other threat actors to steal data and files from Windows systems.

It has several modules that all work via an FTP service, it also contains environment checking and Anti-VM functions. Its primarily focuses steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server. Majority  of the victims located in Europe and the U.S.

Sold by an actor named Kodex,  it’s continually updates and packs in various modules to siphon system metadata, passwords, and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.

Advertisements

As a part of the new campaign, the malware has been used as part of a phishing emails that lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their account details.

The Account_Info.exe binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch Evil Extractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.

The report concluded stating, Evil Extractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor.

This research was documented by researchers from Fortinet

Indicators of Compromise

  • 45[.]87[.]81[.]184
  • 193[.]42[.]33[.]232
  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November, 2023

December 2, 2023

Staples affected by a Cyber Attack

December 2, 2023

CISA KEV Update Part I – December 2023

December 1, 2023 2

Dollar Tree Affected by a Third Party Breach

December 1, 2023

Apple Patches iOS zerodays – CVE-2023-42916 and CVE-2023-42917

December 1, 2023

TheCyberThrone Security Week In Review – November 25, 2023

November 30, 2023
%d bloggers like this: