June 7, 2023

Researchers have spotted a stealer malware named as Evil Extractor (originally marketed as an educational tool) is being marketed for sale for other threat actors to steal data and files from Windows systems.

It has several modules that all work via an FTP service, it also contains environment checking and Anti-VM functions. Its primarily focuses steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server. Majority  of the victims located in Europe and the U.S.

Sold by an actor named Kodex,  it’s continually updates and packs in various modules to siphon system metadata, passwords, and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.

Advertisements

As a part of the new campaign, the malware has been used as part of a phishing emails that lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their account details.

The Account_Info.exe binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch Evil Extractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.

The report concluded stating, Evil Extractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor.

This research was documented by researchers from Fortinet

Indicators of Compromise

  • 45[.]87[.]81[.]184
  • 193[.]42[.]33[.]232
  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d
Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: