According to cybersecurity reports, there has been a recent increase in attacks using a data theft tool known as EvilExtractor or the Evil Extractor. This tool is designed to steal sensitive user data and is being used in both Europe and the U.S. The EvilExtractor tool is sold by a company named Kodex for $59 per month. The tool has seven different attack modules, including ransomware, credential extraction and Windows Defender bypassing. While Kodex markets EvilExtractor as a legitimate tool, evidence suggests that it is primarily being promoted to cybercriminals on hacking forums.
Cybercriminals are deploying EvilExtractor as an information-stealing malware in the wild. According to a report published by a cybersecurity company, attacks using EvilExtractor have surged since the start of 2023. The threat actors have established a linked phishing campaign as a way to infect targets.
EvilExtractor is Delivered via Phishing Emails
The EvilExtractor attacks begin with a phishing email designed to look like an account confirmation request. The email carries a compressed executable attachment disguised as a legitimate PDF or Dropbox file; opening the attachment launches a Python executable.
This program uses a PyInstaller file to execute a .NET loader, which in turn runs a base64-encoded PowerShell script that launches the EvilExtractor executable. Once running, the malware checks the compromised system's hostname and time to determine whether it is executing inside a virtual machine or an analysis sandbox. If it detects such an environment, the malware terminates.
The version of EvilExtractor used in these attacks includes a total of seven distinct modules. Each module is responsible for a specific function; the functions cover date and time checking, anti-sandbox, anti-VM, anti-scanner, FTP server setting, data stealing, data upload, log clearing, and even ransomware.
EvilExtractor Malware can Exfiltrate Sensitive Data or Act as Ransomware
The EvilExtractor malware contains a data-stealing module that downloads three additional Python components named 'KK2023.zip,' 'Confirm.zip,' and 'MnMs.zip.'
The first component extracts cookies from popular browsers such as Google Chrome, Microsoft Edge, Opera, and Firefox. Additionally, it collects browsing history and saved passwords from an extensive set of programs.
The second component functions as a keylogger, recording the victim's keyboard inputs and saving them in a local folder to be retrieved later.
The third component is a webcam extractor that can silently activate the webcam, capture video or images, and upload them to the attacker's FTP server, which is rented by Kodex.
The malware also steals document and media files from the victim's Desktop and Downloads folders, captures arbitrary screenshots, and exfiltrates all the collected data to its operators.
The malware's ransomware module is nested within the loader and, when activated, downloads an additional file named 'zzyy.zip' from the product's website. It is a file-locking tool that uses the 7-Zip app to create a password-protected archive containing the victim's files, effectively preventing access to them without the password.
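Two links in the chain described above are visible in process-creation telemetry: the loader's base64-encoded PowerShell launch, and the ransomware module driving 7-Zip to build a password-protected archive of the victim's Desktop and Downloads folders. The following Python is an added detection example, not code from the report or from EvilExtractor; the log format, the parent image names and the command lines are constructed for illustration, and the heuristics are a starting point rather than a complete rule set.

```python
import base64

# Constructed sample process-creation records, not real telemetry.
# Format (hypothetical): "<parent image> -> <child command line>".
ENCODED_PS = base64.b64encode(
    "Start-Process 'C:\\Users\\Public\\stage2.exe'".encode("utf-16le")).decode()
SAMPLE_LOG = [
    "loader.exe -> powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED_PS,
    "explorer.exe -> notepad.exe C:\\Users\\alice\\notes.txt",
    "locker.exe -> 7z.exe a -pHunter2 -mhe=on C:\\Users\\alice\\files.7z C:\\Users\\alice\\Desktop\\*",
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_FLAGS = ("-encodedcommand", "-enc", "-ec", "-e")
USER_DATA_DIRS = ("\\desktop\\", "\\downloads\\")


def decode_powershell(args):
    """Return the decoded script if args carry a base64 -EncodedCommand payload, else None."""
    for i, tok in enumerate(args[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(args[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(record):
    """Return a list of (finding, parent_image, detail) tuples for one record."""
    parent, _, cmdline = record.partition(" -> ")
    args = cmdline.split()  # whitespace split; real telemetry needs a Windows-aware parser
    image = args[0].lower()
    findings = []
    if image.startswith("powershell"):
        script = decode_powershell(args[1:])
        if script is not None:
            findings.append(("encoded_powershell", parent, script))
    # 7-Zip 'a' (add) with a -p<password> switch over user data folders
    if image in ("7z.exe", "7za.exe") and args[1:2] == ["a"]:
        has_password = any(a.lower().startswith("-p") for a in args[2:])
        touches_user_data = any(d in a.lower() for a in args[2:] for d in USER_DATA_DIRS)
        if has_password and touches_user_data:
            findings.append(("password_protected_archive_of_user_data", parent, cmdline))
    return findings


def scan(records):
    """Run analyze() over every record and flatten the findings."""
    return [f for r in records for f in analyze(r)]
```

Decoding the payload, rather than only flagging the switch, lets an analyst see what the loader actually executed and pivot on the launched path.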