Researchers are seeing a rise in attacks spreading the EvilExtractor data theft tool, used to steal users’ sensitive data in Europe and the U.S.
EvilExtractor is sold by a company named Kodex for $59/month, featuring seven attack modules, including ransomware, credential extraction, and Windows Defender bypassing.
While marketed as a legitimate tool, BleepingComputer was told that EvilExtractor is primarily promoted to threat actors on hacking forums.
“Recorded Future first observed Evil Extractor being sold on the Cracked and Nulled forums in October of 2022,” Allan Liska, a threat intelligence analyst at Recorded Future, told BleepingComputer.
Other security researchers have also been monitoring the development and malicious attacks using Evil Extractor, sharing their findings on Twitter since February 2022.
Fortinet reports that cybercriminals use EvilExtractor as an information-stealing malware in the wild.
Based on attack stats collected by the cybersecurity company, the deployment of EvilExtractor spiked in March 2023, with most infections coming from a linked phishing campaign.
Spread in phishing attacks
Fortinet says the attacks they observed started with a phishing email disguised as an account confirmation request, carrying a gzip-compressed executable attachment. This executable is created to appear as a legitimate PDF or Dropbox file, but in reality, it is a Python executable program.
When the target opens the file, a PyInstaller file is executed and launches a .NET loader that uses a base64-encoded PowerShell script to launch an EvilExtractor executable.
Upon the first launch, the malware will check the system time and hostname to detect if it is running in a virtual environment or analysis sandbox, in which case it will exit.
The EvilExtractor version deployed in these attacks features the following modules:
- Date time checking
- FTP server setting
- Steal data
- Upload stolen data
- Clear log
The EvilExtractor data-stealing module will download three additional Python components named “KK2023.zip,” “Confirm.zip,” and “MnMs.zip.”
The first program extracts cookies from Google Chrome, Microsoft Edge, Opera, and Firefox and also collects browsing history and saved passwords from an even more extensive set of programs.
The second module is a key logger that records the victim’s keyboard inputs and saves them in a local folder to be exfiltrated later.
The third file is a webcam extractor, meaning it can secretly activate the webcam, capture video or images, and upload the files to the attacker’s FTP server, which Kodex rents.
The malware also exfiltrates many document and media file types from the Desktop and Downloads folders, captures screenshots, and sends all stolen data to its operators.
The ‘Kodex ransomware’ module is nested in the loader and, if activated, downloads an additional file (“zzyy.zip”) from the product’s website.
It’s a simple yet effective file-locking tool that abuses 7-Zip to create a password-protected archive containing the victim’s files, effectively preventing access to them without the password.
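The infection chain described above (a decoy document-named executable spawning PowerShell with a base64-encoded command) and the archive-based locker (7-Zip building a password-protected archive) both leave traces in process-creation telemetry. The following is an added example, not code from Fortinet, BleepingComputer or Kodex, showing how a defender could screen such events. The sample events, the rule names and the `_MEIxxxx` PyInstaller temp-directory heuristic are constructed assumptions for illustration; the command-line switches (`-EncodedCommand`, `-WindowStyle Hidden`, 7-Zip `-p` and `-mhe=on`) are the real ones those tools accept.

```python
import base64
import re
from typing import Optional


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (parent image, child image, command line).
# They are illustrative stand-ins, not telemetry from the campaign described in the article.
SAMPLE_EVENTS = [
    {   # decoy "PDF" executable launching hidden, encoded PowerShell that runs a staged binary
        "parent": r"C:\Users\alice\Downloads\Account_Confirmation.pdf.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                   + encode_powershell(r"Start-Process 'C:\Users\alice\AppData\Local\Temp\_MEI2468\stage2.exe'"),
    },
    {   # 7-Zip invoked to build a password-protected, header-encrypted archive of user files
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Program Files\7-Zip\7z.exe",
        "cmdline": r"7z.exe a -pS3cretPass -mhe=on C:\Users\alice\Documents\locked.7z C:\Users\alice\Documents\*",
    },
    {   # benign 7-Zip backup without a password: should not fire
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\7-Zip\7z.exe",
        "cmdline": r"7z.exe a C:\backup\photos.7z C:\Users\alice\Pictures\*",
    },
    {   # benign interactive PowerShell: should not fire
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -Command Get-Process",
    },
]

# Executable named to look like a document or archive (e.g. "invoice.pdf.exe").
DECOY_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|zip)\.exe$", re.IGNORECASE)
# -EncodedCommand and the abbreviated forms PowerShell accepts, followed by base64 text.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# PyInstaller one-file bundles extract into a _MEI<digits> temp directory (assumed heuristic).
PYINSTALLER_TEMP_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Return the names of the rules that fire on one process-creation event."""
    findings = []
    parent, image, cmdline = basename(event["parent"]), basename(event["image"]), event["cmdline"]

    # Rule 1: the parent is an executable masquerading as a document or archive.
    if DECOY_EXT_RE.search(parent):
        findings.append("decoy_document_extension")

    # Rule 2: PowerShell launched with an encoded command; decode it so the analyst
    # sees the real script, and note a hidden window and a PyInstaller extraction path.
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append("encoded_powershell")
            if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE):
                findings.append("hidden_window")
            if PYINSTALLER_TEMP_RE.search(decoded):
                findings.append("pyinstaller_temp_path")

    # Rule 3: 7-Zip adding files to an archive with a password (-p) and, optionally,
    # encrypted headers (-mhe=on): the pattern an archive-based locker relies on.
    # Whitespace splitting is enough for the samples; a real parser must handle quoting.
    if image in ("7z.exe", "7za.exe", "7zr.exe"):
        args = cmdline.split()[1:]
        if args and args[0].lower() == "a":
            switches = [a for a in args[1:] if a.startswith("-")]
            if any(s.lower().startswith("-p") for s in switches):
                findings.append("7zip_password_archive")
                if any(s.lower() == "-mhe=on" for s in switches):
                    findings.append("7zip_encrypted_headers")
    return findings


def analyze_events(events: list) -> dict:
    """Map event index -> fired rules, keeping only events that triggered something."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


if __name__ == "__main__":
    for idx, rules in analyze_events(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["image"]), rules)
```

Run on the constructed events, only the first two fire: the decoy dropper event trips the double-extension, encoded-PowerShell, hidden-window and PyInstaller-path rules, and the locker event trips the password-archive and encrypted-header rules, while the plain backup and the interactive PowerShell session stay quiet. Decoding the encoded command rather than merely flagging its presence is what lets a triage analyst see the staged binary's path.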
Fortinet warns that the developer of EvilExtractor, Kodex, has added several features to the tool since its initial release in October 2022 and keeps upgrading it to make it more potent and stable.
In-the-wild detections indicate that EvilExtractor is gaining traction in the cybercrime community, so users are advised to remain vigilant against unsolicited emails.