Table of Contents
  • Home
  • /
  • Blog
  • /
  • New All-in-One Stealer – EvilExtractor
May 23, 2023
|
5m

New All-in-One Stealer – EvilExtractor


New All In One Stealer Evilextractor

The most widely used computer operating system in this world is Microsoft Windows, which itself makes Windows the most targeted for stealing data. A new attack tool was developed by the company Kodex which targets the Windows operating system and steals data.

In this article, we will discuss the new EvilExtractor stealer and the technical analysis of the malware.

What is EvilExtractor?

EvilExtractor is a tool that targets Windows operating systems and extracts data and files from endpoint devices through an FTP service. It was developed by Kodex, who claims it is an educational tool, but malware researchers suggest that cybercriminals are using it as an information stealer. The tool includes multiple modules that can be used for extracting data.

By March 2023, there was a huge spike in communication with the host, evilextractor[.]com. EvilExtractor camouflages itself as a genuine file like Adobe PDF or Dropbox, but then it initiates PowerShell malicious activities and has Anti-VM functions. Its primary aim is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.

EvilExtractor for sales in the dark web (credits: Fortinet)

By March 2023, there was a huge spike in communication with the host, evilextractor[.]com. EvilExtractor camouflages itself as a genuine file like Adobe PDF or Dropbox, but then it initiates PowerShell malicious activities and has Anti-VM functions. Its primary aim is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.

Technical Analysis -EvilExtractor

The initial analysis happens via a phishing mail requesting an account confirmation request containing a malicious attachment that disguises itself as a legitimate decompressed file icon for Adobe PDF.

The malicious file is actually a Python executable program. When the recipient opens the file, a PyInstaller file runs and initiates a .NET loader that utilizes a PowerShell script encoded in base64 to start an EvilExtractor executable.

During its initial execution, the malware will verify the system’s hostname and time to identify whether it is operating in a virtual environment or a sandbox for analysis purposes. If detected, it will terminate its operation.

The primary code of EvilExtractor is obtained by decrypting the py file. The malware consists of 7 attack modules that operate over FTP services:

  • password and cookie extractor

  • screen and webcam extractor

  • credential extractor

  • keylogger

  • desktop extractor

  • all-in-one extractor (bundles previous extractor options)

  • Kodex ransomware.

The program initially verifies if the current date falls between 2022-11-09 and 2023-04-12. If it doesn’t, the program erases the data in PSReadline and terminates. Additionally, the program checks if the product model matches any of the listed virtual machine names, such as VirtualBox, VMWare, Hyper-V, etc. The program also compares the victim’s hostname with a list of 187 machine names from VirusTotal and other scanner/virtual machines.

EvilExtractor doing device check (credits: Fortinet)

If the environment check is completed successfully, EvilExtractor will download 3 different components from http://193[.]42[.]33[.]232. All the downloaded components are Obfuscated using PyArmor. The files are

  1.  “KK2023.zip”- A tool that collects browser data and saves it in “IMP_Data” folder, extracting cookies from popular browsers.

  2. Confirm.zip” – Keylogger

  3.  “MnMs.zip” – Webcam extractor

EvilExtractor fetches files with extensions like jpg, png, mp4, mp3, pdf, etc., from Desktop and Download directories. It also takes screenshots using “CopyFromScreen” command.

Kodex Ransomware

After being executed, Kodex initiates the compression of the victim’s files with the help of 7-zip. It saves a list of compressed file names to Encrypted_files.txt, and then adds the compressed files to a password-protected archive, which is dropped on the victim’s desktop.

The attacker’s ransom note appears in HTML format on the victim’s browser, along with a countdown timer of 24 hours, demanding a ransom payment to the attacker’s Bitcoin wallet address for a decryption key. A screenshot of the victim’s desktop displaying the ransom note is captured and transmitted, along with Encrypted_files.txt, to the attacker’s EvilExtractor server via FTP. The IP address of the FTP server used by the analyzed sample was 89.117.169[.]78.

Kodex Ransomware notes (credits: Fortinet)

MITRE attack Identifier

  • T1105 (Ingress Tool Transfer)

  • T1071.002 (File Transfer Protocols)

  • T1059.001 (PowerShell)

  • T1562.001 (Disable or Modify Tools)

  • T1497.001 (System Checks)

IOC

IP Address:

  • 45.87.81.184

  • 193.42.33.232

  • 89.117.169.78

Files:

  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685

  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e

  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e

  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45

  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd

  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d

Email Address          

  • kodex@evilextractor.com

Conclusion

The EvilExtractor is being employed as a tool for stealing various types of information while also having multiple malicious capabilities, such as ransomware. Its PowerShell script has the ability to avoid detection in a .NET loader or PyArmor. The developer of this tool has quickly updated numerous functions and improved its reliability.

I hope this article helped in understanding about what the new evil extractor stealer and the technical analysis of the malware. Please share this post and help secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblrMedium & Instagram, and subscribe to receive updates like this. 

You may also like these articles:

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe