May 23, 2023

New All-in-One Stealer – EvilExtractor


Microsoft Windows is the most widely used computer operating system in the world, which also makes it the most targeted platform for data theft. A new attack tool, developed by the company Kodex, targets the Windows operating system and steals data from it.

In this article, we will discuss the new EvilExtractor stealer and the technical analysis of the malware.

What is EvilExtractor?

EvilExtractor is a tool that targets Windows operating systems and exfiltrates data and files from endpoint devices over FTP. It was developed by Kodex, who claims it is an educational tool, but malware researchers report that cybercriminals are using it as an information stealer. The tool includes multiple modules that can be used for extracting data.

By March 2023, there was a huge spike in communication with the host, evilextractor[.]com. EvilExtractor camouflages itself as a genuine file like Adobe PDF or Dropbox, but then it initiates PowerShell malicious activities and has Anti-VM functions. Its primary aim is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.

EvilExtractor for sale on the dark web (credits: Fortinet)

Technical Analysis - EvilExtractor

The infection chain begins with a phishing email that poses as an account confirmation request and carries a malicious attachment disguised with the icon of a legitimate decompressed Adobe PDF file.

The malicious file is actually a Python executable. When the recipient opens it, a PyInstaller-packaged program runs and launches a .NET loader, which uses a base64-encoded PowerShell script to start the EvilExtractor executable.

During its initial execution, the malware will verify the system’s hostname and time to identify whether it is operating in a virtual environment or a sandbox for analysis purposes. If detected, it will terminate its operation.

The primary code of EvilExtractor is obtained by decrypting the .py file. The malware consists of 7 attack modules that operate over FTP:

  • password and cookie extractor

  • screen and webcam extractor

  • credential extractor

  • keylogger

  • desktop extractor

  • all-in-one extractor (bundles previous extractor options)

  • Kodex ransomware

The program first verifies that the current date falls between 2022-11-09 and 2023-04-12. If it does not, the program erases the PSReadline data (the PowerShell command history) and terminates. Additionally, the program checks whether the product model matches any of a list of virtual machine names, such as VirtualBox, VMware, Hyper-V, etc. The program also compares the victim’s hostname against a list of 187 machine names belonging to VirusTotal and other scanners and virtual machines.

EvilExtractor doing device check (credits: Fortinet)

If the environment check passes, EvilExtractor downloads 3 different components from http://193[.]42[.]33[.]232. All downloaded components are obfuscated using PyArmor. The files are:

  1. “KK2023.zip” – A tool that collects browser data and saves it in the “IMP_Data” folder, extracting cookies from popular browsers.

  2. “Confirm.zip” – Keylogger

  3. “MnMs.zip” – Webcam extractor

EvilExtractor collects files with extensions such as jpg, png, mp4, mp3, pdf, etc., from the Desktop and Downloads directories. It also takes screenshots using the .NET “CopyFromScreen” method.

Kodex Ransomware

After being executed, Kodex compresses the victim’s files using 7-zip. It saves a list of the compressed file names to Encrypted_files.txt, then adds the compressed files to a password-protected archive, which is dropped on the victim’s desktop.

The attacker’s ransom note appears in HTML format on the victim’s browser, along with a countdown timer of 24 hours, demanding a ransom payment to the attacker’s Bitcoin wallet address for a decryption key. A screenshot of the victim’s desktop displaying the ransom note is captured and transmitted, along with Encrypted_files.txt, to the attacker’s EvilExtractor server via FTP. The IP address of the FTP server used by the analyzed sample was 89.117.169[.]78.

Kodex Ransomware notes (credits: Fortinet)

MITRE ATT&CK Identifiers

  • T1105 (Ingress Tool Transfer)

  • T1071.002 (File Transfer Protocols)

  • T1059.001 (PowerShell)

  • T1562.001 (Disable or Modify Tools)

  • T1497.001 (System Checks)

IOCs

IP Addresses:

  • 45.87.81.184

  • 193.42.33.232

  • 89.117.169.78

Files:


Email Address:

  • kodex@evilextractor.com
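As an added example (not part of the original article or of Fortinet’s analysis), the following Python script turns the behaviours described above into simple triage logic for endpoint telemetry: it decodes base64 PowerShell command lines, flags a wipe of the PSReadline history, and matches outbound connections against the IP indicators listed in this IOC section. The JSON event schema, the dropper path and name, and the sample log lines are constructed for the example.

```python
import base64
import json

# IP indicators quoted in the article's IOC section.
IOC_IPS = {"45.87.81.184", "193.42.33.232", "89.117.169.78"}

def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries -EncodedCommand (or -enc/-ec/-e), else None."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return base64.b64decode(parts[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # malformed payload: report nothing rather than crash
                return None
    return None

def triage_event(evt):
    """Return findings for one event; the schema (event, image, cmdline, dst, dport) is a constructed simplification."""
    findings, image = [], evt.get("image", "").lower()
    if evt.get("event") == "ProcessCreate" and "powershell" in image:
        script = decode_encoded_command(evt.get("cmdline", ""))
        if script is not None:
            findings.append("T1059.001: base64-encoded PowerShell")
            if "psreadline" in script.lower() or "consolehost_history" in script.lower():
                findings.append("T1562.001: PSReadline history wiped")
    elif evt.get("event") == "NetworkConnect":
        if evt.get("dst") in IOC_IPS:
            findings.append("IOC: connection to " + evt["dst"])
        if evt.get("dport") == 21:  # the stealer modules and ransomware exfiltrate over FTP
            findings.append("T1071.002: FTP connection")
    return findings

def triage(json_lines):
    """Run triage over JSON-lines telemetry; returns {line_number: findings} for lines with hits."""
    return {n: f for n, line in enumerate(json_lines, 1) if (f := triage_event(json.loads(line)))}

# Constructed sample telemetry (not real logs); the dropper path and name are invented.
DROPPER = r"C:\Users\victim\AppData\Local\Temp\Account_Confirmation.exe"
SAMPLE_LOGS = [
    json.dumps({"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + encode_ps(r"Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt")}),
    json.dumps({"event": "NetworkConnect", "image": DROPPER, "dst": "193.42.33.232", "dport": 80}),
    json.dumps({"event": "NetworkConnect", "image": DROPPER, "dst": "89.117.169.78", "dport": 21}),
    json.dumps({"event": "NetworkConnect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "203.0.113.10", "dport": 443}),
]
```

Running triage(SAMPLE_LOGS) flags lines 1 to 3 and leaves the benign browser connection on line 4 unreported.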

Conclusion

EvilExtractor is being employed as a tool for stealing various types of information while also offering further malicious capabilities, such as ransomware. Its PowerShell script is hidden inside a .NET loader and its components are obfuscated with PyArmor to evade detection. The developer of this tool has quickly updated numerous functions and improved its reliability.

I hope this article helped in understanding what the new EvilExtractor stealer is and how the malware works. Please share this post and help secure the digital world.

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
