New All-in-One Stealer – EvilExtractor

Microsoft Windows is the most widely used computer operating system in the world, which also makes it the most targeted platform for data theft. A new attack tool developed by Kodex targets the Windows operating system and steals data from it.

In this article, we will discuss the new EvilExtractor stealer and the technical analysis of the malware.

What is EvilExtractor?

EvilExtractor is a tool that targets Windows operating systems and extracts data and files from endpoint devices through an FTP service. It was developed by Kodex, who claims it is an educational tool, but malware researchers suggest that cybercriminals are using it as an information stealer. The tool includes multiple modules that can be used for extracting data.

By March 2023, there was a huge spike in communication with the host, evilextractor[.]com. EvilExtractor camouflages itself as a genuine file like Adobe PDF or Dropbox, but then it initiates PowerShell malicious activities and has Anti-VM functions. Its primary aim is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.

EvilExtractor for sale on the dark web (credits: Fortinet)

Technical Analysis – EvilExtractor

The infection chain begins with a phishing email requesting an account confirmation. It carries a malicious attachment that disguises itself as a legitimate decompressed file with an Adobe PDF icon.

The malicious file is actually a Python executable program. When the recipient opens the file, a PyInstaller file runs and initiates a .NET loader that utilizes a PowerShell script encoded in base64 to start an EvilExtractor executable.

During its initial execution, the malware will verify the system’s hostname and time to identify whether it is operating in a virtual environment or a sandbox for analysis purposes. If detected, it will terminate its operation.

The primary code of EvilExtractor is obtained by decrypting the .py file. The malware consists of 7 attack modules that operate over FTP services:

  • password and cookie extractor
  • screen and webcam extractor
  • credential extractor
  • keylogger
  • desktop extractor
  • all-in-one extractor (bundles previous extractor options)
  • Kodex ransomware.

The program initially verifies that the current date falls between 2022-11-09 and 2023-04-12. If it doesn’t, the program erases the data in PSReadline and terminates. Additionally, the program checks whether the product model matches any of the listed virtual machine names, such as VirtualBox, VMware, Hyper-V, etc. The program also compares the victim’s hostname against a list of 187 machine names associated with VirusTotal and other scanners and virtual machines.

EvilExtractor doing device check (credits: Fortinet)

If the environment check passes, EvilExtractor downloads three different components from http://193[.]42[.]33[.]232. All the downloaded components are obfuscated using PyArmor. The files are:

  1. “KK2023.zip” – A tool that collects browser data and saves it in the “IMP_Data” folder, extracting cookies from popular browsers.
  2. “Confirm.zip” – Keylogger
  3. “MnMs.zip” – Webcam extractor

EvilExtractor fetches files with extensions such as jpg, png, mp4, mp3, and pdf from the Desktop and Downloads directories. It also takes screenshots using the “CopyFromScreen” method.

Kodex Ransomware

After being executed, Kodex initiates the compression of the victim’s files with the help of 7-zip. It saves a list of compressed file names to Encrypted_files.txt, and then adds the compressed files to a password-protected archive, which is dropped on the victim’s desktop.

The attacker’s ransom note appears in HTML format on the victim’s browser, along with a countdown timer of 24 hours, demanding a ransom payment to the attacker’s Bitcoin wallet address for a decryption key. A screenshot of the victim’s desktop displaying the ransom note is captured and transmitted, along with Encrypted_files.txt, to the attacker’s EvilExtractor server via FTP. The IP address of the FTP server used by the analyzed sample was 89.117.169[.]78.

Kodex Ransomware notes (credits: Fortinet)

MITRE ATT&CK Identifiers

  • T1105 (Ingress Tool Transfer)
  • T1071.002 (File Transfer Protocols)
  • T1059.001 (PowerShell)
  • T1562.001 (Disable or Modify Tools)
  • T1497.001 (System Checks)

IOCs

IP addresses:

  • 45.87.81.184
  • 193.42.33.232
  • 89.117.169.78

File hashes (SHA-256):

  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d
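As an added example, not code from the article, from Fortinet or from Kodex, the following Python sweep applies the indicators listed above, together with the article's description of the base64-encoded PowerShell launch in the infection chain, to a few constructed telemetry lines. The pipe-separated key=value log format, the sample lines and the rule names are my own assumptions; the IP addresses and hashes are the ones printed on this page, kept in their defanged form and refanged at load time so they can be compared with live data.

```python
"""Offline IOC sweep for the EvilExtractor indicators in this article.

Added example; not part of the article or of any vendor tooling. The log
format is a constructed pipe-separated key=value line (an assumption):
adapt parse_event() to your own telemetry (EDR, proxy, Sysmon exports).
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Indicators quoted from the article, kept defanged the way the page prints them.
DEFANGED_IPS = ["45.87.81[.]184", "193[.]42[.]33[.]232", "89.117.169[.]78"]
FILE_HASH_LIST = [
    "352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685",
    "023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e",
    "75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e",
    "826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45",
    "b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd",
    "17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d",
]
FILE_HASHES = set(FILE_HASH_LIST)


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be compared with live telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the argument is base64 of UTF-16LE text, which is what the article's loader uses.
ENCODED_CMD_RE = re.compile(r"(?i)[-/]e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if the line carries none."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Constructed format: 'type=net|src=10.0.0.5|dst=1.2.3.4'. Values may contain '='."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def scan_events(lines) -> list:
    """Three rules: known C2/FTP addresses, known sample hashes, encoded PowerShell launches."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "net" and ev.get("dst") in IOC_IPS:
            findings.append(Finding(n, "ioc_ip", ev["dst"]))
        elif kind == "file" and ev.get("sha256", "").lower() in FILE_HASHES:
            findings.append(Finding(n, "ioc_hash", ev["sha256"].lower()))
        elif kind == "proc" and "powershell" in ev.get("image", "").lower():
            decoded = decode_encoded_command(ev.get("cmd", ""))
            if decoded is not None:
                findings.append(Finding(n, "encoded_powershell", decoded))
    return findings


def _encoded(script: str) -> str:
    """Build the constructed sample exactly the way powershell.exe expects the argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry: two benign lines (203.0.113.10 is a documentation address,
# notepad is an ordinary process) and four that should fire.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_LOG = [
    "type=net|src=10.0.0.5|dst=203.0.113.10|dport=443",
    "type=net|src=10.0.0.5|dst=193.42.33.232|dport=80",
    "type=file|path=C:\\Users\\alice\\Downloads\\Account_confirmation.exe|sha256="
    + FILE_HASH_LIST[0].upper(),
    "type=proc|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -w hidden -EncodedCommand " + _encoded(SAMPLE_SCRIPT),
    "type=proc|image=C:\\Windows\\notepad.exe|cmd=notepad.exe C:\\notes.txt",
    "type=net|src=10.0.0.7|dst=89.117.169.78|dport=21",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The hash rule lower-cases before comparing because EDR exports disagree on case, and the PowerShell rule decodes the argument rather than alerting on the mere presence of `-EncodedCommand`, so an analyst sees the script text in the finding and can triage it without a second lookup.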

Email Address          

Conclusion

EvilExtractor is being employed as a tool for stealing various types of information while also carrying other malicious capabilities, such as ransomware. Its PowerShell script can evade detection when wrapped in a .NET loader or PyArmor obfuscation. The developer of this tool has quickly updated numerous functions and improved its reliability.

I hope this article helped you understand what the new EvilExtractor stealer is and how the malware works. Please share this post and help secure the digital world.

Frequently Asked Questions:

1. Who developed EvilExtractor?

EvilExtractor was developed by a company named Kodex.

2. What is the purpose of EvilExtractor?

The primary aim of EvilExtractor is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.

3. How does EvilExtractor work?

EvilExtractor starts with a phishing email containing a malicious attachment disguised as a legitimate file. Once opened, it runs a Python executable program, which initiates a .NET loader using a PowerShell script to start the EvilExtractor executable. It has seven attack modules operating over FTP services, each designed for a specific type of data extraction.

4. What kind of environment check does EvilExtractor perform?

EvilExtractor checks if the system is operating in a virtual environment or a sandbox by verifying the system’s hostname and time. If such an environment is detected, it terminates its operation.

5. What is Kodex Ransomware?

Kodex ransomware is part of EvilExtractor’s attack modules. It compresses the victim’s files, saves a list of compressed file names, and adds these to a password-protected archive on the victim’s desktop. A ransom note is displayed on the victim’s browser, demanding a payment to the attacker’s Bitcoin wallet address for a decryption key.

6. What measures can be taken against EvilExtractor?

The blog post does not mention specific measures against EvilExtractor. However, generally, it is crucial to maintain up-to-date antivirus software, be wary of suspicious emails and attachments, regularly back up important data, and stay informed about the latest cybersecurity threats.

7. Is EvilExtractor available for sale?

Yes, EvilExtractor has been seen for sale on the dark web.

8. Can EvilExtractor target other operating systems besides Windows?

As per the blog post, EvilExtractor specifically targets the Windows operating system.

About the author

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
