EvilExtractor, a new All-in-One info stealer appeared on the Dark Web

EvilExtractor is a new “all-in-one” info stealer for Windows that is being advertised for sale on dark web cybercrime forums.

Fortinet FortiGuard Labs researchers discovered a new “all-in-one” info stealer for Windows, dubbed EvilExtractor (sometimes spelled Evil Extractor) that is available for sale on dark web cybercrime forums.

EvilExtractor is a modular info-stealer, it exfiltrates data via an FTP service. The tool was developed by a company named Kodex, which claims that the tool was developed for an educational purpose. The bad news is that according to FortiGuard Labs, cybercriminals are actively using the tools as an info stealer.

The malware environment checking and Anti-VM functions.

“Based on our traffic source data to the host, evilextractor[.]com, malicious activity increased significantly in March 2023. FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog.” reads the report published by Fortinet. “It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities.”

The researchers observed a surge in attacks spreading the malware in March 2023, most of the infections were reported in Europe and the U.S.

The tool is sold on cybercrime forums by an actor that goes online with the name Kodex, the developer released its project in October 2022 and is continuously updating it by releasing new modules with new features.

The malware can steal sensitive data from the infected endpoint, including browser history and passwords, and cookies. The malware is also able to record keystrokes, activate the webcam, and capture screenshots. The experts noticed that the info-stealer also has a ransomware function called “Kodex Ransomware”.

The experts observed a phishing campaign using a malicious attachment disguised as an account confirmation request in the form of a PDF file. The attacker tricks the victim into clicking the PDF icon to decompress the attachment file.

The “Account_Info.exe” file is an obfuscated Python program packaged by PyInstaller. The binary launches a .NET loader that uses a Base64-encoded PowerShell script to execute the EvilExtractor malware.

“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability. This blog explains how threat actors launch an attack via phishing mail and what files are leveraged to extract the EvilExtracrtor PowerShell script.” concludes the report. “Users should be aware of this new info stealer and continue to be cautious about suspicious mail.”

The report also provides Indicators of Compromise (IOCs) for this threat.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, EvilExtractor)