New All-in-One Stealer – EvilExtractor


Microsoft Windows is the most widely used desktop operating system in the world, which also makes it the most targeted platform for data theft. A new attack tool developed by a group calling itself Kodex targets the Windows operating system and steals data from it.

In this article, we will discuss the new EvilExtractor stealer and the technical analysis of the malware.

What is EvilExtractor?

EvilExtractor is a tool that targets Windows operating systems and extracts data and files from endpoint devices through an FTP service. It was developed by Kodex, who claims it is an educational tool, but malware researchers suggest that cybercriminals are using it as an information stealer. The tool includes multiple modules that can be used for extracting data.

By March 2023, there was a large spike in communication with the host evilextractor[.]com. EvilExtractor camouflages itself as a genuine file such as an Adobe PDF or a Dropbox document, then launches malicious PowerShell activity and performs anti-VM checks. Its primary aim is to extract browser data and other information from compromised endpoints and upload it to the attacker’s FTP server.


Technical Analysis - EvilExtractor

The infection chain begins with a phishing email asking the recipient to confirm their account. The mail carries a malicious attachment that disguises itself with the icon of a legitimate decompressed Adobe PDF file.


The malicious file is actually a Python executable. When the recipient opens it, a PyInstaller-packaged program runs and starts a .NET loader, which uses a base64-encoded PowerShell script to launch the EvilExtractor executable.

During its initial execution, the malware will verify the system’s hostname and time to identify whether it is operating in a virtual environment or a sandbox for analysis purposes. If detected, it will terminate its operation.

The primary code of EvilExtractor is obtained by decrypting the .py file. The malware consists of 7 attack modules that operate over the FTP service:

  • password and cookie extractor
  • screen and webcam extractor
  • credential extractor
  • keylogger
  • desktop extractor
  • all-in-one extractor (bundles previous extractor options)
  • Kodex ransomware

The program first verifies that the current date falls between 2022-11-09 and 2023-04-12. If it does not, the program erases the PSReadline data (the PowerShell command history) and terminates. It then checks whether the product model matches any of a list of virtual machine names, such as VirtualBox, VMware, Hyper-V, etc. Finally, it compares the victim’s hostname with a list of 187 machine names associated with VirusTotal and other scanners and virtual machines.
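The three environment checks above decide whether the sample runs at all, so an analyst provisioning a detonation sandbox needs to know which of them a given VM would trip. The following script is an added example, not code from the article or from the malware: it models the checks exactly as the analysis describes them (date window, VM product-model substrings, hostname blocklist) and reports which ones a host with the given properties would fail. The hostname blocklist and the product-model strings are constructed stand-ins, since the article names only three vendors and does not reproduce the list of 187 hostnames.

```python
import datetime as dt

# Activation window stated in the analysis: the sample exits outside it
# (after wiping PSReadline history, a tell for T1562.001).
WINDOW_START = dt.date(2022, 11, 9)
WINDOW_END = dt.date(2023, 4, 12)

# Product-model substrings named in the write-up (lower-cased for matching).
VM_MODEL_MARKERS = ("virtualbox", "vmware", "hyper-v")

# Constructed placeholder for the 187-entry hostname blocklist; the real
# list is not reproduced in the article.
SCANNER_HOSTNAMES = {"sandbox", "virustotal", "analysis-pc", "malware-vm"}


def evasion_tells(hostname, product_model, date_iso):
    """Return the checks (as described in the analysis) that would make the
    sample bail out on a host with these properties. An empty list means the
    sample would proceed to download its components."""
    today = dt.date.fromisoformat(date_iso)
    tells = []
    if not (WINDOW_START <= today <= WINDOW_END):
        tells.append("date outside activation window")
    model = product_model.lower()
    if any(marker in model for marker in VM_MODEL_MARKERS):
        tells.append("product model looks like a VM")
    if hostname.lower() in SCANNER_HOSTNAMES:
        tells.append("hostname on scanner/VM blocklist")
    return tells


def sandbox_would_detonate(hostname, product_model, date_iso):
    """Convenience wrapper: True when no evasion check fires."""
    return not evasion_tells(hostname, product_model, date_iso)


if __name__ == "__main__":
    # Constructed analysis-VM profile: a default VirtualBox guest with a
    # telltale hostname, detonated inside the date window.
    profile = ("SANDBOX", "VirtualBox", "2023-03-15")
    for tell in evasion_tells(*profile) or ["no evasion check fires"]:
        print(tell)
```

Because the sample's date window closed on 2023-04-12, an analyst re-running it today would also need to set the sandbox clock inside the window, which the first check above makes explicit.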


EvilExtractor doing device check (credits: Fortinet)

If the environment check passes, EvilExtractor downloads 3 different components from http://193[.]42[.]33[.]232. All the downloaded components are obfuscated using PyArmor. The files are



EvilExtractor collects files with extensions such as jpg, png, mp4, mp3 and pdf from the Desktop and Downloads directories. It also takes screenshots using the “CopyFromScreen” method.

Kodex Ransomware

Once executed, Kodex compresses the victim’s files with 7-zip. It writes the list of compressed file names to Encrypted_files.txt, then adds the compressed files to a password-protected archive that is dropped on the victim’s desktop.


The ransom note is displayed as an HTML page in the victim’s browser, with a 24-hour countdown timer, demanding payment to the attacker’s Bitcoin wallet address in exchange for a decryption key. A screenshot of the victim’s desktop showing the ransom note is captured and sent, together with Encrypted_files.txt, to the attacker’s EvilExtractor server over FTP. The FTP server used by the analyzed sample was at 89.117.169[.]78.


Kodex Ransomware notes (credits: Fortinet)

MITRE ATT&CK Identifiers

  • T1105 (Ingress Tool Transfer)
  • T1071.002 (File Transfer Protocols)
  • T1059.001 (PowerShell)
  • T1562.001 (Disable or Modify Tools)
  • T1497.001 (System Checks)

IOCs

IP Addresses:

  • 45.87.81.184
  • 193.42.33.232
  • 89.117.169.78

Files:

  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d

Email Address:

  • kodex@evilextractor.com
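The indicators above are only useful once they are matched against telemetry. The script below is an added example (not code from the article or from Fortinet) showing how a defender would sweep firewall/DNS log lines for the listed IPs and domain, flag outbound FTP regardless of destination (the T1071.002 exfiltration channel, so that new infrastructure is still caught), and check file SHA-256 digests against the hash list. The log lines and their format are constructed for the example; the IPs, domain and hashes are the ones listed in the article.

```python
import hashlib
import re

# Indicators as listed in the article.
IOC_IPS = {"45.87.81.184", "193.42.33.232", "89.117.169.78"}
IOC_DOMAINS = {"evilextractor.com"}
IOC_SHA256 = {
    "352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685",
    "023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e",
    "75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e",
    "826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45",
    "b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd",
    "17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d",
}

# Constructed log lines in a made-up key=value format; not real telemetry.
SAMPLE_LOGS = [
    "2023-04-01T10:02:11Z fw allow src=10.0.0.5 dst=193.42.33.232 dport=80 proto=tcp",
    "2023-04-01T10:03:40Z fw allow src=10.0.0.5 dst=89.117.169.78 dport=21 proto=tcp",
    "2023-04-01T10:05:02Z fw allow src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp",
    "2023-04-01T10:06:15Z dns query name=evilextractor.com src=10.0.0.9",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DPORT_RE = re.compile(r"\bdport=(\d+)\b")


def scan_log_line(line):
    """Return (timestamp, reason, value) findings for a single log line."""
    ts = line.split(" ", 1)[0]
    findings = []
    # Any IOC IP appearing anywhere in the line (src or dst) is a hit.
    for ip in sorted(set(IP_RE.findall(line)) & IOC_IPS):
        findings.append((ts, "ioc-ip", ip))
    lowered = line.lower()
    for domain in sorted(IOC_DOMAINS):
        if domain in lowered:
            findings.append((ts, "ioc-domain", domain))
    # Outbound FTP is the stealer's exfiltration channel; flag it even when
    # the destination is not yet a known indicator.
    m = DPORT_RE.search(line)
    if m and m.group(1) == "21":
        findings.append((ts, "ftp-egress", line))
    return findings


def scan_log_lines(lines):
    """Run scan_log_line over an iterable of lines, preserving order."""
    findings = []
    for line in lines:
        findings.extend(scan_log_line(line))
    return findings


def sha256_hex(data):
    """SHA-256 of a bytes object as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def is_ioc_hash(digest_hex):
    """True when the digest is one of the listed file indicators."""
    return digest_hex.strip().lower() in IOC_SHA256


def scan_file(path):
    """Hash a file on disk and report whether it matches an indicator."""
    with open(path, "rb") as fh:
        return is_ioc_hash(sha256_hex(fh.read()))


if __name__ == "__main__":
    for ts, reason, value in scan_log_lines(SAMPLE_LOGS):
        print(f"{ts} {reason}: {value}")
```

The IP and domain matches are exact-string checks, so feed the script un-defanged values; the hash check is case-insensitive because different tools emit upper- or lower-case hex.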

Conclusion

EvilExtractor is being employed as a tool for stealing many kinds of information while also offering other malicious capabilities, such as ransomware. Its PowerShell script evades detection by being wrapped in a .NET loader or obfuscated with PyArmor. The developer of this tool has been quick to update its many functions and improve its reliability.
