A new “all-in-one” stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale to other threat actors for stealing data and files from Windows systems.
“It includes several modules that all work via an FTP service,” Fortinet FortiGuard Labs researcher Cara Lin said. “It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server.”
The network security company said it has observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer.
Sold by an actor named Kodex on cybercrime forums like Cracked since October 22, 2022, it’s continually updated and packs in various modules to siphon system metadata, passwords, and cookies from various web browsers, record keystrokes, and even act as ransomware by encrypting files on the target system.
The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their “account details.”
The “Account_Info.exe” binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.
“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware,” Lin said. “Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability.”
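A defender-side triage check for the chain described above (a Base64-encoded PowerShell script whose purpose is uploading data over FTP), added here as an example and not taken from Fortinet's report or from the malware: it decodes Base64 runs found in PowerShell command lines and flags decoded scripts that reference FTP. The event fields, delivery via `-EncodedCommand`, the hint list, and the sample records are assumptions constructed for illustration.

```python
import base64
import re

# Runs of Base64 characters long enough to carry a script fragment.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings in a decoded script that point to FTP use (assumed hint list).
FTP_HINTS = re.compile(r"ftp://|FtpWebRequest", re.IGNORECASE)
POWERSHELL = ("powershell.exe", "pwsh.exe")

def decode_blob(blob):
    """Decode Base64 holding UTF-16LE or UTF-8 text; return None otherwise."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # wrong alphabet or padding: not a clean Base64 blob
        return None
    for encoding in ("utf-16-le", "utf-8"):
        text = raw.decode(encoding, errors="replace")
        # Wrong-encoding guesses yield NULs, CJK or U+FFFD, so demand ASCII.
        ascii_like = sum(c in "\r\n\t" or " " <= c <= "~" for c in text)
        if text and ascii_like / len(text) > 0.9:
            return text
    return None

def triage(events):
    """Return (index, reasons, decoded_scripts) for each suspicious event."""
    findings = []
    for index, event in enumerate(events):
        if not event["image"].lower().endswith(POWERSHELL):
            continue
        blobs = B64_RUN.findall(event["cmdline"])
        scripts = [s for s in map(decode_blob, blobs) if s]
        if scripts:
            ftp = any(FTP_HINTS.search(s) for s in scripts)
            reasons = ["base64_script"] + (["ftp_reference"] if ftp else [])
            findings.append((index, reasons, scripts))
    return findings

def _encode(script):  # builds constructed samples as UTF-16LE Base64
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"image": PS, "cmdline": "powershell.exe -NoProfile -EncodedCommand "
     + _encode("$u = 'ftp://files.example.invalid/in/'; Write-Output $u")},
    {"image": PS, "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"image": PS, "cmdline": "powershell.exe -EncodedCommand "
     + _encode("Get-ChildItem C:\\Temp | Measure-Object")},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

Encoded PowerShell on its own also appears in legitimate administration, so the `ftp_reference` reason is the part tied to the behaviour this report describes.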
The findings come as Secureworks Counter Threat Unit (CTU) detailed a malvertising and SEO poisoning campaign used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.
Bumblebee, first documented a year ago by Google’s Threat Analysis Group and Proofpoint, is a modular loader that’s primarily propagated through phishing techniques. It’s suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.
The use of SEO poisoning and malicious ads to redirect users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers has witnessed a spike in recent months after Microsoft began blocking macros by default from Office files downloaded from the internet.
In one incident described by the cybersecurity firm, the threat actor used the Bumblebee malware to obtain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software like AnyDesk and Dameware. The attack was ultimately disrupted before it proceeded to the final ransomware stage.
“To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites,” Secureworks said. “Users should not have privileges to install software and run scripts on their computers.”