EvilExtractor Stealer Malware Attacks Peaked in March 2023



The attack tool known as Evil Extractor, developed by a company called Kodex as an “educational tool,” has been used by threat actors to target Windows-based machines.

What Is EvilExtractor?

EvilExtractor malware affects Windows systems, and attackers utilize it mainly for stealing browser data and other sensitive information. Kodex released the malware in October 2022 and has since been updating it.

Further, Evil Extractor includes environment checking along with anti-virtual machine (VM) and anti-VirusTotal capabilities designed to avoid detection. The malware also has a ransomware function called “Kodex Ransomware.”

Most infections were caused by a phishing campaign in which attackers dropped a Python executable. Fortinet discovered several attacks masquerading as account confirmation requests, each with a gzip-compressed executable attachment. This executable is designed to look like a legitimate PDF or Dropbox file.

When the target opens the file, a PyInstaller-built executable runs and launches a .NET loader; the loader then starts the EvilExtractor executable via a base64-encoded PowerShell script.
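The encoded PowerShell step in that chain is something defenders can see in process-creation telemetry, because `-EncodedCommand` payloads are just base64 of the script in UTF-16LE. The following is an added detection example, not code from the article or from Fortinet: it pulls the `CommandLine` field out of constructed log lines, decodes any encoded PowerShell invocation, and lists cmdlets and switches inside it that a loader commonly uses. The log format, the `loader.exe` parent name, the `dropped.exe` path and the `SUSPICIOUS` list are assumptions made for the example.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The payload is base64 of the script encoded as UTF-16LE, so a plain ASCII decode
# of it shows NUL bytes between characters; we decode it as UTF-16LE below.
ENCODED_SWITCH = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
COMMANDLINE_FIELD = re.compile(r'CommandLine="([^"]*)"')

# Cmdlets and switches worth a second look inside an encoded script (assumed list):
# a loader that stages and starts a dropped executable typically uses some of them.
SUSPICIOUS = (
    "Start-Process",
    "Invoke-Expression",
    "IEX",
    "FromBase64String",
    "DownloadString",
    "DownloadFile",
    "Invoke-WebRequest",
    "-WindowStyle Hidden",
)


def encode_for_powershell(script: str) -> str:
    """Produce the -EncodedCommand form of a script (used here only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str):
    """Reverse the -EncodedCommand encoding; return None if the token is not valid."""
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_command_line(cmdline: str):
    """Return the decoded script and matched indicators for an encoded PowerShell
    invocation, or None when the command line is not one."""
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmdline, re.IGNORECASE):
        return None
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    if decoded is None:
        return None
    lowered = decoded.lower()
    indicators = [s for s in SUSPICIOUS if s.lower() in lowered]
    return {"decoded": decoded, "indicators": indicators}


def scan_log(lines):
    """Run inspect_command_line over process-creation log lines; keep only encoded invocations."""
    findings = []
    for line in lines:
        field = COMMANDLINE_FIELD.search(line)
        if not field:
            continue
        result = inspect_command_line(field.group(1))
        if result:
            result["line"] = line
            findings.append(result)
    return findings


# Constructed sample: a hidden-window launcher for a dropped binary (placeholder path),
# followed by a benign interactive command that must not be flagged.
SAMPLE_SCRIPT = "Start-Process -FilePath 'C:\\Users\\Public\\dropped.exe' -WindowStyle Hidden"
SAMPLE_LOG = [
    (
        "ts=2023-03-15T10:12:01Z host=WS01 ParentImage=loader.exe Image=powershell.exe "
        'CommandLine="powershell.exe -NoProfile -W Hidden -enc '
        + encode_for_powershell(SAMPLE_SCRIPT)
        + '"'
    ),
    (
        "ts=2023-03-15T10:12:05Z host=WS01 ParentImage=explorer.exe Image=powershell.exe "
        'CommandLine="powershell.exe -Command Get-Date"'
    ),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("encoded PowerShell:", finding["decoded"])
        print("indicators:", ", ".join(finding["indicators"]))
```

Decoding is the point: an alert on `-enc` alone is noisy, but the decoded script combined with an unusual parent process (a PyInstaller or .NET loader rather than a shell or admin tool) is a much stronger signal for this chain.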

The following modules are part of the EvilExtractor version used in these attacks:

  • Date time checking
  • Anti-Sandbox
  • Anti-VM
  • Anti-Scanner
  • FTP server setting
  • Steal data
  • Upload Stolen data
  • Clear log
  • Ransomware

“Users should be aware of this new info stealer and continue to be cautious about suspicious mail.”

IOCs

IP Addresses:

45[.]87[.]81[.]184
193[.]42[.]33[.]232

Files:

352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d
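The indicators above are published defanged (`[.]` in place of `.`), so they have to be normalised before they can be matched against telemetry. The following is an added example, not part of the article: it parses the IOC block as published, refangs the IP addresses, lowercases the SHA-256 hashes, and checks constructed network and file events against them. The event schema, host names, port and file paths are constructed for the example; only the IPs and hashes come from the article.

```python
import re

# IOC block copied from the article (defanged, exactly as published).
IOC_TEXT = """
IP Addresses:
45[.]87[.]81[.]184
193[.]42[.]33[.]232

Files:
352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d
"""

# Accept both defanged ("1[.]2[.]3[.]4") and plain dotted IPv4 notation.
IPV4 = re.compile(
    r"\b(\d{1,3})(?:\[\.\]|\.)(\d{1,3})(?:\[\.\]|\.)(\d{1,3})(?:\[\.\]|\.)(\d{1,3})\b"
)
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_iocs(text):
    """Extract IPv4 addresses (refanged) and SHA-256 hashes (lowercased) from an IOC listing."""
    ips = set()
    for m in IPV4.finditer(text):
        octets = m.groups()
        if all(int(o) <= 255 for o in octets):  # drop things that only look like IPs
            ips.add(".".join(octets))
    hashes = {h.lower() for h in SHA256.findall(text)}
    return {"ips": ips, "sha256": hashes}


def match_events(events, iocs):
    """Return one hit per event whose destination IP or file hash is in the IOC set."""
    hits = []
    for ev in events:
        if ev.get("type") == "network" and ev.get("dst_ip") in iocs["ips"]:
            hits.append({"host": ev["host"], "kind": "ip", "ioc": ev["dst_ip"], "event": ev})
        elif ev.get("type") == "file" and ev.get("sha256", "").lower() in iocs["sha256"]:
            hits.append({"host": ev["host"], "kind": "sha256", "ioc": ev["sha256"].lower(), "event": ev})
    return hits


# Constructed sample telemetry: one outbound connection to a listed IP, one benign
# connection, one file whose hash is listed (in upper case, as some tools report it),
# and one unrelated file.
SAMPLE_EVENTS = [
    {"type": "network", "host": "WS01", "dst_ip": "193.42.33.232", "dst_port": 21},
    {"type": "network", "host": "WS02", "dst_ip": "10.0.0.5", "dst_port": 443},
    {
        "type": "file",
        "host": "WS01",
        "path": "C:\\Users\\Public\\update.exe",
        "sha256": "352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685".upper(),
    },
    {"type": "file", "host": "WS03", "path": "C:\\Tools\\notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(f"{hit['host']}: {hit['kind']} match on {hit['ioc']}")
```

Because `parse_iocs` accepts both defanged and plain notation, the same function can be pointed at a vendor advisory and at an internal block list without a separate clean-up step; the hash comparison is case-insensitive so that reports from tools that emit upper-case digests still match.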
