A new data-stealing malware called EvilExtractor is available for sale and targets files from Windows systems.
"It includes several modules that all work through an FTP service," said Cara Lin, a researcher at Fortinet FortiGuard Labs. “It also contains environment control and Anti-VM features. Its main purpose appears to be to steal browser data and information from exposed endpoints and then upload it to the attacker's FTP server.”
The network security firm said it noticed a wave of attacks spreading the malware in March 2023, with the majority of victims located in Europe and the US. While EvilExtractor is marketed as an educational tool, it has been adopted by hackers as an information stealer.
The attack tool is sold by a hacker named Kodex on cybercrime forums such as Cracked που χρονολογείται από τις 22 Οκτωβρίου 2022. Ενημερώνεται συνεχώς και ενσωματώνει διάφορες ενότητες για να αποσπάσει μεταδεδομένα συστήματος, κωδικούς πρόσβασης και cookies από διάφορα προγράμματα περιήγησης στο διαδίκτυο, καθώς και να καταγράφει πληκτρολογήσεις και να ενεργεί ακόμη και ως ransomware encrypting files on the target system.
The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails trick recipients into launching an executable file disguised as a PDF document under the guise of confirming its “details their account".
The binary file “Account_Info.exe” is a stealth program Python που έχει σχεδιαστεί για την εκκίνηση ενός φορτωτή .NET που χρησιμοποιεί ένα PowerShell Base64 encoded script to start EvilExtractor. The malware, in addition to collecting files, can also activate the camera and capture screenshots.
"EvilExtractor is used as a comprehensive information thief with multiple malicious features, including ransomware," said Lin. “The PowerShell script can escape detection in a .NET or PyArmor loader. Within a very short period of time, its developer has updated several functions and increased its stability."
The findings come as Secureworks' Counter Threat Unit (CTU) details a malicious SEO campaign used to deliver the Bumblebee malware loader via rogue installers of legitimate software.
Bumbleebee, first reported a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that spreads primarily through phishing techniques. It is suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.
The use of malicious ads to redirect users looking for popular tools such as ChatGPT, Cisco AnyConnect, Citrix Workspace and Zoom to fake websites that host infected installation files has been on the rise in recent months, after Microsoft began blocking macros by default from Office files downloaded from the web.
In one incident described by the cybersecurity firm, the attacker used the Bumblebee malware to gain an entry point and later moved three hours later to attack with Cobalt Strike and legitimate remote access software such as AnyDesk and Dameware. The attack was eventually stopped before it progressed to the final ransomware stage.
