New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

Summary:
“A new ‘all-in-one’ stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. ‘It includes several modules that all work via an FTP service,’ Fortinet FortiGuard Labs researcher Cara Lin said. ‘It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server.’ The network security company said it has observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer” (The Hacker News, 2023).

Analyst comments:
EvilExtractor was first advertised for sale on cybercriminal forums on October 22, 2022. Since then, the malware has received several module updates to steal system data, passwords and browser cookies, and to record keystrokes entered by victims. In the latest campaign, uncovered by researchers on March 30, the malware was distributed as part of a large-scale phishing campaign in which email recipients were tricked into launching executables masquerading as PDF files named “Account_Info.” On closer examination, the executables were found to be an obfuscated Python program designed to launch a .NET loader, which in turn uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware was seen featuring the following modules in attacks:

Date time checking
Anti-Sandbox
Anti-VM
Anti-Scanner
FTP server setting
Steal data
Upload Stolen data
Clear log
Ransomware
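The loader chain above ends in a Base64-encoded PowerShell script. The following triage helper, added here as an example and not code from the article or from FortiGuard Labs, decodes such payloads out of process-creation telemetry so an analyst can read the script instead of the blob. It assumes the script is passed via PowerShell's -EncodedCommand switch (Base64 of UTF-16LE text), which the article does not state; the event records, parent name and decoded script content are constructed sample data.

```python
import base64
import re
from typing import Optional

# PowerShell accepts -EncodedCommand and its shortened forms (-enc, -ec, -e);
# the argument is Base64 of a UTF-16LE string. (Assumed invocation method.)
_ENC_SWITCH = re.compile(
    r"\s[-/](?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command; leave for manual review


def triage_process_events(events):
    """Return the parent image and decoded script for every event in which
    powershell.exe was started with an encoded command."""
    hits = []
    for ev in events:
        if "powershell" not in ev["image"].lower():
            continue
        script = decode_encoded_powershell(ev["cmdline"])
        if script is not None:
            hits.append({"parent": ev["parent"], "script": script})
    return hits


def _b64_utf16(script: str) -> str:
    """Encode a script the way PowerShell expects it (test-data helper)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry, not real logs. The first record mirrors the
# chain described above: a fake "Account_Info" executable spawning PowerShell
# with an encoded script; the other two are benign noise.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": "Account_Info.exe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _b64_utf16("Write-Output 'stage2 placeholder'")},
    {"parent": "explorer.exe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"parent": "svchost.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]
```

Run over real endpoint telemetry, the decoded script is what to match against FTP-upload or file-zipping behaviour rather than the opaque Base64 string.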


According to FortiGuard Labs, the latest EvilExtractor comes with a unique ransomware function dubbed “Kodex Ransomware,” which is capable of zipping victim files with a password. It also leaves behind a ransom note demanding that victims pay bitcoin (the amount varies per victim) to receive a decryption key.

Mitigation:
Users should adhere to the following recommendations:

Do not open emails or download software from untrusted sources
Do not click on links or attachments in emails that come from unknown senders
Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
Always verify the email sender's email address, name, and domain
Backup important files frequently and store them separately from the main system
Protect devices using antivirus, anti-spam and anti-spyware software
Report phishing emails to the appropriate security or IT staff immediately


Source:
https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html