+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

EvilExtractor Sold as ‘Educational Tool’ is Info Stealer

EvilExtractor is an info stealer malware tool designed for data theft attacks on Windows operating systems. Researchers at Fortinet’s threat research group FortiGuard Labs have published an analysis of this tool detailing the attack method for this malware, and its impact on its victims. The research concluded that although there are no specific industries targeted by this attack tool, most of the victims of this malware have been located in Europe and America. A key feature of this tool is the fact it has been marketed online both masquerading as a legitimate ‘educational tool’, and through promotion to threat actors on known hacking forums. This info stealer malware contains ransomware, credential extraction, and Windows Defender bypassing functionalities, and has been found to be actively used by cybercriminals in attacks. 

 

The NCSC (National Cyber Security Centre), a branch of GCHQ, have recently published the report “The threat from commercial cyber proliferation” which concluded that  

Commercial cyber tools and services lower the barrier to entry to state and non-state actors in obtaining cost-effective capability and intelligence they would not otherwise be able to develop or acquire themselves. This commercial proliferation will almost certainly be transformational on the cyber landscape.”  

 

In the case of EvilExtractor malware this is even more likely to be true, as the creator company Kodex continue to claim it is an educational tool, and therefore was able to market it as a legitimate tool despite its functionality as attack software. It can even be located through Google searches due to this claim, where the website description states “Evil Extractor is an attack software developed by Kodex for Windows-based operating systems. It offers two modes of operation: Single Bullet and RAT” and links to a now unavailable site, evilextractor[.]com 

 

The attacks conducted in the wild using EvilExtractor begin with a phishing email that appeared like an account confirmation request. This email contains an attachment of a gzip-compressed executable file, that is disguised as a legitimate attachment through the use of the Adobe PDF icon image within the email. This attachment contains a Python program with the obfuscating PYARMOR string within its main code, used to make the malware harder to detect or analyse. A .NET loader was also found by researchers alongside this Python program that could be used to extract the EvilExtractor PowerShell script. The tool PS2EXE-GUI was used to generate the execution file, by converting PowerShell scripts to .EXE executable files. 

 

The EvilExtractor PowerShell script contains 7 modules: Date time checking, Anti-Sandbox, Anti-VM, Anti-Scanner, FTP server setting, Steal data, Upload Stolen data, and Clear log. Before beginning malicious actions, the EvilExtractor script checks the system’s date to see if it is between 2022-11-09 and 2023-04-12. This, along with a check for the product model to see if it matches any known virtual machine products, and a hostname check against a list of VirusTotal, scanner, or virtual machines, are used by the program to determine whether or not it is running in a sandbox or a virtual environment. If the system does not match the set of requirements specified in the script for the attack to continue then it deletes the data within the PSReadline and terminates. 

 

If the conditions for the attack to continue are satisfied, the EvilExtractor downloads three additional components from an identified source IP, which are Python programs obfuscated with PyArmor, used for data stealing. The first file is KK2023.zip which can extract cookies from Google Chrome, Microsoft Edge, Opera, and Firefox browsers, and steal browser history data and passwords from a range of browsers including Google Chrome and Microsoft Edge. The stolen browser data is then saved into the folder IMP_Data. The second file Confirm.zip is a keylogger that is deployed on the victim’s machine and saves the data it collects from keyboard inputs into the folder KeyLogs. The third file is MnMs.zip which is a webcam extractor that can activate the webcam on the machine to capture video or images.  

 

System information is also collected via a PowerShell script and stored in the text file Credentials.txt. other files located in the Desktop and Download folders are also selected for exfiltration based on their file extension. Some of the extensions included in this data gathering process are jpg, png, jpeg, mp4, mpeg, mp3, avi, txt, rtf, xlsx, docx, pptx, pdf, rar, zip, 7z, csv, xml, and html. The command CopyFromScreen is also used for further data gathering, which causes a screenshot of the machine to be taken. Once all the data has been gathered and saved, it is uploaded to an FTP server controlled by the attacker. This server is a part of the service offered by the sellers of EvilExtractor when they market their malware. 

 

The original EvilExtractor .NET loader from the Python program in the phishing email also contains a ransomware function, called Kodex Ransomware. This is another PowerShell script which downloads a file from evilextractor[.]com called zzyy.zip. This is a 7-zip standalone console file that encrypts files using an executable called 7za.exe. Files are encrypted by zipping them with a password, which is enacted through the parameter -p in this executable. A ransom note is also produced to inform the victims of the file encryption that has taken place and demand payment in BTC before a decryption key will be released. The ransom message generated also contains a timer that counts down to a limit set by the attackers to add pressure to the victims, claiming that once the timer expires they will not ever be able to access their encrypted files again. 

 

Since its first appearance in October 2022, EvilExctractor malware and ransomware has had many additional malicious features added by the developer, and it continues to be a threat, with attacks using this tool peaking last month in March 2023. Having an antivirus or endpoint detection and prevention system on your devices that can efficiently block malicious URLs in real time can help protect your devices from these sorts of commercial attack tools. A list of indicators of compromise including known URLs and IPs associated with this attack tool can be found in FortiGuard Lab’s analysis blog post.  

 

However, with the commercial proliferation and the constant evolution of these attack tools and their capabilities, the best way to prevent falling victim to these attacks is not by blocking the URLs and IPs involved (which can change quickly), but by preventing them from being installed on your device in the first place, through vigilant checking of emails for potential phishing attempts. Education of staff to spot and alert IT security teams about potential phishing emails is an essential form of protection for your network alongside the technical controls offered by next generation firewalls and endpoint protection software. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top