Rewterz Threat Alert – New All-in-One Stealer ‘EvilExtractor’ Campaign Targets Windows User Data – Active IOCs

Severity

High

Analysis Summary

A new type of malware called EvilExtractor is being marketed for sale to other threat actors as an “all-in-one” stealer malware. The malware is designed to steal data and files from Windows systems, and has been observed in a surge of attacks in March 2023, primarily targeting victims in Europe and the U.S.

“It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server.” mentioned in the blog

Despite being marketed as an educational tool, EvilExtractor has been adopted by threat actors as an information stealer, which is a cause for concern. These malware attacks can be highly disruptive, compromising sensitive data and causing significant financial and reputational damage to individuals and organizations.

This all-in-one stealer malware has surfaced on the dark web and is being sold by an actor named Kodex on cybercrime forums like Cracked since October 22, 2022. The malware is continually updated and contains various modules to steal system metadata, passwords, and cookies from various web browsers. Additionally, it can record keystrokes and even act as ransomware by encrypting files on the target system.

The malware was also allegedly used in a phishing email campaign spotted by the company on March 30, 2023. The malicious file masquerades as a request for account confirmation. In addition, the attacker dupes the user by utilising an Adobe PDF icon for the decompressed file.

Based on the analysis, it appears that the “Account_Info.exe” binary is an obfuscated Python program that is designed to launch a .NET loader. This loader uses a Base64-encoded PowerShell script to launch the EvilExtractor malware. In addition to stealing files, the malware is capable of activating the webcam and capturing screenshots.

EvilExtractor downloads three components from http://193[.]42[.]33[.]232 used to steal data, after passing the environment check. These are other Python programmes that have been obfuscated with PyArmor. The first is “KK2023.zip,” which is used to steal browser data and save it in the “IMP_Data” folder. Cookies from Google Chrome, Microsoft Edge, Opera, and Firefox can be extracted. It also gathers browsing history and passwords from the browsers.

Additionally, EvilExtractor makes use of a PowerShell script to obtain gadget information.

“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability”, they conclude

Impact

• Sensitive Information Theft
• File Encryption

Indicators of Compromise

MD5

• 1afb46290a59305692953cc04cdf6749
• 9650ac3a9de8d51fddab092c7956bdae
• fb970c4367609860c2e5b17737a9f460
• 7844aa5b234d28d70888cf660b428972
• 163d4e2d75f8ce6c838bab888bf9629c

SHA-256

• 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
• 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
• 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
• 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
• b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd

SHA-1

• d76da6653d8d774653ab21c34ce118a911a99044
• f52b9ec5b9629a746c679394953dc56407b8a419
• c4294d92364eb8dd6736448e3767fc827015873d
• f7ecc96fd43b2e3fa898befd21c446f48888412d
• fbbd9999d3078b4047b3282f186b4ee86e0a3cc7

IP

• 45.87.81.184
• 193.42.33.232

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Update your antivirus software: Make sure your antivirus software is up-to-date and run a full system scan to detect and remove any malicious files associated with the “EvilExtractor” stealer.
• Change your passwords: If you suspect that your passwords may have been compromised, it is important to change them immediately. Use strong, unique passwords for each account and enable two-factor authentication wherever possible.
• Disable any suspicious processes: Use the Windows Task Manager to check for any suspicious processes running on your system and disable them. Look for any processes that are using a lot of CPU or memory resources or that you don’t recognize.
• Backup your data: Make sure you have a backup of all important data and files, in case the malware has caused any damage or encryption.
• Stay vigilant: Keep an eye out for any suspicious activity on your system and avoid downloading or opening any suspicious files or links.