www.fortinet.com
Open in
urlscan Pro
3.123.216.247
Public Scan
URL:
https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
Submission: On May 31 via api from DE — Scanned from DE
Submission: On May 31 via api from DE — Scanned from DE
Form analysis
1 forms found in the DOMGET /blog/search
<form class="b3-searchbox__form" action="/blog/search" method="get">
<input class="b3-searchbox__input" type="text" name="q" placeholder="Search Blogs">
<button class="b3-searchbox__icon" aria-label="Search" type="submit">
<svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
<path
d="M15.688 14.18l-4.075-4.075C12.36 9.06 12.8 7.78 12.8 6.4 12.8 2.87 9.93 0 6.4 0 2.87 0 0 2.87 0 6.4c0 3.53 2.87 6.4 6.4 6.4 1.38 0 2.66-.44 3.705-1.187l4.075 4.075c.207.208.48.312.753.312.274 0 .547-.104.755-.312.416-.417.416-1.093 0-1.51zM2.133 6.4c0-2.357 1.91-4.267 4.267-4.267s4.267 1.91 4.267 4.267-1.91 4.267-4.267 4.267S2.133 8.757 2.133 6.4z"
fill="#fff">
</path>
</svg>
</button>
</form>
Text Content
Blog * Categories * Business & Technology * FortiGuard Labs Threat Research * Industry Trends * Partners * Customer Stories * PSIRT Blogs * Business & Technology * FortiGuard Labs Threat Research * Industry Trends * Partners * Customer Stories * PSIRT Blogs * CISO Collective * Subscribe FortiGuard Labs Threat Research EVILEXTRACTOR – ALL-IN-ONE STEALER By Cara Lin | April 20, 2023 Affected platforms: Windows Impacted parties: Any organization Impact: Controls victim’s device and collects sensitive information Severity level: Critical EvilExtractor (sometimes spelled Evil Extractor) is an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. It includes several modules that all work via an FTP service. It was developed by a company named Kodex, which claims it is an educational tool. However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info stealer. Based on our traffic source data to the host, evilextractor[.]com, malicious activity increased significantly in March 2023. FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog. It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities. It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server. We recently reviewed a version of the malware that was injected into a victim’s system and, as part of that analysis, identified that most of its victims are located in Europe and America. The developer released its project in October 2022 (Figure 1) and has kept updating it to increase its stability and strengthen its module. This article will examine the initial attack method used to deliver EvilExtractor and its functions. Figure 1. EvilExtractor for sale on the web INITIAL ACCESS The phishing email with the malicious attachment is shown in Figure 2. It is disguised as an account confirmation request. The attacker also tricks the victim by using an Adobe PDF icon for the decompressed file. The PE header is shown in Figure 3. Figure 2. The phishing email Figure 3. File header of "Account_Info.exe" The execution file is a Python program packaged by PyInstaller. We extracted it with pyinstxtractor and found that the “PYARMOR” string in its main code file “contain.pyc”, shown in Figure 4, is an obfuscating tool for Python script that makes the malware harder to be analyzed and detected. We extracted the key and iv from _pytransform.dll and decrypted the “contain.pyc” using AES-GCM. Figure 4. Code in "contain.pyc" In addition to the Python program, we observed a .NET loader that can extract EvilExtractor. Figure 5 is part of the code. It contains Base64-encoded data, which is a PowerShell script. This execution file is generated from the tool “PS2EXE-GUI”, which can convert PowerShell scripts to EXE Files. Figure 5. .Net Code for EvilExtractor EVILEXTRACTOR After decrypting the pyc file, we get the primary code of EvilExtractor. It is a PowerShell script that contains the following modules: * Date time checking * Anti-Sandbox * Anti-VM * Anti-Scanner * FTP server setting * Steal data * Upload Stolen data * Clear log It first checks whether the system’s date is between 2022-11-09 and 2023-04-12. If not, it uses the following command to delete the data in PSReadline and terminate: DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force –Recurse Copy It then compares the product model to see if it matches any of the following: VirtualBox, VMWare, Hyper-V, Parallels, Oracle VM VirtualBox, Citrix Hypervisor, QEMU, KVM, Proxmox VE, or Docker, as shown in Figure 6. It also checks the victim’s hostname against 187 names from VirusTotal machines or other scanner/virtual machines, as shown in Figure 7. Figure 6. EvilExtractor comparing product model for match Figure 7. Virtual environment and scanner/virtual machine checking After passing the environment check, EvilExtractor downloads three components from http://193[.]42[.]33[.]232 used for stealing data. These files are also Python programs that are obfuscated using PyArmor. The first is “KK2023.zip”, which is used for stealing browser data and saving it in the folder “IMP_Data”. It can extract cookies from Google Chrome, Microsoft Edge, Opera, and Firefox. It also collects browser history and passwords from the following browsers: The second file is “Confirm.zip”. It is a key logger that saves data in the “KeyLogs” folder. The last file, “MnMs.zip”, is a webcam extractor. Its corresponding code is shown in Figure 8. Figure 8. Download components for the Keylogger and Webcam Snapshot functions EvilExtractor also collects system information by PowerShell script, shown in Figure 9. Figure 10 shows the concatenated data in a text file called “Credentials.txt”. Figure 9. PowerShell script for collecting system information Figure 10. Content of “Credentials.txt” EvilExtractor downloads files with specific extensions from the Desktop and Download folders, including jpg, png, jpeg, mp4, mpeg, mp3, avi, txt, rtf, xlsx, docx, pptx, pdf, rar, zip, 7z, csv, xml, and html. It also uses the command “CopyFromScreen” to capture a screenshot. The code is shown in Figure 11. Figure 11. Downloading files and getting a screenshot After EvilExtractor extracts all the data from the compromised endpoint, it uploads it to the attacker’s FTP server, shown in Figure 12. The developer of EvilExtractor also provides an FTP server for those who purchase its malware. Figure 12. Upload file to attacker’s FTP server KODEX RANSOMWARE EvilExtractor also has a ransomware function. It is called “Kodex Ransomware”, as shown in Figure 13. We extracted this PowerShell script from the .Net loader mentioned in the previous section, and the script for its ransomware is similar to the one for its stealer. Figure 13. Introduction form evilextracom[.]com It downloads “zzyy.zip” from evilextractor[.]com. Details of the unzipped file, a 7-zip standalone console, are shown in Figure 14. Figure 15 shows it leverages “7za.exe” to encrypt files with the parameter “-p”, which means zipping files with a password. It also generates a ransom-demanding message saved in “KodexRansom”, shown in Figure 16. Figure 14. File in "zzyy.zip" Figure 15. PowerShell script for Kodex Ransomware Figure 16. Kodex ransomware's note CONCLUSION EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability. This blog explains how threat actors launch an attack via phishing mail and what files are leveraged to extract the EvilExtracrtor PowerShell script. We also detailed what functions are included, what data can be collected by EvilExtractor, and how the Kodex Ransomware works. Users should be aware of this new info stealer and continue to be cautious about suspicious mail. Figure 17. Attack Chain FORTINET PROTECTIONS The malware described in this report are detected and blocked by FortiGuard Antivirus as: W32/EvilExtractor.A!tr W32/Infostealer.A!tr W32/Keylogger.A!tr The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected. The FortiGuard Web Filtering Service blocks the malicious URL and IP address. If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team. IOCS IP ADDRESS: 45[.]87[.]81[.]184 193[.]42[.]33[.]232 FILES: 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45 b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d Tags: attack research, email phishing, infostealer RELATED POSTS FortiGuard Labs Threat Research NEWLY DISCOVERED INFOSTEALER ATTACK USES LOKIBOT FortiGuard Labs Threat Research MORE SUPPLY CHAIN ATTACKS VIA NEW MALICIOUS PYTHON PACKAGES IN PYPI FortiGuard Labs Threat Research NEW LOKI VARIANT BEING SPREAD BY PHISHING EMAIL * * * * * * NEWS & ARTICLES * News Releases * News Articles SECURITY RESEARCH * Threat Research * FortiGuard Labs * Threat Map * Ransomware Prevention CONNECT WITH US * Fortinet Community * Partner Portal * Investor Relations * Product Certifications COMPANY * About Us * Exec Mgmt * Careers * Training * Events * Industry Awards * Social Responsibility * CyberGlossary * Sitemap * Blog Sitemap CONTACT US * (866) 868-3678 Subscribe Copyright © 2023 Fortinet, Inc. All Rights Reserved Terms of Services Privacy Policy | Cookie Settings Also of Interest * Why ZTNA in the Cloud Isn't Enough * Converging NOC & SOC starts with FortiGate * DOJ & Top Security Threats * Pay Ransomware Settlements? COOKIE PREFERENCE CENTER * YOUR PRIVACY * STRICTLY NECESSARY COOKIES * PERFORMANCE COOKIES * FUNCTIONAL COOKIES * TARGETING COOKIES YOUR PRIVACY When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking certain cookies in the Functional category may impact your experience of the site and the services we are able to offer. privacy policy STRICTLY NECESSARY COOKIES Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. Cookies Details PERFORMANCE COOKIES Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. Cookies Details FUNCTIONAL COOKIES Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookies Details TARGETING COOKIES Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Cookies Details BACK BUTTON BACK Vendor Search Filter Button Consent Leg.Interest checkbox label label checkbox label label checkbox label label * 33ACROSS 33ACROSS View Third Party Cookies * Name cookie name Clear checkbox label label Apply Cancel Confirm My Choices Allow All COOKIE SETTINGS By clicking “Accept All”, you agree to use of cookies on your device to enhance site functionality, analyze site usage, and assist in our marketing efforts. The Cookies Settings link has cookie-specific detail and preference options. privacy policy Reject All Accept All Cookies Settings