Evil Extractor Targets Windows In Recent Phishing Campaign

Researchers observed malicious use of a self-claimed educational tool, “Evil Extractor,” for stealing data. They found the threat actors abusing Evil Extractor as an infostealer against Windows systems to extract stored information from web browsers.


Evil Extractor Infostealer Targets Windows

According to a recent report from Fortinet’s FortiGuard Labs, an active phishing campaign targets Windows users with the Evil Extractor infostealer.

Although Kodex – the Evil Extractor developer – claims the tool to be solely educational, the researchers discovered its malicious use in recent attacks.

As explained on its website, Evil Extractor is Windows hacking software with a wide range of intrusive functionalities.

The tool offers two operation modes: Single Bullet and RAT. The “Single Bullet” mode provides six attack types that execute via FTP, whereas the “RAT” mode gives unrestricted access to the target device. Using the RAT mode allows the attacker to access the device camera, upload, download, or delete files, take screenshots, and more.

It also exhibits keylogging, credential stealing, and information theft capabilities and can bypass Windows Defender. Moreover, it leaves no traces on the victim’s machine, which lets it keep persistent access to the device without raising alerts.

The researchers detected its active malicious use after noticing a high traffic flow to the tool’s website. Regarding the malicious campaign, FortiGuard explained that the attack begins via phishing emails containing maliciously crafted files. While the file initially looks legitimate, it triggers PowerShell activity after download.

In addition, it evades security checks via its anti-VM and environment-checking functions. Once those checks pass, the malware starts stealing stored information from web browsers, which it then transmits to the attacker’s FTP server. The stolen data includes login credentials, browsing history, and other data, and the targeted browsers include Google Chrome, Mozilla Firefox, Opera, and Microsoft Edge. The tool also extracts sensitive device information, including the system specifications, hardware components, and device identifiers.
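For defenders, the behaviour described above (a non-browser process reading browser credential stores, then sending data out over FTP) can be hunted for by correlating endpoint telemetry. The following is an added example, not code from FortiGuard or from the original article; the event schema, host names, sample events and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Credential-store file names of the browsers the article lists
# (Chrome, Edge and Opera share Chromium's "Login Data"; Firefox uses logins.json/key4.db).
CRED_FILES = ("login data", "logins.json", "key4.db")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window
CHROME = r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX = r"C:\Users\b\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"

# Constructed sample telemetry in a hypothetical schema (not real logs).
EVENTS = [
    {"ts": "2023-04-20T09:00:05", "host": "WS-01", "proc": "chrome.exe",
     "type": "file_read", "target": CHROME},             # browser reading its own store
    {"ts": "2023-04-20T09:10:00", "host": "WS-02", "proc": "powershell.exe",
     "type": "file_read", "target": CHROME},
    {"ts": "2023-04-20T09:10:02", "host": "WS-02", "proc": "powershell.exe",
     "type": "file_read", "target": FIREFOX},
    {"ts": "2023-04-20T09:11:30", "host": "WS-02", "proc": "powershell.exe",
     "type": "net_connect", "dest": "203.0.113.10", "dport": 21},
    {"ts": "2023-04-20T09:20:00", "host": "WS-03", "proc": "filezilla.exe",
     "type": "net_connect", "dest": "198.51.100.7", "dport": 21},  # FTP, no store read
    {"ts": "2023-04-20T08:00:00", "host": "WS-04", "proc": "backup.exe",
     "type": "file_read", "target": CHROME},
    {"ts": "2023-04-20T09:00:00", "host": "WS-04", "proc": "backup.exe",
     "type": "net_connect", "dest": "198.51.100.7", "dport": 21},  # outside window
]

def find_exfil_candidates(events, window=WINDOW):
    """Flag non-browser processes that read a browser credential store
    and then open an outbound FTP (TCP/21) connection within `window`."""
    reads, hits = {}, []   # reads: (host, proc) -> [(time, path)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, proc = datetime.fromisoformat(ev["ts"]), ev["proc"].lower()
        key = (ev["host"], proc)
        if proc in BROWSERS:
            continue
        if ev["type"] == "file_read" and ev["target"].lower().endswith(CRED_FILES):
            reads.setdefault(key, []).append((ts, ev["target"]))
        elif ev["type"] == "net_connect" and ev["dport"] == 21:
            recent = [p for t, p in reads.get(key, []) if ts - t <= window]
            if recent:
                hits.append((ev["host"], proc, recent, ev["dest"]))
    return hits

if __name__ == "__main__":
    for host, proc, files, dest in find_exfil_candidates(EVENTS):
        print(f"{host}: {proc} read {len(files)} credential store(s), then FTP to {dest}")
```

In a real deployment the same correlation would run over the organisation's own file-access and network-connection logs, with the window and the browser allowlist tuned to local software.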

The researchers also highlighted Evil Extractor’s ransomware capabilities, which can be devastating if exploited in the wild.

Presently, the attacks seem focused on users in Europe and the USA. Nonetheless, it isn’t impossible for this technique to gain more negative attention and spread to other countries.

Vigilance Is The Key To Prevent Such Attacks

While Evil Extractor possesses advanced malicious and stealth capabilities, it isn’t impossible to prevent since it still requires user input to reach a target device.

For instance, in the phishing scenario that FortiGuard explained, the victim loses their machine to the attacker right after clicking or downloading the maliciously crafted document in the phishing email.

Therefore, staying vigilant remains a crucial protective measure for users. Users must avoid interacting with unsolicited emails, messages, and audio files, and clicking on web links, regardless of the apparent urgency. In case of ambiguity, users must contact the supposed sender via another source to validate the email or message’s legitimacy.
