Researchers at Fortinet FortiGuard Labs have identified a new all-in-one information stealer for Windows known as EvilExtractor that is being advertised on dark web cybercrime forums. The tool, developed by a company named Kodex, was created for educational purposes but is being used maliciously by cybercriminals. It can exfiltrate data via an FTP service and has anti-virtual machine capabilities.
According to the report published by Fortinet, the tool was used in a phishing email campaign in March 2023, with most of the infections reported in Europe and the US.
The malware can steal sensitive data from infected endpoints, including browser history, passwords, cookies, and other data, and has the ability to record keystrokes, activate webcams, and capture screenshots. The malware also has a ransomware function called Kodex Ransomware.
The tool is sold on cybercrime forums by an actor using the name Kodex, who released the project in October 2022 and continuously updates it by releasing new modules with new features. It pretends to be legitimate files, such as Adobe PDFs or Dropbox files, but once loaded, it begins to leverage PowerShell malicious activities.
The Account_Info.exe file launches a .NET loader that uses a Base64-encoded PowerShell script to execute the EvilExtractor malware.
The report concludes that users should be aware of this new information stealer and cautious about suspicious emails. EvilExtractor is a comprehensive information stealer with multiple malicious features, including ransomware.
Its PowerShell script can elude detection in a .NET loader or PyArmor, and the developer has already updated several functions to increase its stability.