EvilExtractor – All-in-One Stealer | FortiGuard Labs

EvilExtractor is a Windows-focused info stealer with modular components that exfiltrate browser data, credentials, and system information to an attacker’s FTP server, and it includes a Kodex ransomware capability. FortiGuard Labs links its phishing delivery, PowerShell-based execution, anti-VM checks, and ongoing updates to the malware. #EvilExtractor #KodexRansomware #FortiGuardLabs #PyArmor

Keypoints

  • EvilExtractor is an info stealer that targets Windows endpoints and exfiltrates the data it collects over FTP to an attacker-controlled server.

MITRE Techniques

  • [T1566.001] Phishing – The malicious attachment arrives in a phishing email disguised as an account confirmation request (Figure 2 of the report). – “The phishing email with the malicious attachment is shown in Figure 2. It is disguised as an account confirmation request.”
  • [T1059.001] PowerShell – Once the initial loader runs, execution continues through PowerShell scripts. – “…begins to leverage PowerShell malicious activities.”
  • [T1027] Obfuscated/Compressed Files and Information – The main code file contain.pyc is obfuscated with PyArmor, which hampers analysis and detection. – “the ‘PYARMOR’ string in its main code file ‘contain.pyc’, … is an obfuscating tool for Python script that makes the malware harder to be analyzed and detected.”
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM/Anti-Sandbox/Anti-Scanner checks are performed. – “Virtual environment and scanner/virtual machine checking”
  • [T1082] System Information Discovery – It inspects system attributes such as the product model and hostname to recognise virtual machines and analysis systems. – “checks the victim’s hostname against 187 names from VirusTotal machines or other scanner/virtual machines”
  • [T1105] Ingress Tool Transfer – Downloads three components from a remote host for data stealing. – “downloads three components from http://193[.]42[.]33[.]232 used for stealing data.”
  • [T1056.001] Keylogging – The Confirm.zip component is a keylogger that writes captured keystrokes to a KeyLogs folder. – “It is a key logger that saves data in the ‘KeyLogs’ folder.”
  • [T1125] Video Capture – MnMs.zip functions as a webcam extractor. – “webcam extractor”
  • [T1113] Screen Capture – It uses CopyFromScreen to capture a screenshot. – “CopyFromScreen to capture a screenshot.”
  • [T1555.003] Credentials from Web Browsers – It extracts cookies and browser data (and passwords). – “It can extract cookies from Google Chrome, Microsoft Edge, Opera, and Firefox. It also collects browser history and passwords…”
  • [T1048] Exfiltration Over Unencrypted/Obfuscated Non-C2 (FTP) – Data is uploaded to the attacker’s FTP server. – “uploads it to the attacker’s FTP server.”
  • [T1486] Data Encrypted for Impact – Kodex Ransomware encrypts files using 7za.exe and creates a ransom note. – “It leverages ‘7za.exe’ to encrypt files with the parameter ‘-p’… Kodex ransomware’s note”
  • [T1070.001] Clear Windows Event Logs – The malware includes a function to clear logs. – “Clear log”

Indicators of Compromise

  • [IP Address] – 45.87.81.184, 193.42.33.232 – Remote hosts used for data exfiltration/downloads
  • [File hash] – 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685, 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e and 5 more hashes
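
As an added defensive example (not code from the FortiGuard report), the following Python runs simple detection logic for three behaviours described in the technique list above: 7za.exe creating a password-protected archive (T1486), connections to the two indicator addresses listed here, and FTP connections initiated by a script host (T1048). The telemetry format and the sample log lines are constructed for this example; only the IP addresses come from the report.

```python
import re

# The two remote hosts listed as indicators in this report.
IOC_IPS = {"45.87.81.184", "193.42.33.232"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe"}

# Constructed sample telemetry (not from the report). PROC = process creation,
# NET = outbound connection; fields are key=value, values with spaces quoted.
SAMPLE_LOG = r"""
PROC pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\run.ps1"
PROC pid=4188 image=C:\Users\u\AppData\Local\Temp\7za.exe cmdline="7za.exe a -pSecret123 C:\Users\u\Documents\docs.7z C:\Users\u\Documents\*"
NET pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=193.42.33.232 dport=80
NET pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=45.87.81.184 dport=21
PROC pid=5002 image="C:\Program Files\7-Zip\7z.exe" cmdline="7z.exe x C:\Users\u\Downloads\tool.7z"
NET pid=6100 image="C:\Program Files\FileZilla\filezilla.exe" dst=203.0.113.10 dport=21
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one record into its type and a dict of its key=value fields."""
    kind, _, rest = line.partition(" ")
    return kind, {k: q or u for k, q, u in FIELD_RE.findall(rest)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(log_text):
    """Return (pid, technique, reason) alerts for the telemetry text."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        kind, f = parse_line(line)
        exe = basename(f.get("image", ""))
        if kind == "PROC" and exe in ("7za.exe", "7z.exe"):
            argv = f.get("cmdline", "").split()
            # Kodex encrypts by adding files to a password-protected archive:
            # the "a" command followed by a "-p<password>" switch. Extraction ("x") is benign.
            if len(argv) > 2 and argv[1] == "a" and any(a.startswith("-p") for a in argv[2:]):
                alerts.append((f["pid"], "T1486", f"password-protected archive created by {exe}"))
        elif kind == "NET":
            if f.get("dst") in IOC_IPS:
                alerts.append((f["pid"], "T1105/T1048", f"connection to IoC host {f['dst']}"))
            elif f.get("dport") == "21" and exe in SCRIPT_HOSTS:
                # FTP from a script interpreter is unusual; a real FTP client is not flagged.
                alerts.append((f["pid"], "T1048", f"FTP connection initiated by {exe}"))
    return alerts

if __name__ == "__main__":
    for pid, technique, reason in detect(SAMPLE_LOG):
        print(f"pid={pid} {technique}: {reason}")
```

Against the sample telemetry this yields three alerts (the archive creation and the two IoC connections) and stays silent on the ordinary 7-Zip extraction and the FileZilla FTP session.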

Read more: https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer