Evil Extractor malware targets Windows devices to steal data


Researchers have detected a dangerous new malware strain making the rounds on the internet, stealing victims' sensitive data and, in some cases, deploying ransomware as well.

The malware, dubbed Evil Extractor, was discovered by cybersecurity researchers at Fortinet, who published their findings in a blog post, noting it was developed and distributed by a company called Kodex, and is being advertised as an “educational tool”.

“FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog,” the researchers said. “It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities.” 

Avoiding detection

These malicious activities include an environment-analysis module and an infostealer. The malware first checks that it is not being run in a honeypot, then collects as much sensitive information from the endpoint as it can and uploads it to the threat actor's FTP server. It also carries a ransomware module.

Called Kodex Ransomware, that module downloads zzyy.zip from evilextractor[.]com. The archive carries 7za.exe, the standalone 7-Zip command-line tool, which the malware runs with the "-p" switch. That switch sets an archive password, so the victim's files are compressed into password-protected archives rather than encrypted with a purpose-built cipher, and the password is what the attackers withhold.

As is typical for ransomware, the malware then leaves a ransom note demanding $1,000 in Bitcoin in exchange for the decryption key. "Otherwise, you cannot reach your files forever", the message reads.

The malware mostly targets victims in the West, according to the researchers. "We recently reviewed a version of the malware that was injected into a victim's system and, as part of that analysis, identified that most of its victims are located in Europe and America," Fortinet said.

It is not known whether the operators have managed to deploy the ransomware successfully anywhere, or how many victims they have had to date.

Via: Infosecurity Magazine

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.