
New All-in-One “EvilExtractor” Stealer Marketed on the Dark Web

EvilExtractor, a new stealer malware being marketed for sale, is enabling threat actors to steal data and files from Windows systems. Here’s what you need to know.

What is the situation?

In March 2023, Fortinet observed a surge in attacks spreading EvilExtractor in the wild, primarily against victims in Europe and the U.S. Though advertised as an educational tool, EvilExtractor has been adopted by threat actors as an information stealer.

The malware targets Windows systems and comprises seven attack modules that use an FTP service for exfiltration: password and cookie extractor, screen and webcam extractor, credential extractor, keylogger, desktop extractor, all-in-one extractor (combining the previous extractor options) and Kodex ransomware. Purchasers receive one month of access to an FTP server.

In October 2022, a user named “EvilExtractor” (also known as “Kodex”) on the underground forums Cracked and Nulled started selling EvilExtractor. The seller claims that, upon execution, each module adds itself to the Windows Defender exclusion list and runs silently in the background, and that the malware is capable of UAC bypass. The package also ships with a binder and an encrypter. Unlike typical ransomware, Kodex Ransomware does not encrypt files individually; instead, it compresses them into a password-protected archive whose password is a randomly generated 50-character key.
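The self-exclusion and FTP exfiltration behaviour described above gives defenders two cheap host-level checks. The PowerShell below is an added example for this brief, not code from Nuspire or from the malware author: it lists current Defender exclusions and flags any that point into user-writable locations, pulls the last week of Defender configuration-change events (Event ID 5007) that touch exclusions, and lists live outbound connections to TCP port 21. The list of suspicious path roots and the 7-day window are assumptions chosen for illustration; run it as a local administrator on a Windows 10/11 or Server host with Microsoft Defender.

```powershell
# Added example (not from the Nuspire post or the EvilExtractor author).
# Hunts for the Defender self-exclusion and FTP exfiltration behaviour
# attributed to EvilExtractor. Requires local administrator rights.

# Path fragments that a legitimate exclusion rarely needs (assumption for
# illustration; tune to the environment).
$suspiciousRoots = @('\AppData\', '\Temp\', '\Downloads\', '\Users\Public\', '\ProgramData\')

function Get-ExclusionEntries {
    # Normalise one Get-MpPreference exclusion list into objects, skipping
    # the $null that an empty list yields.
    param([string[]]$Values, [string]$Type)
    foreach ($v in @($Values)) {
        if ([string]::IsNullOrEmpty($v)) { continue }
        $flag = ''
        foreach ($root in $suspiciousRoots) {
            if ($v -like "*$root*") { $flag = 'REVIEW'; break }
        }
        [pscustomobject]@{ Type = $Type; Value = $v; Flag = $flag }
    }
}

# 1. Current exclusions. Entries under a user-writable directory deserve a look.
$pref = Get-MpPreference
$entries  = @()
$entries += Get-ExclusionEntries -Values $pref.ExclusionPath      -Type 'Path'
$entries += Get-ExclusionEntries -Values $pref.ExclusionProcess   -Type 'Process'
$entries += Get-ExclusionEntries -Values $pref.ExclusionExtension -Type 'Extension'

Write-Host "== Current Defender exclusions =="
if ($entries.Count -eq 0) { Write-Host "(none)" } else { $entries | Format-Table -AutoSize }

# 2. Exclusion changes in the last 7 days (window is an assumption).
#    Defender records every configuration change as Event ID 5007 in its
#    Operational log; the message names the changed setting, so filtering on
#    "Exclusions" isolates additions and removals of exclusion entries.
$since = (Get-Date).AddDays(-7)
Write-Host "`n== Defender exclusion changes since $since =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. Live outbound FTP control connections from this host. Workstations
#    rarely have a legitimate reason to talk to port 21 on the Internet.
Write-Host "`n== Established outbound connections to TCP/21 =="
Get-NetTCPConnection -RemotePort 21 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            OwningProcess = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { '?' }
        }
    } | Format-Table -AutoSize
```

The exclusion list is also persisted under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (and the sibling Processes and Extensions keys), so the same hunt can be run fleet-wide from registry telemetry where endpoint tooling collects it. A Defender exclusion created by an unsigned binary in a user profile, followed by an outbound FTP session from a process in the same profile, is the combination this brief describes and is worth an alert on its own.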

What is Nuspire doing?

Nuspire actively threat hunts in managed client environments for indicators of compromise associated with EvilExtractor and other malware.

What should I do?

EvilExtractor is being used as a comprehensive infostealer with multiple malicious features, including a ransomware module. Organizations should be aware of this new infostealer and continue to treat unexpected emails and attachments with caution.

Organizations should deploy endpoint protection with heuristics and behavioral analysis so that detection does not depend on signature-based indicators alone.

Ensure that software installers and updates are only downloaded from known and trusted websites.

Users should have the lowest level of permissions needed to complete their duties within the organization.

Note that EvilExtractor is unrelated to the vRealize vulnerability covered in our Jan. 25, 2023 threat brief.
