New EvilExtractor Malware for Windows Systems Discovered on Dark Web
A new malware called EvilExtractor (also spelled Evil Extractor) has been discovered on the dark web, where it is being sold to cybercriminals for stealing data and files from Windows systems. It is marketed as an educational tool, but threat actors have adopted it as an information stealer.

The malware includes several modules that work via an FTP service, along with environment-checking and anti-VM functions. Its primary purpose is to steal browser data and other information from compromised endpoints and upload it to the attacker's FTP server. It can also record keystrokes, activate webcams, and capture screenshots.

EvilExtractor has been observed spreading in the wild since March 2023, with most victims located in Europe and the US. It has been sold on cybercrime forums since October 22, 2022, and is continually updated with modules that siphon system metadata, passwords, and cookies from various web browsers, and that can even act as ransomware by encrypting files on the target system.

In addition to phishing email campaigns, EvilExtractor has been used as part of a malvertising and SEO poisoning campaign to deliver the Bumblebee malware loader via trojanized installers of legitimate software.

To mitigate these threats, organizations should ensure that software installers and updates are downloaded only from known and trusted websites, and users should not have privileges to install software or run scripts on their computers.
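Because the article identifies FTP upload to an attacker-controlled server as the stealer's exfiltration channel, one practical hunt is to look for workstations opening FTP control sessions to external hosts that are not on a sanctioned list. The following is an added example, not code from the article or from the malware's authors; the workstation subnets, the FTP allowlist and the flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes_out).
# Row 2 models a passive-mode FTP data channel on a high port that follows
# the control session in row 1; it carries most of the uploaded volume.
SAMPLE_FLOWS = [
    ("10.20.5.17", "203.0.113.45", 21, 482_000),
    ("10.20.5.17", "203.0.113.45", 49152, 1_900_000),
    ("10.20.5.23", "10.20.1.9", 21, 12_000),        # internal FTP, ignored
    ("10.20.5.31", "198.51.100.8", 443, 3_400),      # HTTPS, not FTP
    ("10.20.5.40", "198.51.100.20", 21, 8_000),      # sanctioned FTP server
    ("10.30.0.4", "203.0.113.45", 21, 5_000),        # server subnet, out of scope
]

# Assumptions: where user endpoints live, which external FTP servers are
# sanctioned, and which address ranges count as internal.
WORKSTATION_NETS = [ip_network("10.20.0.0/16")]
APPROVED_FTP_SERVERS = {"198.51.100.20"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
FTP_CONTROL_PORTS = {21, 990}   # plain FTP and implicit FTPS


def is_workstation(ip: str) -> bool:
    return any(ip_address(ip) in net for net in WORKSTATION_NETS)


def is_external(ip: str) -> bool:
    # Simplified: anything outside the internal ranges is treated as external.
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_suspicious_ftp(flows):
    """Return {(src, dst): total_bytes} for workstation-initiated FTP control
    sessions to unsanctioned external hosts. The byte total includes every
    flow between that pair, so passive-mode data channels are counted too."""
    flagged = set()
    for src, dst, port, _ in flows:
        if (port in FTP_CONTROL_PORTS and is_workstation(src)
                and is_external(dst) and dst not in APPROVED_FTP_SERVERS):
            flagged.add((src, dst))
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if (src, dst) in flagged:
            totals[(src, dst)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for (src, dst), total in find_suspicious_ftp(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {total} bytes over FTP control + data flows")
```

Counting all flows between a flagged pair matters because the control channel on port 21 carries almost none of the stolen data; the upload volume shows up on the high-port data channel.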