Evil Extractor Targets Windows Devices to Steal Sensitive Data


The attack tool known as Evil Extractor, developed by a company called Kodex as an “educational tool,” has been used by threat actors to target Windows-based machines.

The claims come from Fortinet security researchers and were described in an advisory published on Thursday.

“[We] observed this malware in a phishing email campaign [disguised as account confirmation requests] on 30 March, which we traced back to the samples included in this blog. It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities,” the company wrote.


Evil Extractor operates through several modules that rely on a File Transfer Protocol (FTP) service.

Further, Evil Extractor contains environment checking as well as anti-virtual machine (VM) and VirusTotal capabilities designed to avoid detection. The malware also has a ransomware function called “Kodex Ransomware.”
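The behaviours summarised above (a file posing as a PDF or Dropbox document that launches PowerShell, and modules that move data over FTP) map onto two simple endpoint detections. The following is an added illustration written for this page, not code from Fortinet's advisory or from the malware; the JSON event schema, the host names, and the file paths in the sample log are all constructed for the example.

```python
"""Toy detection pass over constructed endpoint telemetry (example only).

Two behaviours from the advisory summary are modelled:
  1. a document-lookalike executable (e.g. "Account_Confirmation.pdf.exe")
     spawning PowerShell
  2. PowerShell opening an outbound FTP (TCP/21) connection

The one-JSON-object-per-line event format and its field names are an
assumption made for this example, not any vendor's schema.
"""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

DOC_LOOKALIKE_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".ps1")
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def is_document_lookalike(image_path: str) -> bool:
    """True for names such as 'invoice.pdf.exe': an executable extension
    hiding behind a document-looking one."""
    suffixes = [s.lower() for s in PureWindowsPath(image_path).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in EXECUTABLE_SUFFIXES
        and suffixes[-2] in DOC_LOOKALIKE_SUFFIXES
    )


def analyse_event(event: dict) -> Optional[str]:
    """Return a human-readable reason if the event matches either rule."""
    kind = event.get("type")
    if kind == "process_create":
        parent = PureWindowsPath(event["parent_image"]).name.lower()
        child = PureWindowsPath(event["image"]).name.lower()
        if child in POWERSHELL_IMAGES and is_document_lookalike(event["parent_image"]):
            return f"document-lookalike executable {parent!r} spawned {child}"
    elif kind == "network_connect":
        image = PureWindowsPath(event["image"]).name.lower()
        if image in POWERSHELL_IMAGES and event.get("dest_port") == 21:
            return f"{image} opened outbound FTP connection to {event.get('dest_ip')}"
    return None


def find_suspicious_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON-lines telemetry and collect (host, reason) findings.
    Malformed lines are skipped rather than aborting the scan."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = analyse_event(event)
        if reason:
            findings.append((event.get("host", "?"), reason))
    return findings


# Constructed sample telemetry: two benign events, two that match, one FTP
# client that is not PowerShell, and one malformed line.
SAMPLE_LOG = r'''
{"host": "WS-01", "type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"host": "WS-01", "type": "process_create", "parent_image": "C:\\Users\\alice\\Downloads\\Account_Confirmation.pdf.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host": "WS-01", "type": "network_connect", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_ip": "192.0.2.10", "dest_port": 443}
{"host": "WS-01", "type": "network_connect", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_ip": "192.0.2.20", "dest_port": 21}
{"host": "WS-02", "type": "network_connect", "image": "C:\\Program Files\\FileZilla\\filezilla.exe", "dest_ip": "192.0.2.30", "dest_port": 21}
this line is not JSON
'''


if __name__ == "__main__":
    for host, reason in find_suspicious_events(SAMPLE_LOG.splitlines()):
        print(f"[{host}] {reason}")
```

Neither rule alone is proof of Evil Extractor: legitimate PowerShell automation can talk FTP, and users do occasionally name files oddly. Correlating the two on the same host within a short window, and pairing them with the advisory's published indicators of compromise, gives a far stronger signal than either rule in isolation.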

“We recently reviewed a version of the malware that was injected into a victim’s system and, as part of that analysis, identified that most of its victims are located in Europe and America,” Fortinet explained.

According to the advisory, the developer released the malware in October 2022 and kept updating it to increase its stability and strengthen its malicious capabilities.

“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor,” reads the technical write-up. “Users should be aware of this new info stealer and continue to be cautious about suspicious mail.”

The publication of the advisory, which also included indicators of compromise for the malware, comes weeks after Open Text Cybersecurity experts warned against a substantial surge in HTTPS phishing sites.
