Windows PCs are currently under attack by a new “all-in-one” infostealer malware capable of stealing passwords and cookies, bypassing two-factor authentication and even installing ransomware on vulnerable computers.
According to a new report from Fortinet’s FortiGuard Labs, the EvilExtractor malware is currently being sold on hacking forums for other cybercriminals to use in their attacks. Unlike more expensive malware-as-a-service offerings, EvilExtractor can be had for just $39 and even though it’s new, the malware is already quite sophisticated.
Although EvilExtractor began being sold to hackers back in October of last year, Fortinet observed a surge in attacks used to distribute the malware in March of this year targeting users in the U.S. and Europe.
EvilExtractor is not a malware to write off, as The Hacker News notes that it’s continually updated and has a number of different modules designed to exfiltrate passwords and cookies from your browser as well as record keystrokes. It can even act like ransomware by encrypting files on an infected Windows PC.
All-in-one infostealer spread via phishing
Like other malware strains, EvilExtractor is being used in phishing campaigns designed to trick unsuspecting users into accidentally installing it on their Windows PCs.
The phishing emails used in this campaign try to lure recipients into launching an executable posing as a PDF document which contains their account info. To entice users into opening the malicious attachment contained in the email, the hackers behind this campaign have also given the decompressed file an Adobe PDF icon to make it appear more legitimate.
If a user does open the supposed PDF, the .NET loader it contains extracts the EvilExtractor malware. From here, the malware downloads additional components that it uses for stealing browser data as well as cookies from Google Chrome, Microsoft Edge, Opera and Firefox. To make matters worse, the malware also collects a user’s browser history along with their saved passwords.
EvilExtractor isn’t done there: it then proceeds to download files from a victim’s Windows PC that have the extensions jpg, png, jpeg, mp4, mpeg, mp3, avi, txt, rtf, xlsx, docx, pptx, pdf, rar, zip, 7z, csv, xml, and html. It also uses the command “CopyFromScreen” to take screenshots of the infected computer. This data could also be used for blackmail if it contains anything too sensitive.
Once all of this data has been collected, it is then uploaded to an FTP server controlled by the hackers behind the campaign. EvilExtractor’s creator also provides an FTP server for cybercriminals who have purchased the malware to use.
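The lure described in this section, an executable inside a compressed attachment that is dressed up as a PDF, can be caught by looking at file content rather than at the icon or name. The following is an added example, not code from Fortinet or from the original article: a mail-side check that flags Windows executables inside an archive. It assumes the attachment is a ZIP file (the article does not name the archive format), and all file names and bytes in the sample are constructed.

```python
import io
import zipfile

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")  # extensions a lure imitates

def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) for each suspicious file in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be read
                findings.append((info.filename, "encrypted member, not inspectable"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head != b"MZ":  # every Windows PE file starts with the DOS "MZ" stub
                continue
            stem, _, ext = info.filename.lower().rpartition(".")
            if "." + ext in DOC_EXTS:
                reason = "executable content behind a document extension"
            elif stem.endswith(DOC_EXTS):
                reason = "double extension hides the real file type"
            else:
                reason = "executable delivered inside an archive"
            findings.append((info.filename, reason))
    return findings

def build_sample() -> bytes:
    """Constructed ZIP: harmless stub bytes only, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("viewer.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.pdf", b"%PDF-1.7\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_archive(build_sample()):
        print(f"{name}: {reason}")
```

Because the check reads the first bytes of each member, a PDF icon or a renamed extension does not change the result.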
How to stay safe from Windows malware
When it comes to staying safe from Windows malware and other cyber threats, you want to be extra careful when checking your inbox. Hackers and cybercriminals often use malicious attachments in emails as a means of spreading malware to unsuspecting users.
This is why you shouldn’t download any attachments or click on any links in emails from unknown senders. Likewise, if an email tries to instil a sense of urgency by giving you a deadline on when you have to take action, it’s probably best to ignore it and delete the message as it’s likely a phishing email.
To keep your PC protected from a malware infection, you should also install one of the best antivirus software solutions on your Windows computers. At the same time, you should ensure that Windows Defender is enabled and updated as Microsoft’s own free antivirus has gotten a lot better at detecting and stopping malware in recent years.
As EvilExtractor is being sold to hackers using a malware-as-a-service business model, this is likely not the last time we’ll hear about this malware, especially as its creator continues to update it with new functionality and features.