While marketed as a legitimate tool, BleepingComputer was told that EvilExtractor is primarily promoted to threat actors on hacking forums.
In the wild detections indicate that EvilExtractor is gaining traction in the cybercrime community, so users are advised to remain vigilant against unsolicited emails.
EvilExtractor malware activity spikes in Europe and the U.S.
"Researchers are seeing a rise in attacks spreading the EvilExtractor data theft tool, used to steal users' sensitive data in Europe and the U.S.
EvilExtractor is sold by a company named Kodex for $59/month, featuring seven attack modules, including ransomware, credential extraction, and Windows Defender bypassing.
While marketed as a legitimate tool, BleepingComputer was told that EvilExtractor is primarily promoted to threat actors on hacking forums.
"Recorded Future first observed Evil Extractor being sold on the Cracked and Nulled forums in October of 2022," Allan Liska, a threat intelligence analyst at Recorded Future, told BleepingComputer.
Other security researchers have also been monitoring the development and malicious attacks using Evil Extractor, sharing their findings on Twitter since February 2022.
Fortinet reports that cybercriminals use EvilExtractor as an information-stealing malware in the wild.
Based on attack stats collected by the cybersecurity company, the deployment of EvilExtraactor spiked in March 2023, with most infections coming from a linked phishing campaign. . ."
READ MORE
Critical infrastructure also hit by supply chain attack behind 3CX breach
"The X_Trader software supply chain attack that led to last month's 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec's Threat Hunter Team.
North Korean-backed threat group linked to the Trading Technologies and 3CX attacks used a trojanized installer for X_Trader software to deploy the VEILEDSIGNAL multi-stage modular backdoor onto victims' systems.
Once installed, the malware could execute malicious shellcode or inject a communication module into Chrome, Firefox, or Edge processes running on compromised systems. . ."
READ MORE
Google ads push BumbleBee malware used by ransomware gangs
"The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.
Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.
In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.
Researchers at Secureworks have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.
Hiding in popular apps
One of the campaigns seen by SecureWorks started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an "appcisco[.]com" domain.
"An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site," explains SecureWorks' report.
This fake landing page promoted a trojanized MSI installer named "cisco-anyconnect-4_9_0195.msi" that installs the BumbleBee malware.
Upon execution, a copy of the legitimate program installer and a deceptively named (cisco2.ps1) PowerShell script is copied to the user's computer.
The CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion.
However, the PowerScrip script installs the BumbleBee malware and conducts malicious activity on the compromised device.
"The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script," explains Secureworks.
"It also contains an encoded Bumblebee malware payload that it reflectively loads into memory."
This means that Bumblebee still uses the same post-exploitation framework module to load the malware into memory without raising any alarms from existing antivirus products.
✓ Secureworks found other software packages with similarly named file pairs like ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1 and CitrixWorkspaceApp.exe and citrix.ps1.
A path to ransomware
Considering that the trojanized software is targeting corporate users, infected devices make candidates for the beginning of ransomware attacks.
Secureworks examined one of the recent Bumblebee attacks closely. They found that the threat actor leveraged their access to the compromised system to move laterally in the network approximately three hours after the initial infection.
The tools the attackers deployed on the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.
This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware."
.png)
Related Articles:
PureCrypter malware hits govt orgs with ransomware, info-stealers
Typhon info-stealing malware devs upgrade evasion capabilities
BlackGuard stealer now targets 57 crypto wallets, extensions
Adobe Acrobat Sign abused to push Redline info-stealing malware
New S1deload Stealer malware hijacks Youtube, Facebook accounts
No comments:
Post a Comment