Experts have discovered a hazardous new malware strain that is circulating the internet, stealing sensitive data from victims and, in some cases, installing ransomware as well.
The malware, dubbed Evil Extractor, was found by Fortinet cybersecurity experts, who published their findings in a blog post, noting that it was produced and disseminated by a business called Kodex and was marketed as a "educational tool."
“FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog,” the researchers said. “It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities.”
An environment-analysis tool and an info stealer are among the harmful actions. As a result, the malware would first check to ensure that it is not being planted in a honeypot before capturing as much sensitive data from the endpoint as possible and transferring it to the threat actor's FTP server. It is also capable of encrypting data.
The tool, known as Kodex Ransomware, downloads zzyy.zip from evilextractor[.]com, which contains 7za.exe, an executable that encrypts data using the argument "-p," which means the files are zipped with a password.
The malware then sends a ransom note asking $1,000 in Bitcoin in exchange for the decryption key, as is customary. "Otherwise, you will be unable to access your files indefinitely," the notification states. According to reports, the malware mostly targets people in the Western world.
"We recently reviewed a version of the malware that was injected into a victim's system and, as part of that analysis, identified that most of its victims are located in Europe and America," Fortinet states.
It's not known if the operators were successful in spreading the ransomware or how many victims they impacted.