search

SecOpsNews / news

RSS items as GitHub Issues for the discerning engineering leader or security professional
MIT License
33 stars 0 forks source link

[NETRESEC] EvilExtractor Network Forensics #13323

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. The EvilExtractor creators market this feature as a “golden bullet”.

Real hackers don’t use reverse shells right? If you have only one bullet, would you waste with reverse shell? Try Evil Extractor to have golden bullet.

I downloaded the Evil Extractor capture file from Triage to a Windows Sandbox environment, to avoid accidentally infecting my computer when extracting artifacts from the PCAP. I then opened it up in the free version of NetworkMiner.

NetworkMiner shows that after checking its public IP on ipinfo.io EvilExtractor makes an unencrypted HTTP connection to a web server on 193.42.33.232 to download KK2023.zip. This zip archive contains a file called “Lst.exe” which is used to steal browser data, cookies and credentials according to Fortinet.

EvilExtractor HTTP Downloads

Image: Files downloaded from TCP port 80

Twenty seconds later an FTP connection is established to 89.116.53.55 on TCP port 21. The username and password used to authenticate to the FTP server was “u999382941” and “Test1234”.

EvilExtractor FTP CredentialsEvilExtractor FTP Requests

On the FTP server EvilExtractor creates a directory named after the country and hostname of the victim's PC, such as “(Sweden)DESKTOP-VV03LJ”, in which it creates the following three sub directories:

EvilExtractor FTP exfil of cookies and credentials

After uploading browser cookies, browser history and cached passwords from Chrome, Firefox and Edge to the “1-Password-Cookies” directory EvilExtractor sends a file called “Credentials.txt” to the “2-Credentials” directory. The contents of this text file looks something like this:

Public IP: [redacted]

Location: [lat],[long]

Computer Name: [redacted]

Username: Admin

RAM: 4 GB

OS Name: Microsoft Windows 10 Pro

OS Bit: 64-bit

Keyboard Language: en-US

GPU: [redacted]

CPU: Intel [redacted]

MAC Address: [redacted]

Extracted WIFI: [redacted]

The stealer also exfiltrates files with mpeg, docx, jpeg, pptx, zip, avi and rar extensions from the victim PC to the “3-Files” directory on the FTP server. The directory structure of the victim’s PC is maintained on the FTP server, so that files from the victim's desktop end up in a folder called “Desktop” on the FTP server.

EvilExtractor FTP exfil of files

The stealer later downloaded a keylogger module (Confirm.zip) and a webcam module (MnMs.zip), but no additional data was exfiltrated from this particular victim PC after that point.

IOC List

Users with an account on Triage can download the analyzed capture file from here: https://tria.ge/230424-vv9wvsfb2v/behavioral2

https://www.netresec.com/?page=Blog&month=2023-04&post=EvilExtractor-Network-Forensics

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 1 day with no activity. Remove stale label or comment or this will be closed in 1 day.

github-actions[bot] commented 1 year ago

This issue was closed because it has been stale with no activity.