EvilExtractor Phishing Campaign Targets Windows Users With PDFs And Dropbox Links

A new piece of Windows malware is making the rounds, but what else is new? You never want to fall victim to a malware campaign, but this one is particularly troublesome. EvilExtractor is billed as an "all-in-one" solution for your online criminal needs. With this one tool, a threat actor can monitor keystrokes, steal data, and lock down a Windows machine with ransomware. And it all starts with a seemingly innocuous PDF in a phishing email.

Security firm FortiGuard Labs has detailed the attack chain and capabilities of EvilExtractor, starting with the aforementioned PDF, which isn't actually a PDF. Attackers distribute the installer in an archive, and once it is unpacked the user finds what appears to be a PDF. That icon is a lie: it is just a resource embedded in the file, whose true role is a Python program packaged into a Windows executable by PyInstaller. The file usually arrives as an email attachment, sometimes behind a Dropbox link rather than attached directly. The Python code inside is obfuscated with PyArmor, which makes it harder for anti-malware tools to recognize statically.
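The mismatch described above (a file that presents itself as a PDF but is really a PyInstaller-built executable) can be caught before anyone double-clicks it. The following is an added example, not code from FortiGuard or from the EvilExtractor kit: it inspects an attachment's leading bytes, validates the MZ/PE header, and scans for the PyInstaller archive cookie and common PyArmor strings. The PyArmor string list is a heuristic assumption, and the two sample files at the bottom are constructed byte strings, not real samples.

```python
"""Triage an email attachment that claims to be a PDF (added example)."""
import struct

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
# 8-byte cookie magic that PyInstaller's bootloader writes into every
# bundled executable (constant taken from PyInstaller's own archive reader).
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Strings commonly found in PyArmor-obfuscated bundles. Assumption: this is a
# heuristic for triage, not a reliable signature.
PYARMOR_MARKERS = (b"pyarmor", b"pytransform", b"__pyarmor__")


def is_pe(data: bytes) -> bool:
    """True if the data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(filename: str, data: bytes) -> dict:
    """Return what the file claims to be, what it actually is, and why it is suspicious."""
    flags = []
    lower = filename.lower()
    claims_pdf = lower.endswith(".pdf") or ".pdf." in lower
    pe = is_pe(data)
    if claims_pdf and not data.startswith(PDF_MAGIC):
        flags.append("named like a PDF but does not start with %PDF-")
    if pe:
        flags.append("Windows PE executable")
        if PYINSTALLER_MAGIC in data:
            flags.append("PyInstaller bundle")
        if any(m in data.lower() for m in PYARMOR_MARKERS):
            flags.append("PyArmor markers")
    return {
        "is_pdf": data.startswith(PDF_MAGIC) and not pe,
        "is_pe": pe,
        "flags": flags,
    }


def fake_pe(payload: bytes = b"") -> bytes:
    """Build a minimal MZ/PE-shaped blob for offline testing (constructed, not a real binary)."""
    hdr = bytearray(0x80)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed samples: a genuine-looking PDF and a PyInstaller/PyArmor-style
# executable with a double extension. The filename is hypothetical.
SAMPLE_REAL_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_FAKE_PDF = fake_pe(b"\0" * 64 + b"pytransform" + b"\0" * 16 + PYINSTALLER_MAGIC)

if __name__ == "__main__":
    for name, blob in (("invoice.pdf", SAMPLE_REAL_PDF),
                       ("Statement.pdf.exe", SAMPLE_FAKE_PDF)):
        print(name, triage(name, blob))
```

Run this over attachments in a mail gateway or a sandbox intake queue; anything with both "PyInstaller bundle" and a PDF-style name deserves detonation rather than delivery. The header check matters because a file can carry a PDF icon and a PDF-like name while still being an ordinary PE, and Windows hides the real extension by default.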

Once launched, EvilExtractor runs a series of environment checks to make sure it is not inside a virtual machine, a common sign of a researcher's analysis box rather than a real victim. Once it has confirmed the system is a valid target, the malware's primary code (a PowerShell script) swings into action and downloads the attack components. Among the EvilExtractor modules is a data stealer that extracts browsing history and saved passwords from almost any modern browser, a common target for malware of this kind. It also loads a keylogger that records everything typed on the machine. Finally, it loads a module that uploads the stolen data to the attacker's FTP server.
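The execution pattern in that paragraph, a freshly dropped executable spawning PowerShell that then talks to an FTP server, is visible in ordinary endpoint telemetry. The hunting logic below is an added example, not FortiGuard's or the malware author's code. The event records are constructed to resemble Sysmon-style process-creation and network-connection logs; the field names, the hypothetical attachment name, and the TEST-NET IP address are assumptions for illustration.

```python
"""Hunt for dropped-exe -> PowerShell -> FTP chains in process/network events (added example)."""
import ntpath
from collections import defaultdict

# Directories a phishing lure typically executes from. Assumption: tune for your estate.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
POWERSHELL = ("powershell.exe", "pwsh.exe")
FTP_PORTS = {21}


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def _in_user_writable_dir(image: str) -> bool:
    low = image.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def hunt(events):
    """Return findings for PowerShell launched from a user-writable path and/or using FTP."""
    procs = {}      # pid -> its process-creation event, so network events can be attributed
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
            if _base(ev["image"]) in POWERSHELL and _in_user_writable_dir(ev["parent_image"]):
                findings.append({"pid": ev["pid"],
                                 "rule": "powershell spawned by executable in user-writable directory",
                                 "detail": ev["parent_image"]})
        elif ev["event"] == "network_connect":
            proc = procs.get(ev["pid"])
            if proc and _base(proc["image"]) in POWERSHELL and ev["dst_port"] in FTP_PORTS:
                findings.append({"pid": ev["pid"],
                                 "rule": "powershell outbound FTP",
                                 "detail": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
    # Both rules on the same PowerShell process is the drop -> steal -> exfiltrate chain in one place.
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f["pid"]].add(f["rule"])
    for pid, rules in rules_by_pid.items():
        if len(rules) == 2:
            findings.append({"pid": pid, "rule": "chained: dropped exe -> powershell -> ftp",
                             "detail": "both indicators on one process"})
    return findings


# Constructed events: a benign admin shell, then the lure chain.
EVENTS = [
    {"event": "process_create", "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    # Benign: PowerShell started from the Start menu, explorer is the parent.
    {"event": "process_create", "pid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "network_connect", "pid": 1300, "dst_ip": "10.0.0.5", "dst_port": 443},
    # Lure: the fake "PDF" (hypothetical name) run out of Downloads ...
    {"event": "process_create", "pid": 2000, "image": r"C:\Users\alice\Downloads\Statement.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # ... spawns PowerShell to run the main script ...
    {"event": "process_create", "pid": 2010,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\Statement.exe"},
    # ... which pushes the loot to an FTP server (TEST-NET address).
    {"event": "network_connect", "pid": 2010, "dst_ip": "203.0.113.77", "dst_port": 21},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Port 21 only catches the FTP control channel, and stealers can just as easily use HTTPS or a cloud-storage API, so treat the FTP rule as a confirmation signal; the parent-process rule is the one that generalizes to most phishing-delivered loaders.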


Stealing data might be first on EvilExtractor's list of crimes, but it quickly moves on to even more devious activities. With the data exfiltration complete, there's no longer any reason for the malware to stay under the radar. It downloads a ransomware module known as Kodex, which encrypts local files and sends a confirmation screenshot to the command-and-control server. Users are greeted by a demand for $1,000 in Bitcoin in exchange for the 50-character decryption key, without which it is unlikely the files will ever be recovered. Note the ordering: because the theft happens before the encryption, paying for the key does nothing about the passwords and keystrokes already sitting on the attacker's server.

FortiGuard says its own products now detect EvilExtractor, and other vendors will catch up, but detection always lags a fresh campaign. As always, common sense remains your best weapon. Even if a mysterious attachment in your email appears to be harmless, you should never open it, and remember that Windows hides known file extensions by default, so a PDF icon tells you nothing about what the file really is. Opening it anyway is merely inviting disaster.