
Mounting EvilExtractor malware activity observed in US, Europe

BleepingComputer reports that the U.S. and Europe have been facing a growing number of attacks distributing the EvilExtractor data-theft tool, with intrusions peaking last month, most of them delivered through a phishing campaign. According to a Fortinet report, the attacks begin with phishing emails posing as account confirmation requests that carry a gzip-compressed executable disguised as a PDF or Dropbox file. Opening the attachment runs a Python program packaged with PyInstaller, which launches a .NET loader that deploys EvilExtractor. The malware used in the attacks carries numerous modules; its data-stealing module downloads additional Python components that extract browser cookies and other browsing data, log keystrokes, and capture webcam footage, the report showed. Researchers also found that the loader contains the Kodex ransomware, which downloads the "zzyy.zip" file and uses 7-Zip to create password-protected archives.
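As an added example (not code from the SC Media brief or from Fortinet's report), the following Python sketches two detections for the chain described above: an attachment check that flags a gzip-wrapped executable posing as a PDF or Dropbox document, and a process-event rule for 7-Zip building a password-protected archive from a user-writable path. The attachments and the Sysmon-style process events are constructed for illustration; the field names, file paths and the `-pexample` password are assumptions, not indicators taken from the report.

```python
"""Added example: two detections for the EvilExtractor delivery chain and the
Kodex archiving step described in the brief. This is not code from SC Media or
Fortinet; the sample attachments and the Sysmon-style process events below are
constructed for illustration, and their field names, paths and password are
assumptions rather than indicators taken from the report."""
import gzip
import io
import re
import zlib

PDF_MAGIC = b"%PDF-"      # every real PDF starts with this header
GZIP_MAGIC = b"\x1f\x8b"  # gzip stream
PE_MAGIC = b"MZ"          # Windows executable (DOS stub header)


def classify_attachment(filename: str, data: bytes) -> tuple[str, bool]:
    """Return (content_kind, disguised).

    content_kind is one of "pdf", "exe", "gzip-exe", "gzip" or "other", judged
    from the bytes rather than the name. disguised is True when the name
    promises a document (".pdf" or a "Dropbox" file) but the bytes are not a
    PDF, which is the lure the brief describes.
    """
    name = filename.lower()
    claims_document = name.endswith(".pdf") or "dropbox" in name
    if data.startswith(PDF_MAGIC):
        kind = "pdf"
    elif data.startswith(PE_MAGIC):
        kind = "exe"
    elif data.startswith(GZIP_MAGIC):
        kind = "gzip"
        try:
            # Peek at the first bytes of the decompressed payload only; a
            # gzip-wrapped PE is the dropper shape the report describes.
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                if gz.read(len(PE_MAGIC)) == PE_MAGIC:
                    kind = "gzip-exe"
        except (OSError, EOFError, zlib.error):
            pass  # truncated or corrupt stream: still a gzip, still not a PDF
    else:
        kind = "other"
    return kind, claims_document and kind != "pdf"


# Constructed attachments: a genuine PDF, the lure (gzip-wrapped PE named as a
# PDF), a PE posing as a Dropbox file, and a harmless gzip text file.
SAMPLE_ATTACHMENTS = {
    "invoice": ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    "lure": ("Account_Confirmation.pdf", gzip.compress(b"MZ\x90\x00" + b"\x00" * 64)),
    "dropbox": ("Dropbox_shared_file.exe", b"MZ\x90\x00" + b"\x00" * 64),
    "notes": ("notes.txt.gz", gzip.compress(b"plain text, nothing to see\n")),
}

# Process-creation rule for the Kodex step: 7-Zip invoked with its -p<password>
# switch, more suspicious when the binary or its parent runs from a
# user-writable location (a downloaded zzyy.zip lands there, not in Program Files).
SEVEN_ZIP_IMAGE = re.compile(r"(?:^|\\)7za?\.exe$", re.IGNORECASE)
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S+")
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)


def password_archive_alerts(events: list[dict]) -> list[dict]:
    """Return one alert per 7-Zip event that creates a password-protected archive."""
    alerts = []
    for ev in events:
        if not SEVEN_ZIP_IMAGE.search(ev["image"]) or not PASSWORD_SWITCH.search(ev["cmdline"]):
            continue
        reasons = ["7-Zip creating a password-protected archive"]
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("7-Zip binary running from a user-writable path")
        if USER_WRITABLE.search(ev["parent"]):
            reasons.append("parent process in a user-writable path")
        alerts.append({
            "cmdline": ev["cmdline"],
            "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "low",
        })
    return alerts


# Constructed Sysmon-style events (field names are an assumption): a routine
# backup, a legitimate encrypted archive, and the Kodex-like pattern.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\alice\Documents'},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -pexample vault.7z C:\Users\alice\Documents\tax'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\zzyy\7za.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Account_Confirmation.exe",
     "cmdline": r'7za.exe a -pexample -mhe=on C:\Users\alice\Desktop\locked.7z C:\Users\alice\Desktop\*'},
]

if __name__ == "__main__":
    for label, (fname, blob) in SAMPLE_ATTACHMENTS.items():
        print(label, classify_attachment(fname, blob))
    for alert in password_archive_alerts(SAMPLE_EVENTS):
        print(alert["severity"], alert["reasons"])
```

Run directly, it prints the verdict for each constructed attachment and the two alerts. A mail gateway would apply `classify_attachment` to each decoded MIME part, since the name-versus-content mismatch is the cheap signal; the process rule maps onto Sysmon process-creation fields (Image, ParentImage, CommandLine), and the path heuristic is what separates a user zipping tax records with a password from a dropped 7za.exe run by a fake account-confirmation executable.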

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.