A phishing campaign that launched in March and is actively targeting Microsoft operating system users in Europe and the US is making the rounds, using the EvilExtractor tool as its weapon of choice.
Research this week from FortiGuard Labs details the EvilExtractor attack chain, explaining that it usually starts with a legitimate-seeming Adobe PDF or Dropbox link, which instead deploy a malicious PowerShell when opened or clicked, before eventually leading to the modular EvilExtractor malware.
"Its primary purpose seems to be to steal browser data and information from compromised endpoints, and then upload it to the attacker’s FTP server," FortiGuard Labs researchers wrote.
The report points out that EvilExtractor was first developed by Kodex, which claimed that, despite its obvious name, it's used as an "educational tool,' according to the EvilExtractor report. "However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info-stealer."