Network forensics of an #EvilExtractor execution.
🔥 193.42.33.232:80 (payload delivery)
🔥 89.116.53.55:21 (FTP exfil)
https://netresec.com/?b=2342891
EvilExtractor Network Forensics

I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim's computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiv[...]

Netresec
Use this regex to match the #EvilExtractor FTP exfil traffic:
MKD \([a-zA-Z ]+\)[a-zA-Z0-9-]+\/1-Password-Cookies
Here's a #Wireshark display filter that matches this FTP command:
ftp.request.command == "MKD" and ftp.request.arg matches "^\\([a-zA-Z ]+\\)[a-zA-Z0-9-]+\\/1-Password-Cookies$"
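The same check outside Wireshark, as an added Python example (not Netresec's code and not taken from the analysed PCAP): it splits a reassembled client-to-server FTP control stream into commands, applies the argument pattern only to MKD commands the way the display filter does, and also runs the raw regex from the post over the whole stream. The sample stream, the "(Example Label)" text and the DESKTOP-A1B2C3 token are constructed to fit the regex and are not observed EvilExtractor values.

```python
import re

# The regex from the post, applied to a raw client-to-server FTP control stream
# (what you would grep for in tshark "Follow TCP stream" output or an FTP log).
POST_REGEX = re.compile(r"MKD \([a-zA-Z ]+\)[a-zA-Z0-9-]+/1-Password-Cookies")

# Argument-only form mirroring the Wireshark filter in the post
# (command == "MKD" and the argument anchored with ^ and $).
# Group 1 is the parenthesised label, group 2 the token before "/".
MKD_ARG_RE = re.compile(r"^\(([a-zA-Z ]+)\)([a-zA-Z0-9-]+)/1-Password-Cookies$")

# Constructed client-side control-channel stream for testing. It is NOT from a
# real capture: the label and token are invented values that fit the regex.
SAMPLE_FTP_STREAM = (
    "USER ftpuser\r\n"
    "PASS hunter2\r\n"
    "TYPE I\r\n"
    "MKD (Example Label)DESKTOP-A1B2C3/1-Password-Cookies\r\n"
    "CWD (Example Label)DESKTOP-A1B2C3/1-Password-Cookies\r\n"
    "STOR Cookies.txt\r\n"
    "MKD backup-2023\r\n"
    "mkd (Example Label)DESKTOP-A1B2C3/1-Password-Cookies\r\n"
    "QUIT\r\n"
)


def parse_ftp_commands(stream):
    """Split a reassembled FTP control stream into (verb, argument) pairs.

    FTP commands are CRLF-terminated; the argument is everything after the
    first space (empty for argument-less commands such as QUIT).
    """
    commands = []
    for line in stream.split("\r\n"):
        line = line.rstrip("\r\n")
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        commands.append((verb, arg))
    return commands


def find_evilextractor_mkd(stream):
    """Return one dict per MKD command whose argument matches the pattern.

    The verb is compared case-insensitively, because RFC 959 treats command
    codes as case-insensitive; a literal == "MKD" comparison would skip "mkd".
    """
    hits = []
    for verb, arg in parse_ftp_commands(stream):
        if verb.upper() != "MKD":
            continue
        m = MKD_ARG_RE.match(arg)
        if m:
            hits.append({
                "verb": verb,
                "label": m.group(1),   # text inside the parentheses
                "token": m.group(2),   # text between ")" and "/"
                "arg": arg,
            })
    return hits


def raw_regex_hits(stream):
    """Apply the post's regex directly to the raw stream, as a log grep would."""
    return POST_REGEX.findall(stream)


if __name__ == "__main__":
    for hit in find_evilextractor_mkd(SAMPLE_FTP_STREAM):
        print(f"EvilExtractor MKD: label={hit['label']!r} token={hit['token']!r}")
    print(f"raw regex matches: {len(raw_regex_hits(SAMPLE_FTP_STREAM))}")
```

On the constructed stream the field-based check reports two hits (the upper- and lower-case MKD) while the raw regex reports one, which is the practical difference between the two forms in the post: the regex is convenient for grepping stream dumps, the field-based filter (and the function above) is the one to use when the verb's case cannot be trusted.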