First introduced in July 2022, Icarus Stealer is an infostealer that uses an hVNC capability to create a hidden desktop for covert navigation on infected machines. It packs a wide range of features (2FA bypass, rootkit, macros, VBS payloads, CCleaner, Bot Killer) and is sold at a cheaper price than rivals, making it accessible to less experienced threat actors. #IcarusStealer #hVNC #Discord #Telegram #CCleaner #BotKiller
Keypoints
- Icarus Stealer debuted on hacking forums in July 2022 and includes a hidden-desktop capability via hVNC.
- The malware is consistently updated with new features such as VBS payloads, Kill Bot, and CCleaner integration.
- It offers numerous capabilities (2FA bypass, rootkit, encrypted connections, RunPE, macro, shellcode payload) that lower the barrier for misuse.
- It is marketed as cheaper than Redline Stealer and Raccoon Stealer, aiding adoption by inexperienced criminals.
- Distribution occurs through Telegram channels and other users, expanding its reach.
- The analysis highlights extensive persistence, evasion, data exfiltration, and control features via the hVNC panel (Apps, Browsers, System, Recovery, Watcher, Kill WD, etc.).
- eSentire’s TRU outlines detections, threat hunts, and recommended controls to mitigate Icarus Stealer.
MITRE Techniques
- [T1055] Process Injection – The main stealer payload injects itself into the cvtres.exe process. “The main stealer payload injects itself into cvtres.exe process”
- [T1053.005] Scheduled Task – Persistence is achieved via scheduled tasks. “For Icarus Stealer the persistence is achieved via scheduled tasks.”
- [T1546.010] AppInit DLLs – Persistence via AppInit DLLs for rootkit installation. “The persistence is achieved via AppInit DLLs.”
- [T1546.015] COM Hijacking – Registry hijacking to point to the rootkit installer. “The Default value to point to the rootkit installer and DelegateExecute value to 0”
- [T1036.004] Masquerading: Masquerade Task or Service – “The stealer can masquerade under svchost.exe.”
- [T1622] Virtualization/Sandbox Evasion – Sandbox checks and anti-VM logic (Anti-VM). “sandbox checks – the stealer counts number of recently opened files… also checks if it’s running within VMWare or VirtualBox environments.”
- [T1057] Process Discovery – The stealer performs process, application and host information discovery. “The stealer performs the process, application and host information discovery”
- [T1082] System Information Discovery – System information discovery on the host. “System Information Discovery”
- [T1518] Software Discovery – Software discovery of installed apps. “Software Discovery”
- [T1555.003] Credentials from Web Browsers – Exfiltrates credentials from multiple browsers. “The stealer exfiltrates credentials from the following browsers”
Indicators of Compromise
- [IP] main C2 server – 193.31.116[.]239 – used for command and control communications
- [Hash] r77-x64.dll – 8d54e4abe1762f96134a0c874cfb8cdc – rootkit/installation module (example; two more hashes exist)
- [Hash] r77-x86.dll – bf2ac81c25ebc55e88af9233c6c0e1b5 – rootkit/installation module (example; two more hashes exist)
- [Hash] bb.jpg (Bot Killer) – 735ad7684fdb6230972cf600980c0392 – bot-killer payload (example; two more hashes exist)
- [Hash] rt.jpg (rootkit) – f09903496c341436ce74625bbaafeb81 – rootkit binary (example; two more hashes exist)
Read more: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer