Cyble Research and Intelligence Labs (CRIL) uncovered Invicta Stealer, promoted on social platforms with a free builder hosted on GitHub to amplify its reach. The malware targets browsers, cryptocurrency wallets, gaming apps, and password managers, and exfiltrates the collected data over a Discord-based C2 channel; one observed delivery chain starts from phony GoDaddy refund invoices.
Key points
- Invicta Stealer is a newly identified information stealer aggressively promoted by threat actors on social media and messaging platforms.
- A GitHub-based free builder enables users to create Invicta Stealer payloads with a Discord webhook/server URL used as the C2 channel.
MITRE Techniques
- [T1204] User Execution – “When running the builder executable, users are prompted to input a Discord webhook or server URL, which serves as the command and control (C&C) mechanism.”
- [T1027] Obfuscated Files or Information – “The stealer employs encrypted strings to conceal important information, and crucial operations are executed using SYSCALLS.”
- [T1528, T1555] Steal Application Access Token / Credentials from Password Stores – “The Invicta Stealer can collect system information, system hardware details, wallet data, and browser data and extract information from applications like Steam and Discord.”
- [T1010, T1083] Application Window Discovery / File and Directory Discovery – “enumerates three specific paths within the system … C:\Users\<username>\AppData\Roaming\discord\Local Storage\leveldb”
- [T1005] Data from Local System – “collects an extensive array of system information… The data is consolidated into ‘sys_info.txt’.”
- [T1071] Application Layer Protocol – “Discord webhook or server URL … serves as the command and control (C&C) mechanism.”
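The T1071 mapping above rests on the stealer using a Discord webhook URL as its C2 and exfiltration channel. The following detection script is an added example and not code from the Cyble post: it scans proxy-style log lines for POST requests to Discord webhook endpoints and rates the finding higher when the originating process is not one that normally talks to Discord. The log format, the process names (including `invoice_viewer.exe`) and the webhook IDs/tokens are all constructed samples; the allow-list of expected clients is an assumption to be tuned to your own estate.

```python
"""
Added detection example (not from the Cyble post): flag outbound Discord
webhook traffic, the C2/exfiltration channel attributed to Invicta Stealer.
All log lines, process names and webhook IDs/tokens below are constructed.
"""
import re
from urllib.parse import urlparse

# Discord webhook endpoints look like
#   https://discord.com/api/webhooks/<channel-id>/<token>
# (optionally versioned: /api/v10/webhooks/...). Stealers POST their loot here.
WEBHOOK_RE = re.compile(r"^/api(?:/v\d+)?/webhooks/(?P<id>\d+)/(?P<token>[\w\-]+)", re.ASCII)
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}

# Assumption: these are the only processes expected to reach Discord in this
# environment. Anything else POSTing to a webhook is rated "high".
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy-log format: ts src_ip process method url status bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample log: one benign Discord API call, one suspicious webhook
# POST from an unknown process, one webhook POST from the Discord client,
# an unrelated request, and a malformed line that the parser must skip.
SAMPLE_LOGS = """\
2023-05-25T10:01:02Z 10.0.0.5 chrome.exe GET https://discord.com/api/v9/gateway 200 312
2023-05-25T10:01:09Z 10.0.0.5 invoice_viewer.exe POST https://discord.com/api/webhooks/1111111111111111111/TOKEN_PLACEHOLDER_A 204 48213
2023-05-25T10:01:11Z 10.0.0.7 discord.exe POST https://discord.com/api/webhooks/2222222222222222222/TOKEN_PLACEHOLDER_B 204 512
2023-05-25T10:02:00Z 10.0.0.9 outlook.exe GET https://www.godaddy.com/ 200 1200
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a finding for a POST to a Discord webhook, else None."""
    u = urlparse(rec["url"])
    if u.hostname not in DISCORD_HOSTS:
        return None
    m = WEBHOOK_RE.match(u.path)
    if m is None or rec["method"] != "POST":
        return None
    unexpected = rec["proc"].lower() not in EXPECTED_CLIENTS
    return {
        "ts": rec["ts"],
        "src": rec["src"],
        "proc": rec["proc"],
        "webhook_id": m.group("id"),
        "bytes_out": int(rec["bytes"]),
        "severity": "high" if unexpected else "medium",
    }


def scan(log_text):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['proc']} -> webhook {f['webhook_id']} ({f['bytes_out']} bytes out)")
```

Webhook POSTs are fire-and-forget (Discord answers 204 with no body), so the outbound byte count is the useful signal: a large upload to a webhook from a process that is not a Discord client or browser is the pattern to alert on. The webhook token is deliberately not included in the finding so that alerts do not carry a credential into ticketing systems.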
Indicators of Compromise
- [Hash] MD5 a48d1ff9c016484b3cac152d8d7105f4, SHA1 ffdefa66bb8d00493e160cac67f8763566010c2c (malicious phishing HTML)
- [Hash] MD5 db50086280878a064a1b5ccc61888bcd, SHA1 eda3a5b8ec86dd5741786ed791d43698bb92a262 (Invoice.zip)
- [Hash] MD5 594a86d0fa8711e48066b1852ad13ac6, SHA1 35b840640e6a3c53a6ba0c6efa1a19a061f5c104 (shortcut link file)
- [Hash] MD5 a05d09177ff0cc866a4e7993f466564a, SHA1 60182b39f64936365ab1bdb2954cbcbb626a0e1e (malicious HTA file)
- [Hash] MD5 cff3ed52f607f1f440f1c034dc2b0cfb, SHA1 8b0d53f62ebb9aa3b12661da449d2e7a87dc6779 (Invicta Stealer executable)
- [Hash] MD5 1ca928016f030604c40a1567519d3dd0, SHA1 37337edafb7d4c1ff9a0b0787d09e2aea70d42f3 (Invicta Stealer executable)
Read more: https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/