Cybersecurity experts have discovered a stealer identified as Invicta Stealer whose creators are extensively active on social media platforms including Facebook and YouTube.
What's happening?
Cyble Research and Intelligence Labs (CRIL) researchers have spotted Invicta Stealer being advertised on Facebook to find prospective buyers.
- A GitHub post claims that malware developers are offering a free stealer builder. While running builder, users are asked to input a Discord webhook/server URL, which serves as the C2.
- Attackers also own a YouTube Channel where they show a tutorial with detailed steps on how to create the Invicta Stealer executable using a builder tool available in the Github repository.
Infection range
Invicta Stealer targets different products such as Discord, crypto wallets (e.g., Neon, Zcash, VERGE, WalletWasabi), browsers (e.g., Chromium, Yandex, Vivaldi, Opera Neon), steam, and KeyPass password manager.
Modus Operandi
For initial infection, a spam email is used with a fake HTML page mimicking an authentic refund invoice from GoDaddy.
- Opening the HTML page redirects users to a Discord URL, then download a file named Invoice[.]zip.
- The zip file includes a shortcut file, INVOICE_MT103[.]Ink. When opened, the .lnk file triggers a PowerShell script.
- Next, the PowerShell script downloads the Invicta Stealer, which is disguised as Invoice_MT103_Payment[.]exe.
Experts have spotted an increase in the use of the Invicta Stealer owing to the active promotion of the builder.
Conclusion
Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat. Therefore, it is very important that users stay alert whenever they receive an email from an unknown sender. Further, the usage of Data Loss Prevention (DLP) solutions in the employees’ systems is recommended.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/1a64_shutterstock_1689176740.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/76d6_shutterstock_1099854977.jpg)
