
Developers of Invicta Stealer Utilize Facebook for Malware Promotion


The discovery of a new infostealer named ‘Invicta Stealer’ has raised concerns among cybersecurity experts. The developer of the Invicta Stealer is using Facebook, YouTube, and GitHub to connect with buyers and promote the malware. The developer has also offered a free stealer builder to increase popularity and attract buyers. Because the builder is available on GitHub, several instances of the malware in use have been found.

Users are sent a spam email with an HTML page attached to it. The HTML page presents itself as a refund invoice from GoDaddy. When a user opens the fraudulent refund HTML page, a Discord page is opened, leading the user to download a file named Invoice.zip. The zip file contains a shortcut file named INVOICE_MT103.lnk. The infection requires the user to open the .lnk file, which triggers a PowerShell command.
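A mail gateway or triage script can catch this delivery pattern before the user opens the shortcut. The following is an added example, not code from the original article or from the Cyble report: it scans a ZIP attachment for Windows shortcut files, by extension and by Shell Link header, and reports interpreter names embedded in them. The interpreter watch list, the function names and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Assumed watch list of interpreters a shortcut may launch; extend as needed.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
MAX_READ = 1 << 20  # read at most 1 MiB per member; real shortcuts are small


def interpreters_in(data: bytes) -> list[str]:
    """Return watch-list names found as ASCII or UTF-16LE text (case-insensitive)."""
    lowered = data.lower()  # lowercases ASCII letters, leaves other bytes alone
    return [n for n in INTERPRETERS
            if n.encode("ascii") in lowered or n.encode("utf-16-le") in lowered]


def scan_zip(blob: bytes) -> list[dict]:
    """Flag archive members that are shortcuts, by file name or by header bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                data = fh.read(MAX_READ)
            by_name = info.filename.lower().endswith(".lnk")
            by_magic = data.startswith(LNK_MAGIC)
            if by_name or by_magic:
                findings.append({
                    "member": info.filename,
                    "lnk_header": by_magic,
                    "renamed": by_magic and not by_name,
                    "interpreters": interpreters_in(data),
                })
    return findings


def build_sample() -> bytes:
    """Constructed archive: header bytes plus inert text, not a working shortcut."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "powershell.exe placeholder".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE_MT103.lnk", fake_lnk)
        zf.writestr("readme.txt", b"refund details")
        zf.writestr("statement.pdf", fake_lnk)  # shortcut behind another extension
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

Checking the header as well as the extension catches a shortcut that has been renamed inside the archive.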

Researchers from the Cyble Research & Intelligence Labs analyzed a 64-bit GUI binary of the Invicta stealer found in the wild. They found that it encrypts its strings to hide their contents and uses syscalls for its operations. It uses multithreading to perform multiple tasks simultaneously. Before stealing data, the malware collects system and hardware data to determine the target's location, time zone, and system language.

The hardware data it collects includes main memory size, number of CPU cores, screen resolution, hardware ID, IP address, and Geo IP data. The Invicta stealer also steals sensitive system information such as computer name, system username, time zone, language, operating system version, names of running processes, and hardware data. After collecting all of this data from the system, it temporarily stores it in the system’s memory.

Invicta creates a compressed zip file with a random name, and the hardware ID is used for the file name. The file is sent to the C&C server or Discord webhook, where the attacker can use it to mount further attacks, such as stealing money from wallets and banks and creating more relevant phishing emails with the target’s data.

The information stealer is equipped to steal data from most locations on a system, which makes it important to detect and stop it at the phishing-email stage. Attackers use catchy subjects such as refunds to make users think the message is about an incoming credit. The seller of the Invicta stealer wrote on Facebook that the developer would create a cheap subscription (up to $50-80 per month) that would feature a web panel and asked if users would use the product.

Lower subscription prices compared to competitors, combined with easy-to-use builder tools, make it easier for novice hackers to launch cyberattacks. The low cost and ease of access can also increase the number of attacks taking place. Invicta Stealer targets not only browsers but also gaming applications like Steam and password managers like the KeePass password manager.

Invicta Stealer is the latest in a series of information-stealing malware. Its discovery highlights the need for companies to encourage cybersecurity education and awareness among employees. Experts warn that phishing emails are a serious cybersecurity threat and should not be taken lightly. Vigilance and awareness among employees could help reduce the risks associated with malware attacks.
