Threat Actor Releases Free Builder to Boost Popularity and Inflict Damage

It is apparent from past evidence that threat actors (TAs) utilize social media platforms to demonstrate their technical expertise to attract potential allies or customers interested in acquiring or leasing malware families such as Stealers, Ransomware, RATs, and similar tools. The primary motivation behind such actions is to generate monetary gains or seek collaborations for engaging in highly profitable cyber-attacks. This pattern underscores the role of social media as a tool for connecting with like-minded individuals and facilitating the pursuit of lucrative cybercrime activities.

Cyble Research and Intelligence Labs (CRIL) came across a new stealer named Invicta Stealer. The developer behind this malware is extensively engaged on social media platforms, utilizing them to promote their information stealer and its lethal capabilities. The figure below shows the Telegram channel created by TAs to promote the stealer.

Figure 1 – Invicta Stealer Telegram Channel

Additionally, the TA has created a YouTube channel where they present a video tutorial detailing the steps to create the Invicta Stealer executable using a builder tool available in the GitHub repository. The Invicta Stealer can collect system information, system hardware details, wallet data, and browser data, and extract information from applications like Steam and Discord. The GitHub post by the TA, illustrated in the figure below, highlights their active promotion of the Invicta Stealer and its functionalities.

Figure 2 – GitHub Post of Invicta Stealer

The GitHub post includes a noteworthy detail: the malware developer generously offers a free stealer builder alongside the provided information. When running the builder executable, users are prompted to input a Discord webhook or server URL, which serves as the command and control (C&C) mechanism. The figure below illustrates the Invicta Stealer builder.

Figure 3 – Invicta Stealer Builder

CRIL has noticed a significant increase in the prevalence of the Invicta Stealer due to its builder's availability on the GitHub page, leading to numerous TAs actively employing it to infect unsuspecting users. The figure below shows the statistics of Invicta Stealer samples identified in the wild.

Figure 4 – Increased Activity of Invicta Stealer

The infection begins with a spam email carrying a deceptive HTML page designed to appear as an authentic refund invoice from GoDaddy, aiming to trick the recipients. The figure below shows the phishing HTML page.

Upon opening the phishing HTML page, users are instantly redirected to a Discord URL, initiating the download of a file named “Invoice.zip”. The figure below illustrates the HTML page’s redirection process to the Discord URL to download “Invoice.zip”.

Figure 6 – Browser Redirecting to Download Compressed File

Inside the “Invoice.zip” archive file, there is a shortcut file named “INVOICE_MT103.lnk”.
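The lure chain described above has three static artefacts a defender can check for in triage: an HTML attachment that redirects to a Discord-hosted download, an archive whose payload is a Windows shortcut (.lnk), and a sample that embeds a Discord webhook URL as its C&C. The script below is an added example and is not Cyble's code or anything from the Invicta Stealer project; the HTML page, the in-memory archive, the placeholder .lnk bytes, the webhook URL and the host list it matches against are all constructed for the demonstration, and the redirect patterns cover only meta-refresh and `location` assignments.

```python
"""Added triage example (not Cyble's code, not Invicta Stealer code): static
checks for the three artefacts in the lure chain described above.
All inputs are constructed; no real samples, URLs or endpoints are used."""
import io
import re
import zipfile

# Hosts treated as "Discord-hosted download" (assumption: the write-up only
# says "a Discord URL", so this list is illustrative, not exhaustive).
DISCORD_HOSTS = {"cdn.discordapp.com", "discord.com", "discordapp.com"}

# <meta http-equiv="refresh" content="0; url=..."> (http-equiv before content)
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\'][^"\']*?url=([^"\'\s>]+)',
    re.I)
# window.location = "..." / location.href = "..."
JS_LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
# Shape of a Discord webhook URL used as C&C (pattern is an assumption)
WEBHOOK = re.compile(
    r'https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+')


def host_of(url: str) -> str:
    """Lower-cased host part of an http(s) URL, or '' if it is not one."""
    m = re.match(r'https?://([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else ""


def redirect_targets(html: str) -> list[str]:
    """All redirect destinations found in the HTML, deduplicated in order."""
    found = META_REFRESH.findall(html) + JS_LOCATION.findall(html)
    return list(dict.fromkeys(found))


def discord_redirects(html: str) -> list[str]:
    """Redirect targets whose host is a Discord download host."""
    return [u for u in redirect_targets(html) if host_of(u) in DISCORD_HOSTS]


def lnk_entries(zip_bytes: bytes) -> list[str]:
    """Names of Windows shortcut (.lnk) members inside a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".lnk")]


def webhook_urls(blob: bytes) -> list[str]:
    """Discord webhook URLs embedded in a sample; latin-1 decoding never fails."""
    return list(dict.fromkeys(WEBHOOK.findall(blob.decode("latin-1"))))


def triage(html: str, zip_bytes: bytes, sample: bytes) -> dict:
    """Run the three checks and return a combined verdict."""
    redirects = discord_redirects(html)
    shortcuts = lnk_entries(zip_bytes)
    hooks = webhook_urls(sample)
    return {
        "discord_redirect": redirects,
        "lnk_in_archive": shortcuts,
        "webhook_c2": hooks,
        # lure chain (redirect + shortcut) or a webhook C&C is enough to flag
        "suspicious": bool(redirects and shortcuts) or bool(hooks),
    }


# --- constructed sample inputs -------------------------------------------
SAMPLE_HTML = """<html><head><title>GoDaddy Refund Invoice</title>
<meta http-equiv="refresh" content="0; url=https://cdn.discordapp.com/attachments/111/222/Invoice.zip">
</head><body><script>
window.location.href = "https://cdn.discordapp.com/attachments/111/222/Invoice.zip";
</script></body></html>"""


def build_sample_zip() -> bytes:
    """In-memory Invoice.zip with one .lnk member; the member body is a
    placeholder, not a real shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INVOICE_MT103.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
    return buf.getvalue()


# Placeholder webhook URL (constructed, not a real endpoint) between junk bytes
SAMPLE_BINARY = (b"\x00MZ\x90\x00junk"
                 b"https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER_token-value"
                 b"\x00more junk\xff")

if __name__ == "__main__":
    print(triage(SAMPLE_HTML, build_sample_zip(), SAMPLE_BINARY))
```

The redirect check deliberately keys on the destination host rather than on the file name, because the archive name is trivially changed while the hosting choice is the part of the chain the write-up reports; the webhook check is a strings-level match and will miss URLs that are built at runtime, so treat a hit as a strong signal and a miss as inconclusive.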