Invicta Stealer Technical Analysis

This blog post comes from the “Invicta Stealer Technical Analysis” by the Brandefense Research Team. For more details about the analysis, download the report.

Introduction

This report includes a general overview and technical analysis of Invicta Stealer. At the end of the report, the obtained Indicators of Compromise (IoCs) and the written YARA rule have been shared.

Scope

In the “Scope” section, the hashes of the analyzed “Invicta Stealer” sample are given.

Filename: ac3e7f3c9b98de937715b84bea470a00debb3eddbe91f13504519ae2f2dc610e.exe
MD5:      8a9e7741ad1976685d7b64706760f022
SHA1:     2c10875b3a75cef2e785cd23f6ecbb842c2d08c8
SHA256:   ac3e7f3c9b98de937715b84bea470a00debb3eddbe91f13504519ae2f2dc610e

Executive Summary

Invicta Stealer is information-stealing malware designed to steal sensitive user data, with a focus on Discord, cryptocurrency wallets, and web browsers. It has gained attention because it uses a range of techniques to evade detection and to propagate its malicious activity.

The malware first emerged in April with the release of its builder on GitHub, allowing threat actors to easily customize and distribute instances of the malware. Invicta Stealer leverages syscalls and anti-analysis techniques to interact with the operating system at a low level, making it challenging for security solutions to detect and analyze its behavior.

Once deployed, Invicta Stealer exfiltrates a range of user data, including credentials, financial information, and browser-related data. It employs API hashing to obfuscate the names of the Windows API functions it uses, which further complicates detection and analysis.
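The API hashing described above replaces plain import names with numeric constants, so an analyst recovers the names by hashing every export of the relevant DLLs with the sample's own hash routine and building a reverse lookup table. The following is an added example of that workflow and is not code from the Brandefense report; the ROR13 hash used here is an assumed stand-in for illustration (Invicta's real routine must be lifted from the sample and substituted), and the export list is a constructed subset rather than a parsed export table.

```python
# Added example (not from the Brandefense report): mapping API-hash constants
# back to Windows API names. The hash function below (ROR13 over the ASCII
# name) is an ASSUMPTION for illustration; the real routine is read out of the
# sample's hash-and-compare loop and dropped in here in place of api_hash().
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` bits."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Hypothetical ROR13 hash of an export name (case-sensitive ASCII)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


# Constructed export list standing in for the names parsed from the export
# tables of kernel32.dll / advapi32.dll on the analysis machine.
SAMPLE_EXPORTS: List[str] = [
    "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc",
    "GetProcAddress", "LoadLibraryA", "CryptUnprotectData",
]


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Hash every export name once; refuse silently-wrong tables on collision."""
    table: Dict[int, str] = {}
    for name in exports:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name} -> {h:#010x}")
        table[h] = name
    return table


def resolve_hashes(table: Dict[int, str], hashes: Iterable[int]) -> Dict[int, Optional[str]]:
    """Map constants found in the binary to names; None marks an unresolved hash
    (wrong DLL in the export list, or the hash routine was mis-identified)."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    lookup = build_hash_table(SAMPLE_EXPORTS)
    # Constants an analyst would pull from the sample's resolver calls; the
    # second value is constructed to show an unresolved entry.
    for h, name in resolve_hashes(lookup, [api_hash("CryptUnprotectData"), 0xDEADBEEF]).items():
        print(f"{h:#010x} -> {name}")
```

Unresolved entries are the useful signal: they usually mean the export list is missing a DLL the sample resolves from, or the hash routine was transcribed incorrectly, and both are worth checking before trusting the rest of the table.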

The builder, written in .NET, enables customization of the malware’s behavior by replacing the encrypted Command and Control (C2) URL address. Additionally, it utilizes AES encryption and Base64 encoding to encrypt and encode the C2 address within the patched binary.
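Because the builder stores the C2 address as AES ciphertext wrapped in Base64, the first job of any extractor is to locate that blob inside the patched binary. The example below is an added illustration and is not the Brandefense extractor script: it scans a buffer for Base64 runs that decode to a whole number of 16-byte AES blocks with high byte entropy, which separates encrypted configuration from ordinary strings. The sample binary, the decoy string and the entropy threshold are constructed for the example; the final AES decryption step is not shown because the key, mode and IV have to be recovered from the sample itself and are not given on this page.

```python
# Added example (not the Brandefense extractor): find Base64 blobs in a binary
# that look like AES ciphertext, i.e. candidate locations of an encrypted C2
# address. Sample data below is constructed; thresholds are illustrative.
import base64
import math
import re
from typing import List, Tuple

# A Base64 run long enough to hold at least one AES block plus padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant buffer, 8.0 at most)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_candidate_blobs(binary: bytes, min_entropy: float = 4.0) -> List[Tuple[int, bytes]]:
    """Return (offset, decoded_bytes) for every Base64 run that decodes cleanly
    to a non-empty multiple of 16 bytes and whose content is high-entropy."""
    found: List[Tuple[int, bytes]] = []
    for m in B64_RUN.finditer(binary):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue                # bad padding or not really Base64
        if len(raw) == 0 or len(raw) % 16 != 0:
            continue                # not block-aligned: not AES output
        if shannon_entropy(raw) < min_entropy:
            continue                # repetitive payload: plain text, not cipher
        found.append((m.start(), raw))
    return found


# Constructed stand-in for 32 bytes of AES ciphertext (all bytes distinct, so
# entropy is exactly 5.0) and a constructed PE-like buffer around it. The first
# Base64 run is a low-entropy decoy that must be rejected.
CIPHERTEXT = bytes(range(0, 256, 8))
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + base64.b64encode(b"A" * 32)       # decoy: decodes block-aligned, entropy 0
    + b"\x00" * 8
    + base64.b64encode(CIPHERTEXT)      # the blob an extractor should target
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, raw in find_candidate_blobs(SAMPLE_BINARY):
        print(f"candidate at offset {offset:#x}: {len(raw)} bytes, "
              f"entropy {shannon_entropy(raw):.2f}")
```

With the offset in hand, the extractor reads the blob, Base64-decodes it and decrypts it with the AES parameters recovered from the builder's patching routine; for YARA, the same Base64-wrapped block-aligned pattern is what a rule can anchor on.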

Our Threat Research Team has prepared a Python script that dumps the Invicta Stealer Command and Control (C2) address from a sample.

INVICTA STEALER C2 EXTRACTOR

Download YARA Rules and IoCs from GitHub.
