This week, Lee Archinal, a Threat Bounty Program contributor, posted a community Sigma rule for detecting yet another infostealer. The “Immortal Stealer (Sysmon Behavior)” rule is available for download in the Threat Detection Marketplace after registration: https://tdm.socprime.com/tdm/info/V0Q03WX81XBY/dEM_SXQBSh4W_EKGVbX_/?p=1
Immortal Stealer appeared a little over a year ago on dark web forums, sold as subscriptions with different builds. It is a typical .NET infostealer designed to steal saved login credentials, credit card data, cookie files, and autofill data. Right after infection, the malware creates a directory with a random name in a temp folder.
Immortal Stealer can extract data from 24 browsers, steal session-related files from Telegram and Discord, copy files related to cryptocurrency wallet software, and take screenshots of the desktop. When the “job” is done, the malware compresses the stolen data into a ZIP archive, exfiltrates it to the command-and-control server, and attempts to delete traces of its activity.
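The staging-then-cleanup behaviour described above (random-named temp directory, ZIP archive, deletion of the staged files) is the kind of chain a Sysmon-based rule can correlate per process; the example below is added here to illustrate that idea and is not the published rule or SOC Prime's code. It assumes Sysmon event IDs 11 (FileCreate) and 23 (FileDelete), Sysmon's field names, and constructed sample events.

```python
import re
from collections import defaultdict

# Sysmon event IDs used: 11 = FileCreate, 23 = FileDelete.
# Field names (EventID, ProcessGuid, TargetFilename) follow Sysmon's schema;
# the events below are constructed for this example, not real telemetry.
STAGING_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\([a-z0-9]{8,})\\", re.IGNORECASE)

def looks_random(name):
    """Crude heuristic for a generated directory name: letters and digits mixed."""
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)

def detect_staging(events):
    """Return ProcessGuids that write files into a random-named %TEMP% subdirectory,
    create a ZIP there, and then delete files from that same directory."""
    state = defaultdict(lambda: {"staged": set(), "zipped": set(), "deleted": set()})
    for ev in events:
        m = STAGING_RE.match(ev.get("TargetFilename", ""))
        if not m or not looks_random(m.group(1)):
            continue  # not a random-named temp staging directory
        d = m.group(1).lower()
        s = state[ev["ProcessGuid"]]
        if ev["EventID"] == 11:
            s["staged"].add(d)
            if ev["TargetFilename"].lower().endswith(".zip"):
                s["zipped"].add(d)
        elif ev["EventID"] == 23:
            s["deleted"].add(d)
    # flag only when all three stages hit the same directory for the same process
    return sorted(g for g, s in state.items() if s["staged"] & s["zipped"] & s["deleted"])

SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 11, "ProcessGuid": "{A1}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x7k2q9pL\Login Data"},
    {"EventID": 11, "ProcessGuid": "{A1}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x7k2q9pL\Cookies"},
    {"EventID": 11, "ProcessGuid": "{A1}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x7k2q9pL\report.zip"},
    {"EventID": 23, "ProcessGuid": "{A1}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x7k2q9pL\Login Data"},
    # benign: an installer writing into a readable temp directory name and cleaning up
    {"EventID": 11, "ProcessGuid": "{B2}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setupfiles\pkg.zip"},
    {"EventID": 23, "ProcessGuid": "{B2}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setupfiles\pkg.zip"},
]

if __name__ == "__main__":
    print(detect_staging(SAMPLE_EVENTS))  # ['{A1}']
```

Pair this with Sysmon's registry events (Event ID 13) if you also want to cover the Modify Registry technique the rule is mapped to.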
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Defense Evasion
Techniques: File Deletion (T1107), Modify Registry (T1112)