Immortal Stealer

This week, Lee Archinal, the Threat Bounty Program contributor posted a community Sigma rule for detecting yet another infostealer. The “Immortal Stealer (Sysmon Behavior)” rule is available for download in the Threat Detection Marketplace after registration: https://tdm.socprime.com/tdm/info/V0Q03WX81XBY/dEM_SXQBSh4W_EKGVbX_/?p=1

Immortal Infostealer appeared a little over a year ago on the dark web forums with different build-based subscriptions. This is a common malware written in .NET that is designed to steal saved login credentials and credit card data, cookie files, and autofill data. Just after infection, the malware creates a directory with a random name in a temp folder. 

Immortal Stealer is capable of extracting data from 24 browsers, stealing session-related files from Telegram and Discord, copying files related to cryptocurrency wallet software, and taking screenshots of the desktop. When the “job” is done, the malware compresses stolen data into a ZIP archive, exfiltrates it to the command-and-control server, and attempts to delete traces of the malicious activity.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Defense Evasion

Techniques: File Deletion (T1107), Modify Registry (T1112)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.