win.iconic_stealer

IconicStealer

Actor(s): Lazarus Group


Follow-up payload in the March 2023 3CX supply-chain incident, delivered through the trojanized 3CX desktop application. According to Volexity it is an infostealer that collects information about the system and installed browsers, reading the browsers' history databases with an embedded copy of the SQLite3 library rather than relying on a SQLite DLL present on the host.

References
2023-04-20 · ESET Research · Peter Kálnai, Marc-Etienne M.Léveillé
@online{klnai:20230420:linux:fd293b6, author = {Peter Kálnai and Marc-Etienne M.Léveillé}, title = {{Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack}}, date = {2023-04-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack}, language = {English}, urldate = {2023-04-25} } Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
BADCALL, 3CX Backdoor, IconicStealer
2023-04-20 · Mandiant · Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott
@online{johnson:20230420:3cx:9ef2c90, author = {JEFF JOHNSON and Fred Plan and ADRIAN SANCHEZ and RENATO FONTANA and Jake Nicastro and Dimiter Andonov and Marius Fodoreanu and DANIEL SCOTT}, title = {{3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible}}, date = {2023-04-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise}, language = {English}, urldate = {2023-04-25} } 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
POOLRAT IconicStealer
2023-03-30 · Trend Micro · Trend Micro Research
@online{research:20230330:developing:2895b8a, author = {Trend Micro Research}, title = {{Developing Story: Information on Attacks Involving 3CX Desktop App}}, date = {2023-03-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html}, language = {English}, urldate = {2023-04-02} } Developing Story: Information on Attacks Involving 3CX Desktop App
3CX Backdoor IconicStealer
2023-03-30 · Volexity · Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
@online{saini:20230330:3cx:82b291e, author = {Ankur Saini and Callum Roxan and Charlie Gardner and Paul Rascagnères and Steven Adair and Thomas Lancaster}, title = {{3CX Supply Chain Compromise Leads to ICONIC Incident}}, date = {2023-03-30}, organization = {Volexity}, url = {https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/}, language = {English}, urldate = {2023-03-30} } 3CX Supply Chain Compromise Leads to ICONIC Incident
3CX Backdoor IconicStealer
2023-03-30 · Symantec · Threat Hunter Team
@online{team:20230330:3cx:fb5b214, author = {Threat Hunter Team}, title = {{3CX: Supply Chain Attack Affects Thousands of Users Worldwide}}, date = {2023-03-30}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack}, language = {English}, urldate = {2023-04-02} } 3CX: Supply Chain Attack Affects Thousands of Users Worldwide
3CX Backdoor IconicStealer
Yara Rules
[TLP:WHITE] win_iconic_stealer_auto (20230715 | Detects win.iconic_stealer.)
rule win_iconic_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.iconic_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review):
     * - The per-instruction comments shipped with the generated rule decoded the
     *   byte sequences as 32-bit code and were misaligned with the bytes; they
     *   have been replaced below with an x86-64 decode of each sequence so a
     *   reviewer can judge what the pattern actually anchors on.
     * - "e8????????" / "e9????????" are call/jmp with the rel32 displacement
     *   wildcarded, because the target moves with code layout and relocation.
     * - Several sequences are generic compiler output (stack-cookie check,
     *   null-check-after-call, zeroing via xorps/movups). Individually they are
     *   weak indicators; the specificity comes from requiring 7 of the 10
     *   sequences to co-occur. Treat a hit as medium confidence and corroborate
     *   with a string-based rule (e.g. win_iconicstealer_w0) or with context.
     * - Only a single sample backed the generation run; recompiled or
     *   re-obfuscated builds may fall below the 7-of-10 threshold.
     */


    strings:
        $sequence_0 = { e8???????? 488bd0 4885c0 7450 85db 7e32 488bc8 }
            // n = 7, score = 100
            // x86-64 decode; call result is copied and null-checked, then a length in ebx is tested
            //   e8????????           | call                <rel32>
            //   488bd0               | mov                 rdx, rax
            //   4885c0               | test                rax, rax
            //   7450                 | je                  +0x50
            //   85db                 | test                ebx, ebx
            //   7e32                 | jle                 +0x32
            //   488bc8               | mov                 rcx, rax

        $sequence_1 = { bab4000000 e8???????? 4c8bc0 e9???????? 4533c9 4533c0 bab4000000 }
            // n = 7, score = 100
            // x86-64 decode; the constant 0xb4 is loaded into edx before two different calls
            // (presumably a fixed size/length argument -- unconfirmed from the bytes alone)
            //   bab4000000           | mov                 edx, 0xb4
            //   e8????????           | call                <rel32>
            //   4c8bc0               | mov                 r8, rax
            //   e9????????           | jmp                 <rel32>
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   bab4000000           | mov                 edx, 0xb4

        $sequence_2 = { 8bd7 488bcb e8???????? eb0d 488b4328 668363142d 48894308 }
            // n = 7, score = 100
            // x86-64 decode; field updates on a structure held in rbx
            //   8bd7                 | mov                 edx, edi
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                <rel32>
            //   eb0d                 | jmp                 +0xd
            //   488b4328             | mov                 rax, qword ptr [rbx + 0x28]
            //   668363142d           | and                 word ptr [rbx + 0x14], 0x2d
            //   48894308             | mov                 qword ptr [rbx + 8], rax

        $sequence_3 = { c744c80805000000 448944c80c 4c894cc810 488b03 8b9390000000 80786700 7409 }
            // n = 7, score = 100
            // x86-64 decode; writes a 3-field record into an array indexed by rcx (stride 8)
            //   c744c80805000000     | mov                 dword ptr [rax + rcx*8 + 8], 5
            //   448944c80c           | mov                 dword ptr [rax + rcx*8 + 0xc], r8d
            //   4c894cc810           | mov                 qword ptr [rax + rcx*8 + 0x10], r9
            //   488b03               | mov                 rax, qword ptr [rbx]
            //   8b9390000000         | mov                 edx, dword ptr [rbx + 0x90]
            //   80786700             | cmp                 byte ptr [rax + 0x67], 0
            //   7409                 | je                  +9

        $sequence_4 = { bf05000000 8bc7 488b8d60010000 4833cc e8???????? 4c8d9c2470020000 498b5b18 }
            // n = 7, score = 100
            // x86-64 decode; "xor rcx, rsp; call" followed by "lea r11, [rsp+N]" looks like the
            // MSVC stack-cookie check and function epilogue -- a compiler idiom shared by many
            // binaries, so this sequence carries little weight on its own
            //   bf05000000           | mov                 edi, 5
            //   8bc7                 | mov                 eax, edi
            //   488b8d60010000       | mov                 rcx, qword ptr [rbp + 0x160]
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32>
            //   4c8d9c2470020000     | lea                 r11, [rsp + 0x270]
            //   498b5b18             | mov                 rbx, qword ptr [r11 + 0x18]

        $sequence_5 = { e8???????? 488bf8 4885c0 0f8411010000 0f57c0 33c0 0f1107 }
            // n = 7, score = 100
            // x86-64 decode; null-check of a call result, then zeroing 16 bytes at the returned pointer
            //   e8????????           | call                <rel32>
            //   488bf8               | mov                 rdi, rax
            //   4885c0               | test                rax, rax
            //   0f8411010000         | je                  +0x111
            //   0f57c0               | xorps               xmm0, xmm0
            //   33c0                 | xor                 eax, eax
            //   0f1107               | movups              xmmword ptr [rdi], xmm0

        $sequence_6 = { c3 48f7da 781d 4d85c0 7e33 48b8ffffffffffffff7f 492bc0 }
            // n = 7, score = 100
            // x86-64 decode; INT64_MAX minus a length in r8 -- reads like overflow-guard arithmetic
            // from bundled library code (the family embeds SQLite3), not stealer-specific logic
            //   c3                   | ret
            //   48f7da               | neg                 rdx
            //   781d                 | js                  +0x1d
            //   4d85c0               | test                r8, r8
            //   7e33                 | jle                 +0x33
            //   48b8ffffffffffffff7f | mov                 rax, 0x7fffffffffffffff
            //   492bc0               | sub                 rax, r8

        $sequence_7 = { c60741 e9???????? 6685c2 0f854c010000 488b01 488b6818 6644854912 }
            // n = 7, score = 100
            // x86-64 decode; stores the byte 0x41 ('A') then tests 16-bit flag words
            //   c60741               | mov                 byte ptr [rdi], 0x41
            //   e9????????           | jmp                 <rel32>
            //   6685c2               | test                dx, ax
            //   0f854c010000         | jne                 +0x14c
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   488b6818             | mov                 rbp, qword ptr [rax + 0x18]
            //   6644854912           | test                word ptr [rcx + 0x12], r9w

        $sequence_8 = { eb38 4885f6 740f ba40000000 488bce e8???????? eb0a }
            // n = 7, score = 100
            // x86-64 decode; guarded call with rsi as first argument and 0x40 as second
            //   eb38                 | jmp                 +0x38
            //   4885f6               | test                rsi, rsi
            //   740f                 | je                  +0xf
            //   ba40000000           | mov                 edx, 0x40
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                <rel32>
            //   eb0a                 | jmp                 +0xa

        $sequence_9 = { c7452801000000 e9???????? ba48000000 498bcc e8???????? 488bf8 4885c0 }
            // n = 7, score = 100
            // x86-64 decode; call with (r12, 0x48) whose result is kept in rdi and null-checked
            //   c7452801000000       | mov                 dword ptr [rbp + 0x28], 1
            //   e9????????           | jmp                 <rel32>
            //   ba48000000           | mov                 edx, 0x48
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                <rel32>
            //   488bf8               | mov                 rdi, rax
            //   4885c0               | test                rax, rax

    condition:
        // 7 of the 10 code sequences must co-occur. The size cap (2401280 bytes, ~2.29 MiB)
        // bounds scan cost and false positives, but it also means the rule will not fire on
        // larger containers carrying the same code (e.g. a packed or bundled build); scan
        // unpacked payloads or memory dumps, as the disclaimer above assumes.
        7 of them and filesize < 2401280
}
[TLP:WHITE] win_iconicstealer_w0 (20230331 | Detect the ICONICSTEALER malware family.)
rule win_iconicstealer_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detect the ICONICSTEALER malware family."
        // 64 hex characters, presumably the SHA-256 of the reference sample
        hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        // All three strings are plaintext UTF-16LE in the binary, so the rule also works on memory dumps
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        // Path suffix of the 3CX desktop client's configuration file. Ties the rule to the
        // 3CX-deployed variant: a re-targeted build that reads a different file would not match.
        $str1 = "\\3CXDesktopApp\\config.json" wide
        // SQL fragment selecting from the `urls` table -- the browsing-history table of
        // Chromium-family browsers' History SQLite database.
        $str2 = "url, title FROM urls" wide
        // SQL fragment selecting from `moz_places` -- the history table of Firefox/Gecko
        // browsers' places.sqlite.
        $str3 = "url, title FROM moz_places" wide

    condition:
        // All three UTF-16LE strings are required; `wide` alone will not match an ASCII-encoded
        // variant of the same query text. NOTE(review): if ASCII variants are observed, widen the
        // modifiers to `ascii wide` rather than dropping a string -- the 3CX path plus both browser
        // queries is what keeps this from matching ordinary browser-forensics tooling.
        all of them
}