win.iconic_stealer

IconicStealer

Actor(s): Lazarus Group


Follow-up payload in the 3CX supply-chain incident; according to Volexity it is an infostealer that collects information about the system and browser, using an embedded copy of the SQLite3 library.

References
2023-04-20 | Mandiant | ADRIAN SANCHEZ, DANIEL SCOTT, Dimiter Andonov, Fred Plan, Jake Nicastro, JEFF JOHNSON, Marius Fodoreanu, RENATO FONTANA
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
POOLRAT IconicStealer UNC4736
2023-04-20 | ESET Research | Marc-Etienne M.Léveillé, Peter Kálnai
Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
BADCALL SimpleTea POOLRAT 3CX Backdoor BADCALL IconicStealer
2023-03-30 | Volexity | Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
3CX Supply Chain Compromise Leads to ICONIC Incident
3CX Backdoor IconicStealer
2023-03-30 | Trend Micro | Trend Micro Research
Developing Story: Information on Attacks Involving 3CX Desktop App
3CX Backdoor IconicStealer
2023-03-30 | Symantec | Threat Hunter Team
3CX: Supply Chain Attack Affects Thousands of Users Worldwide
3CX Backdoor IconicStealer
Yara Rules
[TLP:WHITE] win_iconic_stealer_auto (20230808 | Detects win.iconic_stealer.)
rule win_iconic_stealer_auto {
    /* Auto-generated code-pattern signature for win.iconic_stealer.
     * Each $sequence_N is a run of x86-64 instruction bytes lifted from the
     * disassembly of memory dumps and unpacked files (see DISCLAIMER below);
     * "??" wildcards mask position-dependent operands (rel32 call/jmp
     * targets, RIP-relative displacements) so the pattern survives relocation.
     * NOTE(review): the per-instruction mnemonic annotations emitted by the
     * generator did not correspond to the listed opcode bytes (e.g. the
     * epilogue 5f 5e 5d c3 in $sequence_4 is pop rdi / pop rsi / pop rbp /
     * ret). The annotations below were re-decoded by hand as x86-64 and are
     * documentation only; confirm against a disassembler before relying on
     * them. Because the patterns come from unpacked code, packed or otherwise
     * transformed files on disk may not match; memory images and unpacked
     * binaries are the intended input.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.iconic_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 4c8b13 4c8d05e6c60300 488bc6 488bce 83e03f 48c1f906 }
            // n = 7, score = 100
            //   e9????????           | jmp                 rel32 (target masked)
            //   4c8b13               | mov                 r10, qword ptr [rbx]
            //   4c8d05e6c60300       | lea                 r8, [rip + 0x3c6e6]
            //   488bc6               | mov                 rax, rsi
            //   488bce               | mov                 rcx, rsi
            //   83e03f               | and                 eax, 0x3f
            //   48c1f906             | sar                 rcx, 6

        $sequence_1 = { eb29 488d0c76 8d4601 898790000000 488b8788000000 c704c876000000 8954c804 }
            // n = 7, score = 100
            //   eb29                 | jmp                 short +0x29
            //   488d0c76             | lea                 rcx, [rsi + rsi*2]
            //   8d4601               | lea                 eax, [rsi + 1]
            //   898790000000         | mov                 dword ptr [rdi + 0x90], eax
            //   488b8788000000       | mov                 rax, qword ptr [rdi + 0x88]
            //   c704c876000000       | mov                 dword ptr [rax + rcx*8], 0x76
            //   8954c804             | mov                 dword ptr [rax + rcx*8 + 4], edx

        $sequence_2 = { 894338 66897318 66894b3e 6644896316 6644894b3c 663bf1 0f85dc000000 }
            // n = 7, score = 100
            //   894338               | mov                 dword ptr [rbx + 0x38], eax
            //   66897318             | mov                 word ptr [rbx + 0x18], si
            //   66894b3e             | mov                 word ptr [rbx + 0x3e], cx
            //   6644896316           | mov                 word ptr [rbx + 0x16], r12w
            //   6644894b3c           | mov                 word ptr [rbx + 0x3c], r9w
            //   663bf1               | cmp                 si, cx
            //   0f85dc000000         | jne                 +0xdc

        $sequence_3 = { e8???????? 4881c430020000 415f 415d 415c 5f 5e }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (target masked)
            //   4881c430020000       | add                 rsp, 0x230
            //   415f                 | pop                 r15
            //   415d                 | pop                 r13
            //   415c                 | pop                 r12
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi

        $sequence_4 = { 5f 5e 5d c3 40f6c504 7419 4c8bc7 }
            // n = 7, score = 100
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi
            //   5d                   | pop                 rbp
            //   c3                   | ret
            //   40f6c504             | test                bpl, 4
            //   7419                 | je                  short +0x19
            //   4c8bc7               | mov                 r8, rdi

        $sequence_5 = { eb05 b901000000 894f28 4885db 741f 8b4f28 48895f10 }
            // n = 7, score = 100
            //   eb05                 | jmp                 short +5
            //   b901000000           | mov                 ecx, 1
            //   894f28               | mov                 dword ptr [rdi + 0x28], ecx
            //   4885db               | test                rbx, rbx
            //   741f                 | je                  short +0x1f
            //   8b4f28               | mov                 ecx, dword ptr [rdi + 0x28]
            //   48895f10             | mov                 qword ptr [rdi + 0x10], rbx

        $sequence_6 = { f2490f2ad5 488d4dc7 f20f5e15???????? 66490f7ed0 e8???????? e9???????? 448b44242c }
            // n = 7, score = 100
            //   f2490f2ad5           | cvtsi2sd            xmm2, r13
            //   488d4dc7             | lea                 rcx, [rbp - 0x39]
            //   f20f5e15????????     | divsd               xmm2, qword ptr [rip + disp32] (displacement masked)
            //   66490f7ed0           | movq                r8, xmm2
            //   e8????????           | call                rel32 (target masked)
            //   e9????????           | jmp                 rel32 (target masked)
            //   448b44242c           | mov                 r8d, dword ptr [rsp + 0x2c]

        $sequence_7 = { ffc7 4883c108 3bfa 7cf1 e9???????? 488b4b20 4885c9 }
            // n = 7, score = 100
            //   ffc7                 | inc                 edi
            //   4883c108             | add                 rcx, 8
            //   3bfa                 | cmp                 edi, edx
            //   7cf1                 | jl                  short -0xf
            //   e9????????           | jmp                 rel32 (target masked)
            //   488b4b20             | mov                 rcx, qword ptr [rbx + 0x20]
            //   4885c9               | test                rcx, rcx

        $sequence_8 = { e9???????? 488b75a8 4c8b442470 8b06 83c003 413b00 7e1f }
            // n = 7, score = 100
            //   e9????????           | jmp                 rel32 (target masked)
            //   488b75a8             | mov                 rsi, qword ptr [rbp - 0x58]
            //   4c8b442470           | mov                 r8, qword ptr [rsp + 0x70]
            //   8b06                 | mov                 eax, dword ptr [rsi]
            //   83c003               | add                 eax, 3
            //   413b00               | cmp                 eax, dword ptr [r8]
            //   7e1f                 | jle                 short +0x1f

        $sequence_9 = { c7430400000000 41ba1f000000 49bb1142082184104208 418b49f8 85c9 745b 8d4701 }
            // n = 7, score = 100
            //   c7430400000000       | mov                 dword ptr [rbx + 4], 0
            //   41ba1f000000         | mov                 r10d, 0x1f
            //   49bb1142082184104208     | mov    r11, 0x842108421084211
            //   418b49f8             | mov                 ecx, dword ptr [r9 - 8]
            //   85c9                 | test                ecx, ecx
            //   745b                 | je                  short +0x5b
            //   8d4701               | lea                 eax, [rdi + 1]

    condition:
        // Any 7 of the 10 opcode sequences must be present; the size bound
        // excludes scanned objects of 2401280 bytes or more.
        7 of them and filesize < 2401280
}
[TLP:WHITE] win_iconicstealer_w0    (20230331 | Detect the ICONICSTEALER malware family.)
rule win_iconicstealer_w0 {
    /* String-based signature for ICONICSTEALER (Volexity, 2023-03-30).
     * All three strings are matched as UTF-16LE ("wide") and all must be
     * present:
     *   $str1 - path fragment of the 3CX desktop application's config.json
     *   $str2 - SQL fragment reading url/title from the Chromium-family
     *           History database table "urls"
     *   $str3 - SQL fragment reading url/title from the Firefox places
     *           database table "moz_places"
     * Requiring all of them keeps the legitimate 3CXDesktopApp path ($str1),
     * which a benign 3CX install also references, from firing on its own.
     * memory_suitable = 1 presumably indicates the rule is intended for
     * memory images as well as files; confirm against the Volexity
     * repository conventions.
     */
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detect the ICONICSTEALER malware family."
        hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        // 3CX desktop app configuration file path (UTF-16LE)
        $str1 = "\\3CXDesktopApp\\config.json" wide
        // Chromium-family browser history query fragment (UTF-16LE)
        $str2 = "url, title FROM urls" wide
        // Firefox places.sqlite history query fragment (UTF-16LE)
        $str3 = "url, title FROM moz_places" wide

    condition:
        // all three strings required; no filesize bound, so the rule is
        // equally applicable to memory scans
        all of them
}