GoDaddy Refund Phishing Emails Spread Infostealer

Godaddy Refund Phishing Scam
Refunds from GoDaddy became a new disguise for hackers

Hackers started using GoDaddy Refund Emails as a disguise to trick the users into installing malware. In order to deploy the payload, they opted for a particularly new tactic or, well, combination of ones. As a payload, a unique free open-source Invicta Stealer is used.

GoDaddy Refund Email Phishing

Being a widely popular web hosting provider, GoDaddy obviously has a line of different options for money chargebacks. Some people are not happy with how the service works, some people want to cancel the domain parking or hosting due to personal reasons – refund emails are typical for such requests. This is where hackers decided to take inspiration from.

Random users started receiving emails with the topic set as “GoDaddy Refund”. It touched even ones who have never ever interacted with the company and its services. There were no reported cases of using compromised emails that belong to GoDaddy. These emails contain a pretty standard notification about the incoming refund and the link to a page “where you can get the refund details”. Obviously, even when a person is new to GoDaddy, they will most likely be eager to check it up. This link leads to a page that, once again, repeats a genuine one used by the company to share documents.

GoDaddy Refund Email Phishing page
Phishing page that redirects to a malware downloading

The page, however, does not start a direct download, and instead redirects the victim to a Discord URL, where the .zip archive is downloaded. This archive contains an .lnk file, disguised as a PDF document, which launches the PowerShell script. The latter initiates downloading and running the Invicta stealer.

.lnk file Invicta stealer
Properties of the .lnk file that downloads Invicta stealer

Invicta Stealer Description

Invicta is a pretty unique example of an infostealer. By default, it is free and open-source, meaning that its source code is available to the public on GitHub. Another malware with similar philosophy is HiddenTear ransomware – one in its kind as well. Though in the Telegram group where the stealer developers are promoting their stealer, there are the offers to purchase the web panel access for $50.

Invicta stealer telegram
Telegram community that promotes Invicta Stealer

However, other details of Invicta are way less unusual. Same as other modern-time stealers, it applies several anti-analysis and anti-detection tricks upon execution. Then, it routinely starts with grabbing Discord and Steam session tokens and crypto wallets information. The latter is collected only from desktop apps, while most of other stealers will also aim at browser extensions as well. Browsers are treated separately: malware takes every piece of a file that can contain valuable information. It also can target the KeyPass password manager app – less common, but still expected capability.

Targeted browsers and cryptowallets

Click to expand

List of targeted web browsers

BraveSoftware Amigo Chedot
Citrio Sputnik ChromePlus
Uran Epic Privacy Browser Blisk
Opera Stable Google Chrome Coowon
Orbitum Elements Browser 360Browser
Microsoft Edge Torch Yandex
CocCoc Browser liebao Vivaldi
Sleipnir Opera Neon QIP Surf
7Star Comodo Dragon Kometa
Chromium CentBrowser Iridium

List of targeted cryptocurrency wallets

Neon neblio Guarda
Coinomi CloakCoin Electrum-LTC
ark-desktop-wallet WalletWasabi Litecoin
Zcash Exodus Bitcoin
Dogecoin ElectrumG Electrum-Smart
Nano Wallet Desktop Armory Exodus Eden
VERGE atomic scatter
Electrum MultiBitHD com.liberty.jaxx
Binance Daedalus Mainnet

Aside from passwords and session tokens, Invicta stealer gathers some trivial information regarding the system. It is a system screen size, CPU count, OS version and build, HWID, time zone and username. Malware can also gather other data when receiving a corresponding command – for example, enumerate users and installed programs. That data is commonly used to fingerprint the system, but can also be useful to emulate the victim’s system for more precise session hijacks.

How to protect yourself?

Here, two vectors of protection may be applied. First is proactive – the counteraction to email spam and phishing pages on the Web. Another one is rather a second line of defence – the one which protects against the spyware/stealer payload.

Pay attention to emails you’re opening. Most of the time, they are harmless – but that is what hackers want you to think. If you’ve received an email which you do not expect to receive, or its contents are not typical to what the sender typically sends, it is better to perform a diligent checkup. Most of the time, you will find differences in the sender’s email address, and, in some cases, typos or mistakes in the message body. Though, in rare cases of business email compromise, it may be hard to say whether the sender is legit or not. For that reason, relying entirely on your attention is not a guarantee.

Use anti-malware software with network monitoring. Here, anti-malware programs will act as both reactive and proactive solutions. Having a netmonitor makes it useful for preventing you from accessing phishing pages. Meanwhile, when malware manages to arrive at your device, it will still be blocked, especially when the program has a well-designed proactive protection system. GridinSoft Anti-Malware is the one you may rely on – consider giving it a try.

GoDaddy Refund Phishing Emails Spread Infostealer

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

View all of Stephanie Adlam's posts.

Leave a comment

Your email address will not be published. Required fields are marked *