Fickle Stealer Attacking Windows Machine To Steal Sensitive Data
Hackers often abuse stealers to harvest login credentials, financial data, and personal data usable for identity theft from infected computer systems.
In the cybercrime economy, stealer attacks are a low-risk, highly lucrative way for threat actors to make money while slipping past defensive measures.
Cybersecurity researchers at Fortinet recently found that Fickle Stealer has been actively attacking Windows machines to steal sensitive data.
Fickle Stealer Attacking Windows Machine
Fickle Stealer is a sophisticated Rust-based malicious program that delivers itself through four vectors: a VBA dropper, a VBA downloader, a Link downloader, and an Executable downloader.
Its preparatory stage runs PowerShell scripts that evade UAC by creating scheduled tasks, inject code into executables, and communicate with the operator via Telegram.
The packer disguises itself as a genuine executable that later decrypts and runs the payload, which evades routine analysis by injecting code before the WinMain function executes.
Attack flow (Source – Fortinet)
Fickle Stealer begins by creating a mutex and performing anti-analysis checks, such as detecting debuggers, analyzing process names, checking loaded modules, detecting virtual machines, examining hardware IDs, and inspecting usernames.
If every check passes, it gathers system information, creates a folder in the Temp directory, copies itself there, and lets that copy handle communication with the C2 server.
Fickle Stealer’s execution flow (Source – Fortinet)
The server responds with an RC4-encrypted target list of crypto wallets, plugins, file extensions, and paths.
Fickle Stealer steals the matching data, compresses it with Deflate, encodes it in a specific JSON format, and then exfiltrates it to the C2 server, according to the Fortinet report.
Beyond targeting popular apps, Fickle Stealer comprehensively searches for sensitive data in common installation directories and their parent paths.
It receives a flexible target list from its C2 server, enabling frequent updates to that list as development continues on new malware variants.
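For an analyst reconstructing this exchange from a capture, the two operations that matter are RC4-decrypting the server's target list and inflating the Deflate-compressed, JSON-encoded exfil blob. The helper below is an added example and not Fortinet's or the malware's code; the RC4 key, the JSON field names and the sample blobs are constructed assumptions, since the report does not publish the real key or schema.

```python
import json
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_target_list(key: bytes, blob: bytes) -> dict:
    """Recover the target list from a captured RC4-encrypted C2 response.
    The JSON layout is an ASSUMED layout for illustration, not the real schema."""
    return json.loads(rc4(key, blob).decode("utf-8"))


def inflate_exfil(blob: bytes) -> dict:
    """Decompress a captured exfil payload. The report only says 'Deflate';
    whether the stream is raw deflate or zlib-wrapped is not stated, so try both."""
    try:
        raw = zlib.decompress(blob, wbits=-15)  # raw deflate, no zlib header
    except zlib.error:
        raw = zlib.decompress(blob)             # zlib-wrapped deflate
    return json.loads(raw.decode("utf-8"))


def _raw_deflate(data: bytes) -> bytes:
    """Produce a raw deflate stream (used only to build the constructed sample)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# --- constructed sample data, not taken from a real infection ---
SAMPLE_KEY = b"analyst-recovered-key"  # placeholder; a real key comes from the sample
SAMPLE_TARGETS = {"wallets": ["Exodus"], "extensions": [".txt"], "paths": ["%APPDATA%"]}
SAMPLE_TARGET_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_TARGETS).encode())
SAMPLE_EXFIL_BLOB = _raw_deflate(json.dumps({"host": "WIN-TEST", "files": 2}).encode())

if __name__ == "__main__":
    print(decrypt_target_list(SAMPLE_KEY, SAMPLE_TARGET_BLOB))
    print(inflate_exfil(SAMPLE_EXFIL_BLOB))
```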
A robust security solution with proper monitoring is strongly recommended, as it provides protection against these evolving threats, including the latest Fickle Stealer versions and the updated attack chains.
IOCs
The post Fickle Stealer Attacking Windows Machine To Steal Sensitive Data appeared first on Cyber Security News.