Fickle Stealer Attacking Windows Machine To Steal Sensitive Data


Hackers often abuse stealers to steal login credentials, financial data, and identity theft data hidden in the infected computer systems.

Stealer attacks are a low-risk and highly lucrative way for threat actors to make money and breach defensive measures in the context of cybercrime.

Cybersecurity researchers at Fortinet recently found that Fickle Stealer has been actively attacking Windows machines to steal sensitive data.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Fickle Stealer Attacking Windows Machine

Rust’s sophistication caused the threat actors to create Fickle Stealer, a high-tech Rust-based malicious program that delivers itself through a VBA dropper, VBA downloader, Link downloader, and Executable downloader.

It innovatively initiates its preparation of PowerShell scripts evading UAC by creating scheduled tasks, injecting code into executables, and communicating via Telegram.

The Packer has its disguise as genuine executable software that later decrypts and executes this sneaky payload, which dodges normal analysis through clever code injection before WinMain function.

Fickle Stealer Attacking Windows Machine To Steal Sensitive Data
Attack flow (Source – Fortinet)

Fickle Stealer begins by creating a mutex and performing anti-analysis checks, such as detecting debuggers, analyzing process names, checking loaded modules, detecting virtual machines, examining hardware IDs, and inspecting usernames. 

If passing checks, it gathers system info, creates a folder in Temp, copies itself there, and has that copy communicate with the C2 server. 

Fickle Stealer Attacking Windows Machine To Steal Sensitive Data
Fickle Stealer’s execution flow (Source – Fortinet)

The server responds with an RC4-encrypted target list of crypto wallets, plugins, file extensions, and paths. 

Fickle Stealer steals matching data, compresses it using Deflate, encodes it in a specific JSON format, and then exfiltrates it to the C2 server, reads the Fortinet report.

Beyond targeting popular apps, Fickle Stealer comprehensively searches for sensitive data in common installation directories and their parent paths. 

It receives a flexible target list from its C2 server, enabling frequent updates to that list as development continues on new malware variants. 

While it’s strongly recommended to use a robust security solution for better monitoring which will provide proper protection against these evolving threats, the latest Fickle Stealer versions, and the updated attack chains.

IOCs

IP Addresses:

  • 144[.]208[.]127[.]230
  • 185[.]213[.]208[.]245
  • 138[.]124[.]184[.]210
  • hxxps:// github[.]com/SkorikJR

Files

Delivery:

  • 1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59
  • ad57cc0508d3550caa65fcb9ee349c4578610970c57a26b7a07a8be4c8b9bed9
  • 8e87ab1bb9870de9de4a7b409ec9baf8cae11deec49a8b7a5f73d0f34bea7e6f
  • 9ffc6a74b88b66dd269d006dec91b8b53d51afd516fe2326c6f9e3ed81d860ae
  • 48e2b9a7b8027bd03ceb611bbfe48a8a09ec6657dd5f2385fc7a75849bb14db1
  • 6f9f65c2a568ca65326b966bcf8d5b7bfb5d8ddea7c258f58b013bc5e079308b
  • 2236ffcf2856d5c9c2dedf180654cf318596614be450f6b24621dc13d7370dbf
  • 8d3ccfafc39830ee2325170e60a44eca4a24c9c4dd682a84fa60c961a0712316
  • 3ad1c2273ee77845117c0f7f55bf0050b0bcea52851d410520a694252b7bb187
  • 7034d351ce835d4905064d2b3f14adb605374a4a6885c23390db9eddd42add86
  • c6c6304fea3fd6f906e45544b2e5119c24cda295142ed9fafd2ec320f5ff41cc
  • 97e5ac8642f413ba4b272d3cb74cba3e890b7a3f7a7935e6ca58944dbb9bfe54

u.ps1:

  • 011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38
  • 5fbd700bd77d3f632ba6ce148281c74a20391a40c7984f108f63a20dc442f8d6
  • d9dcae235891f206d1baabfcbd79cb80337b5e462adef9516b94efc696b596b7
  • 679e9ba645e17cceeff14be7f5f7dff8582d68eba5712c5928a092e1eec55c84
  • 4d78793719d14f92f5bb9ecc7c2fa9e51c1bf332de26aa7746f35d7e42362db8
  • d55611fce7fcdd6b49066b194196577ee12bffa98400b724d013fc3a1e254f34
  • 346e18b7ce2e3c3c5412dacdc8034a7566dee12ea0aafc6b82f196dcba2453f8
  • 20e1d7af698e3e2f5092815be1a0415019511da99550fdcc050741f4b47551fa
  • f71069aed94e4b13d70bd9ee7b2a8fc8580c4339aa9ba9d8baf15abf95d6f673
  • 94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b
  • 24e44d000a61de06b63b532ef237d9f41aa897f4d9f46f8abaf9e654074a65af
  • a04677fe4ba06b66f698e4969b749174d30477283d97b5eaee16ffeb305d9c0a
  • 7b9e09227b036428a41dd46b6d6e354bb0c3822ce201c1a14d083116916e078d
  • 0494077ac65aa278680002f3b73c61c8896303668c62139a9db5a042923fd0ce
  • 47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973

inject.ps1:

  • 46caee016da4b460f7c242e19a88e8dc7544ded7d2528b0b9e918a7be64b5ceb
  • b05736874d383ed2e8dcc9d392f2c04e0fd545b8880620499d720c44adb18822
  • bf8b8f964d1c67aee82ad01528423077ef5e6c65de6d95e446c9343868849350
  • 4602d8f9e2150744e89958d813354696abe6800ee55ef70c48db3134e964a13a

tgmes.ps1:

  • 70363b97f955e5d30fb8d3a8d2a439303f88707420c05f051f87e0458fdfffc2
  • 62ff72aa8a8c5bccdf6c789952ee054a0d0d479e417fa20ea73a936e17bdf043
  • 5f24168581cdaef32e60a62ba7123917bbe65f2f8410d759f345587eb406be40

engine.ps1:

  • effb85aaef61cd8918d66513da1573365be2743ec263be4029a6b827e3ecc1c6
  • b57caa40f680d468bbf811e798ef9881d6158fb3462dd9bedb4658d17aed44a5
  • 26fa0ccc5c7b7733ee6ffc2c70edef067b6764387ef1b16cb8005f28c34a3d84
  • f080d7803ce1a1b9dc72da6ddf0dd17e23eb8227c497f09aa7dfd6f3b5be3a66
  • 93db0d88966519e76db4995a3b67ca548e4aa9675806295a790eedf585e0aa2f
  • 9f7591c9d9bc66029e6a341a4fb8828361fc14b1918f9e35506c608359fa1eec

Stealer:

  • e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
  • a641d10798be5224c8c32dfaab0dd353cd7bb06a2d57d9630e13fb1975d03a53
  • 9ce52929765433ff8bf905764d7b83c4c3fcbefb4f12eabcf16ee3dddcd3759d
  • b7bdb0cc90b11c4738c2af218a1a53e4c65b6c91c6067c224164b8fcfc3eed8c
  • f878a88b7dda1155fe939abe0500e32d5fba34569ca933bccb5603d9e0e96cc0
  • bfe2d817e20ecff45cc92b7b8f4e1cd0482b48a769940402eaa5b31cbfb9b908
  • 09b47fd0e1fcab827d1a723f9db7e402502ec91e57b7217ed85094abd98bc637
  • 978400108aa16e464b1fbc300bc270bc89193e3c3890d5e9373b3034b592b4da
  • e394f96ee040508063606343b1ad2158e266dcbd8beb3ba4a23936d1957e5ad6

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free



Source link