Fortinet FortiGuard Labs has recently discovered a new Rust-based malware known as Fickle Stealer. This malware is distributed through various attack chains, utilizing innovative techniques to evade detection and target sensitive information.

Description

Fickle Stealer reaches victims through several distribution chains: a VBA dropper [1] [2] [3] [4] [5] [6] [7], a VBA downloader [2] [3] [4] [5] [6] [7], a link downloader [2] [3] [4] [5] [6] [7], and an executable downloader [1] [2] [3] [4] [5] [6] [7]. Attackers download a PowerShell script that bypasses User Account Control (UAC) and executes the malware [2] [4] [5] [7]; the script also sets up a task that runs another script after 15 minutes, using the Mock Trusted Directories technique [2]. The stealer reports its status and victim details to an attacker-controlled Telegram bot [2], performs anti-analysis checks [1] [2] [4] [7] including debugger detection [1], and uses techniques such as injecting shell code and creating fake files to avoid detection [3]. It retrieves an encrypted target list from its command-and-control (C2) server [1], which is updated so that the malware can target new applications [1]. Its current targets include crypto wallets [2] [4] [7], plugins [1] [2] [7], specific file extensions [1] [2] [4] [5], web browsers based on Chromium and the Gecko engine [2] [4] [5] [7], and applications such as AnyDesk [2] [5], Discord [2] [5], and Skype [2] [5]. Stolen data is stored in a specific JSON format [2] and exfiltrated to the C2 server.
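The Mock Trusted Directories technique mentioned above relies on directory names that imitate a trusted Windows path but carry trailing whitespace (for example "C:\Windows \System32"), which path checks can normalise into the genuine location. The following scan is an added defender-side example written for this page, not code from Fortinet or the referenced reports; it walks a filesystem root and flags directories whose names match a trusted name only after whitespace is stripped. The trusted-name list and the constructed sample tree are assumptions for illustration.

```python
import os
import tempfile

# Directory names that UAC treats as trusted locations for auto-elevation.
# A mock trusted directory copies one of these with leading/trailing whitespace.
# (Assumed list for this example; extend to match the environment being scanned.)
TRUSTED_NAMES = {"windows", "system32", "program files", "program files (x86)"}


def is_mock_trusted_name(name: str) -> bool:
    """True if the name becomes a trusted name only once whitespace is stripped."""
    stripped = name.strip()
    return stripped != name and stripped.lower() in TRUSTED_NAMES


def find_mock_trusted_dirs(root: str) -> list[str]:
    """Walk root and return the full paths of directories with mock trusted names."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_mock_trusted_name(d):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed sample tree (not a real host) and scan it.

    Note: ordinary Win32 path APIs strip trailing spaces, so this demo tree is
    meant to be built on a POSIX filesystem; on Windows the scan itself still
    works against directories created with the \\\\?\\ prefix.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System32"))   # legitimate layout
    os.makedirs(os.path.join(root, "Windows ", "System32"))  # mock: trailing space
    os.makedirs(os.path.join(root, "Program Files"))          # legitimate
    return [os.path.relpath(p, root) for p in find_mock_trusted_dirs(root)]


if __name__ == "__main__":
    for hit in demo():
        print("mock trusted directory:", repr(hit))
```

Only the parent "Windows " entry is reported; its "System32" child has a clean name, so the scan points at the directory that was actually forged.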

Conclusion

Organizations are advised to enhance their cybersecurity defenses with robust security protocols and advanced threat detection mechanisms to safeguard against this evolving threat posed by Fickle Stealer.

References

[1] https://cybermaterial.com/fickle-stealer-targets-windows-systems/
[2] https://sechub.in/view/2897367
[3] https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain
[4] https://www.toddpigram.com/2024/06/new-rust-based-fickle-malware-uses.html
[5] https://thehackernews.com/2024/06/new-rust-based-fickle-malware-uses.html
[6] https://www.krofeksecurity.com/index.php/2024/06/20/new-rust-based-fickle-malware-uncovering-the-advanced-techniques-for-uac-bypass-and-data-theft/
[7] https://securityaffairs.com/164726/malware/fickle-stealer-attack-methods.html