A new information-stealing malware sold and distributed on underground Russian forums has been written in Rust, signalling a growing trend in which threat actors adopt less common programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.
Dubbed “Ficker Stealer,” it is notable for being propagated via Trojanized web links and compromised websites, luring victims to scam landing pages purportedly offering free downloads of legitimate paid services such as Spotify Music, YouTube Premium, and other Microsoft Store applications.
“Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums,” BlackBerry’s research and intelligence team said in a report published today. “Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program.”
First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card data, cryptocurrency wallets, and browser data, in addition to functioning as a tool to grab sensitive files from the compromised machine and acting as a downloader that fetches and executes additional second-stage malware.
Furthermore, Ficker is known to be delivered through spam campaigns, which involve sending targeted phishing emails with weaponized macro-based Excel document attachments that, when opened, drop the Hancitor loader, which then injects the final payload using a technique called process hollowing to evade detection and mask its activities.
In the months that followed its discovery, the threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, which make analysis more difficult, if not prohibitive.
“Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download,” BlackBerry researchers said.
Besides relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running in virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worth particular note is that, unlike traditional information stealers, Ficker is designed to execute commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk.
“The malware also has screen-capturing capabilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once a connection to its C2 is established,” the researchers said. “Once data is sent back to Ficker’s C2, the malware owner can access and search for all exfiltrated data.”
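As an added illustration, not taken from the BlackBerry or CyberArk reports, the following Python script shows how a defender could flag the delivery chain described above (an Office macro dropping a loader, which then starts a legitimate system binary as the target for process hollowing) in process-creation telemetry. The pipe-separated log format, the field names, the sample events and the "user-writable path" heuristic are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str  # full path of the parent process image
    image: str   # full path of the newly created process image


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed heuristic: directories a macro-dropped loader commonly writes to.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)

# Constructed sample telemetry (not real events): Excel drops a loader into
# Temp, the loader starts svchost.exe (the classic hollowing target), and a
# benign Excel launch from Explorer is included as a negative case.
SAMPLE_LOG = r"""
ParentImage=C:\Program Files\Microsoft Office\EXCEL.EXE|Image=C:\Users\alice\AppData\Local\Temp\invoice_loader.exe
ParentImage=C:\Users\alice\AppData\Local\Temp\invoice_loader.exe|Image=C:\Windows\System32\svchost.exe
ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\EXCEL.EXE
"""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(log: str) -> list[ProcEvent]:
    events = []
    for line in log.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        events.append(ProcEvent(fields["ParentImage"], fields["Image"]))
    return events


def detect(events: list[ProcEvent]) -> list[tuple[str, ProcEvent]]:
    """Return (rule_name, event) hits for the macro -> loader -> hollowing chain."""
    hits, dropped = [], set()
    for ev in events:
        if basename(ev.parent) in OFFICE_APPS and ev.image.lower().endswith(".exe"):
            # Stage 1: an Office application spawning an executable is the
            # footprint of a macro dropping a loader such as Hancitor.
            hits.append(("office_spawned_executable", ev))
            dropped.add(ev.image.lower())
        elif (ev.parent.lower() in dropped and USER_WRITABLE.search(ev.parent)
              and not USER_WRITABLE.search(ev.image)):
            # Stage 2: that loader starting a system binary is what process
            # hollowing looks like in creation telemetry: a legitimate image
            # launched by an illegitimate parent before its memory is replaced.
            hits.append(("dropped_loader_started_system_binary", ev))
    return hits
```

Correlating on the parent/child relationship rather than on file hashes is what keeps the rule useful against a heavily obfuscated Rust payload whose bytes change between builds.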