New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

Covid-19

A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts. 

Fortinet FortiGuard Labs said it’s aware of four different distribution methods — namely VBA dropper, VBA downloader, link downloader, and executable downloader — with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer. 

The PowerShell script (“bypass.ps1” or “u.ps1”) is also designed to periodically send information about the victim, including country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker. 

The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine if it’s running in a sandbox or a virtual machine environment, following which it beacons out to a remote server to exfiltrate data in the form of JSON strings. 

Fickle Stealer is no different from other variants in that it’s designed to gather information from crypto wallets, web browsers powered by Chromium and the Gecko browser engine (i.e, Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox), and applications like AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram. 

It’s also designed to export files matching the extensions .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat. 

“In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering,” security researcher Pei Han Liao said. “It also receives a target list from the server, which makes Fickle Stealer more flexible.” 

The disclosure comes as Symantec disclosed details of an open-source Python stealer called AZStealer that comes with the functionality to steal a wide variety of information. Available on GitHub, it has been advertised as the “best undetected Discord stealer.” 

“All stolen information is zipped and depending on the size of the archive exfiltrated directly through Discord webhooks or first uploaded to Gofile online files storage and after that exfiltrated via Discord,” the Broadcom-owned company said. 

“AZStealer will also attempt the theft of document files with predefined targeted extensions or those having specific keywords such as password, wallet, backup, etc. in the filename.” 

Found this article interesting? Follow us on LinkedIn to read more blogs!