A brand new Rust-based info stealer malware known as Fickle Stealer has been noticed being delivered through a number of assault chains with the aim of harvesting delicate info from compromised hosts.
Fortinet FortiGuard Labs mentioned it is conscious of 4 completely different distribution strategies — specifically VBA dropper, VBA downloader, hyperlink downloader, and executable downloader — with a few of them utilizing a PowerShell script to bypass Person Account Management (UAC) and execute Fickle Stealer.
The PowerShell script (“bypass.ps1” or “u.ps1”) can also be designed to periodically ship details about the sufferer, together with nation, metropolis, IP tackle, working system model, pc title, and username to a Telegram bot managed by the attacker.
The stealer payload, which is protected utilizing a packer, runs a sequence of anti-analysis checks to find out if it is working in a sandbox or a digital machine setting, following which it beacons out to a distant server to exfiltrate knowledge within the type of JSON strings.
Fickle Stealer isn’t any completely different from different variants in that it is designed to assemble info from crypto wallets, net browsers powered by Chromium and the Gecko browser engine (i.e, Google Chrome, Microsoft Edge, Courageous, Vivaldi, and Mozilla Firefox), and purposes like AnyDesk, Discord, FileZilla, Sign, Skype, Steam, and Telegram.
It is also designed to export information matching the extensions .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and pockets.dat.
“In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering,” safety researcher Pei Han Liao mentioned. “It also receives a target list from the server, which makes Fickle Stealer more flexible.”
The disclosure comes as Symantec disclosed particulars of an open-source Python stealer known as AZStealer that comes with the performance to steal all kinds of data. Out there on GitHub, it has been marketed because the “best undetected Discord stealer.”
“All stolen information is zipped and depending on the size of the archive exfiltrated directly through Discord webhooks or first uploaded to Gofile online files storage and after that exfiltrated via Discord,” the Broadcom-owned firm mentioned.
“AZStealer will also attempt the theft of document files with predefined targeted extensions or those having specific keywords such as password, wallet, backup, etc. in the filename.”