Fickle Stealer Strikes Again – A Deep Dive into the Ruthless Rust-Based Malware
Overview
Fickle Stealer, a sophisticated piece of malware written in Rust, has been identified as a significant threat targeting Windows users. Initially observed in May 2024, this malware leverages Rust's performance and safety features, making it challenging for researchers to detect and analyze. Distributed via multiple vectors, including VBA droppers and executable downloaders, Fickle Stealer is designed to extract a wide range of sensitive information from infected systems.
Attack Chain
The Fickle Stealer attack chain is divided into three main stages: Delivery, Preparatory Work, and Packer and Stealer Payload.
1. Delivery
Fickle Stealer uses four primary delivery methods:
- VBA Dropper: Embeds a malicious XML file in a Word document's UserForm object to execute the payload.
- VBA Downloader: Variants that either download PowerShell scripts directly or use additional tactics to avoid detection.
- Link Downloader: Directly downloads and executes a PowerShell script.
- Executable Downloader: A DotNet executable disguised as a PDF viewer.
2. Preparatory Work
The malware employs PowerShell scripts (u.ps1 and bypass.ps1) to bypass User Account Control (UAC) and set up the environment for the stealer. These scripts create tasks to ensure persistent execution and use techniques to execute with elevated privileges without triggering UAC prompts.
3. Packer and Stealer Payload
Protected by a custom packer, Fickle Stealer's payload performs multiple anti-analysis checks, including process name comparison and checking for virtual environments. Once active, it steals a variety of data, such as:
- Browser data (cookies, credentials)
- Cryptocurrency wallets
- System information
- Files with specific extensions
Technical Details
Fickle Stealer’s use of Rust enables complex and reliable code, making it harder to analyze. Key functionalities include:
- Keylogging: Captures keystrokes to gather sensitive information.
- Process Injection: Injects code into legitimate processes to avoid detection.
- Exfiltration: Sends collected data to command and control (C2) servers using encrypted communication.
Indicators of Compromise (IoCs)
IP Addresses:
- 144[.]208[.]127[.]230
- 185[.]213[.]208[.]245
- 138[.]124[.]184[.]210
SHA-256 Hashes:
- 1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59
- ad57cc0508d3550caa65fcb9ee349c4578610970c57a26b7a07a8be4c8b9bed9
- 8e87ab1bb9870de9de4a7b409ec9baf8cae11deec49a8b7a5f73d0f34bea7e6f
- 9ffc6a74b88b66dd269d006dec91b8b53d51afd516fe2326c6f9e3ed81d860ae
- 48e2b9a7b8027bd03ceb611bbfe48a8a09ec6657dd5f2385fc7a75849bb14db1
- 011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38
- 5fbd700bd77d3f632ba6ce148281c74a20391a40c7984f108f63a20dc442f8d6
- d9dcae235891f206d1baabfcbd79cb80337b5e462adef9516b94efc696b596b7
- 46caee016da4b460f7c242e19a88e8dc7544ded7d2528b0b9e918a7be64b5ceb
- b05736874d383ed2e8dcc9d392f2c04e0fd545b8880620499d720c44adb18822
- 70363b97f955e5d30fb8d3a8d2a439303f88707420c05f051f87e0458fdfffc2
- 62ff72aa8a8c5bccdf6c789952ee054a0d0d479e417fa20ea73a936e17bdf043
- effb85aaef61cd8918d66513da1573365be2743ec263be4029a6b827e3ecc1c6
- b57caa40f680d468bbf811e798ef9881d6158fb3462dd9bedb4658d17aed44a5
- e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
- a641d10798be5224c8c32dfaab0dd353cd7bb06a2d57d9630e13fb1975d03a53
- 9ce52929765433ff8bf905764d7b83c4c3fcbefb4f12eabcf16ee3dddcd3759d
Mitigation and Protection
Fortinet products provide detection and blocking capabilities for Fickle Stealer through their FortiGuard Antivirus services. Additional recommendations include:
- Email Security: Train users to recognize phishing emails and avoid enabling macros from untrusted sources.
- Endpoint Protection: Use endpoint detection and response (EDR) solutions to monitor and mitigate suspicious activities.
- Regular Updates: Ensure all systems and software are updated with the latest security patches.
Sources
- Fickle Stealer Distributed via Multiple Attack Chain (Fortinet)
- New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration (The Hacker News)
- NEW RUST INFOSTEALER FICKLE STEALER SPREADS THROUGH VARIOUS ATTACK METHODS (Security Affairs)
- Fickle Stealer Attacking Windows Machine To Steal Sensitive Data (Cybersecurity News)
Conclusion
Fickle Stealer represents a significant threat due to its advanced delivery mechanisms and robust evasion techniques. Continuous monitoring and employing comprehensive security solutions are crucial for protection against such threats.