A nascent information-stealing malware sold and distributed on underground Russian forums has been written in Rust, signaling a new trend in which threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.
Dubbed "Ficker Stealer," it is notable for being propagated via Trojanized web links and compromised websites, luring victims to scam landing pages purportedly offering free downloads of legitimate paid services like Spotify Music, YouTube Premium, and other Microsoft Store applications.
"Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malware."
First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information, in addition to functioning as a tool to grab sensitive files from the compromised machine and act as a downloader to fetch and execute additional second-stage malware.
Additionally, Ficker is known to be delivered through spam campaigns, which involve sending targeted phishing emails with weaponized macro-based Excel document attachments that, when opened, drop the Hancitor loader, which then injects the final payload using a technique called process hollowing to avoid detection and mask its activities.
In the months that followed its discovery, the threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, which make analysis harder, if not prohibitive.
"Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry researchers said.
Apart from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running in virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worthy of particular note is that, unlike traditional information stealers, Ficker is designed to execute the commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk.
"The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also allows file-grabbing and additional downloading capabilities once connection to its C2 is established," the researchers said. "Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data."