A nascent information-stealing malware sold and distributed on underground Russian forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.
Dubbed “Ficker Stealer,” it is notable for being propagated via Trojanized web links and compromised websites, luring victims to scam landing pages purportedly offering free downloads of legitimate paid services like Spotify Music, YouTube Premium, and other Microsoft Store applications.
“Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums,” BlackBerry’s research and intelligence team said in a report published today. “Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their trojan horse.”
First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information, in addition to functioning as a tool to grab sensitive files from the compromised machine, and acting as a downloader to fetch and execute additional second-stage malware.
Furthermore, Ficker is known to be delivered via spam campaigns, which involve sending targeted phishing emails with weaponized macro-based Excel document attachments that, when opened, drop the Hancitor loader, which then injects the final payload using a technique called process hollowing to avoid detection and mask its activities.
In the months that followed its discovery, the threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, which make analysis harder, if not prohibitive.
“Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download,” BlackBerry researchers said.
Apart from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running in virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worthy of particular note is that, unlike traditional information stealers, Ficker is designed to execute its commands and exfiltrate the collected information directly to the operators instead of writing the stolen data to disk.
“The malware also has screen-capturing abilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once a connection to its C2 is established,” the researchers said. “Once information is sent back to Ficker’s C2, the malware owner can access and search for all exfiltrated data.”