ESET warns of attackers running ads for websites that mimic Microsoft Store, Spotify, and an online document converter but instead distribute information-stealing Trojans. The malware attempts to steal credit cards and passwords that the victims have stored in web browsers, chat apps, and more.
ESET issued a warning yesterday on Twitter advising to watch out for advertisements that promote what appears to be legitimate apps.
“Beware of active infostealer campaign mimicking Microsoft Windows Store, Spotify and FreePdfConvert apps targeting countries in South America 🇵🇪🇨🇴🇦🇷,” the tweet said.
In one of the advertisements, cybercriminals promote an online Chess application. When users click the ad, they are taken to a fake Microsoft Store page. A fake xChess 3 online chess app is automatically downloaded on the victim’s computer from an Amazon AWS server.
The downloaded zip file has the name ‘xChess_v.709.zip’ containing the ‘Ficker’ (or ‘FickerStealer’) which is information-stealing malware, as shown by this report from BleepingComputer.
Researchers also found other advertisements spreading a fake version of Spotify and an online document converter. Their landing pages, too, will automatically start downloading a zip file with Ficker.
Once the victim unpacks the archive and launches the executable file, the Ficker malware runs and begins its information-stealing activities.
Ficker first appeared on Russian-speaking hacker forums in January this year. Its authors rented it out to other hackers from one week up to six months. The author claims Ficker has the capabilities to steal saved credentials in web browsers, desktop messaging apps like Pidgin, Steam, and Discord, and FTP clients. Besides stealing passwords, if we were to believe its authors, Ficker can steal over fifteen cryptocurrency wallets, documents, and take screenshots of the active applications. This data is exfiltrated to the attacker in a zip file.