A new information-stealing malware sold on Russian-language underground hacker forums is written in Rust, a sign that threat actors are adopting less common programming languages to hinder analysis and evade security protections.
Ficker Stealer is Windows-based malware that steals sensitive information from victims. Its operators distribute it via phishing emails, Trojanized web links, and compromised websites that trick victims into downloading what is advertised as free software, such as Spotify Music, YouTube Premium, and various Microsoft Store applications.
“Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums,” BlackBerry’s research and intelligence team said in a report published today. “Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program.”
The malware was first observed in the wild in August 2020, stealing sensitive information such as login credentials, credit card details, cryptocurrency wallets, and browser data.
Ficker Stealer can also grab sensitive files from a compromised machine and download and execute other second-stage malware.
Ficker is often delivered through malspam campaigns: phishing emails carry weaponized Excel documents whose macros, once enabled, drop the Hancitor loader. Hancitor then injects the final Ficker payload into another process using process hollowing, a technique that hides the payload inside a legitimate-looking process to avoid detection.
The threat actors were observed using DocuSign-themed lures that install a malicious Windows binary fetched from the attacker's server.
CyberArk noted last month that Ficker's heavy obfuscation, combined with the fact that it is written in Rust, makes it particularly hard, and sometimes impossible, to analyze.
“Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download,” BlackBerry researchers said.
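The delivery chain described above (Office document spawns a loader, the loader fetches a payload from its C2, the loader writes that payload into another process) is exactly the kind of sequence a SOC can correlate from endpoint telemetry. The following is an added example, not code from BlackBerry, CyberArk, or the malware authors: a small Python correlation over Sysmon-style events. The event records are constructed for illustration (the PIDs, paths, IP address and the choice of rundll32.exe as the loader's host process are assumptions; the page does not name the process Hancitor runs in), and the field names follow Sysmon's ProcessCreate (Event 1), NetworkConnect (Event 3), CreateRemoteThread (Event 8) and ProcessAccess (Event 10) events.

```python
"""Correlate Office -> loader -> network -> injection from Sysmon-style events.

Added example. All events in SAMPLE_EVENTS are CONSTRUCTED; only the field
names mirror Sysmon's schema. The detection heuristics are the author's own,
not the vendors' rules.
"""
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Win32 process access rights needed for WriteProcessMemory, which hollowing
# uses to overwrite a suspended host process's image in memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed telemetry for one infection plus benign noise (Explorer -> Notepad).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 4100,   # macro runs loader
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 3, "ProcessId": 5200, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},           # fetch payload
    {"EventID": 1, "ProcessId": 6300, "ParentProcessId": 5200,   # host to be hollowed
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 10, "SourceProcessId": 5200, "TargetProcessId": 6300,  # memory write
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 900,    # benign noise
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per process that (a) descends from an Office app,
    (b) made an outbound connection and (c) wrote into or created a thread in
    another process. Pure function over a list of event dicts."""
    parent, image = {}, {}
    for e in events:
        if e["EventID"] == 1:
            parent[e["ProcessId"]] = e["ParentProcessId"]
            image[e["ProcessId"]] = e["Image"]
            image.setdefault(e["ParentProcessId"], e["ParentImage"])

    def office_ancestor(pid):
        seen, p = set(), parent.get(pid)
        while p is not None and p not in seen:       # guard against PID reuse loops
            seen.add(p)
            if _basename(image.get(p, "")) in OFFICE_APPS:
                return image[p]
            p = parent.get(p)
        return None

    signals = defaultdict(dict)
    for e in events:
        if e["EventID"] == 3:
            signals[e["ProcessId"]]["network"] = f'{e["DestinationIp"]}:{e["DestinationPort"]}'
        elif e["EventID"] == 8:
            signals[e["SourceProcessId"]]["remote_thread"] = e["TargetImage"]
        elif e["EventID"] == 10:
            # Only flag handles that allow writing the target's memory.
            if int(e["GrantedAccess"], 16) & WRITE_MASK == WRITE_MASK:
                signals[e["SourceProcessId"]]["memory_write"] = e["TargetImage"]

    alerts = []
    for pid, sig in signals.items():
        anc = office_ancestor(pid)
        if anc and "network" in sig and ("memory_write" in sig or "remote_thread" in sig):
            alerts.append({"pid": pid, "image": image.get(pid),
                           "office_ancestor": anc, "signals": dict(sig)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} under {a['office_ancestor']}: {a['signals']}")
```

One caveat worth keeping in mind when tuning this: a loader that creates its host process itself with CREATE_SUSPENDED already holds a fully privileged handle from CreateProcess, so the classic hollowing sequence (unmap, WriteProcessMemory, SetThreadContext, ResumeThread) may never trigger a Sysmon ProcessAccess event at all. The structural signal (Office ancestor plus network activity plus spawning a system binary) then has to be backed by EDR memory inspection, for example comparing the in-memory image of the suspect child against its on-disk file.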
Before doing anything on a compromised system, the malware runs anti-analysis checks so that it does not execute in virtual environments, and it also refuses to run on victim machines located in Russia, Belarus, Armenia, Azerbaijan, Kazakhstan, and Uzbekistan.
Unlike many other stealers, Ficker is an advanced information theft tool that can execute commands and exfiltrate stolen data directly to the attackers rather than only writing it to disk. It also has screen-capturing capabilities:
“The malware also has screen-capturing abilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established,” the researchers said. “Once information is sent back to Ficker’s C2, the malware owner can access and search for all exfiltrated data.”