A new Rust-based malware called Fickle Stealer has emerged, targeting sensitive information through multiple attack vectors. Fortinet FortiGuard Labs reports that Fickle malware is distributed via four main methods: VBA dropper, VBA downloader, link downloader, and executable downloader. Some of these methods utilize a PowerShell script to bypass User Account Control (UAC) and deploy the malware.
The PowerShell script, identified as “bypass.ps1” or “u.ps1,” not only bypasses UAC but also collects and transmits victim information. The script sends data such as the victim’s country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker. This method ensures the attacker remains updated on the status and location of the compromised systems.
As per recent reports, the Fickle malware employs a packer to protect its payload, running several anti-analysis checks to avoid detection in sandbox or virtual machine environments. Once these checks are passed, the malware communicates with a remote server, sending the harvested data as JSON strings. The malware targets information from various sources, including crypto wallets, web browsers like Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox, and applications such as AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.
Security researcher Pei Han Liao notes that Fickle Stealer not only targets popular applications but also searches for sensitive files in directories commonly used for software installations. The malware can exfiltrate files with extensions such as .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat. This extensive data gathering ensures that a wide range of valuable information is exfiltrated.
Fickle Stealer’s deployment methods are sophisticated. Attackers download a PowerShell script to set up the malware, sometimes using an additional file to facilitate the download. The primary goal of the script is to bypass UAC and execute the malware. The script also schedules a task to run another script, engine.ps1, after a delay, which uses both legitimate and fake WmiMgmt.msc files to maintain stealth. This technique, known as Mock Trusted Directories, allows the malware to execute with elevated privileges without triggering a UAC prompt.
The PowerShell scripts, including u.ps1, engine.ps1, and inject.ps1, frequently send status updates to the attacker via a Telegram bot. For each message, they download and execute tgmes.ps1, which is stored temporarily and deleted after execution. The information-stealing malware continuously sends victim details to the attacker, ensuring they remain informed and can update the attack as needed.
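As an added example (not code from the Fortinet report or the TuxCare post), the following Python triage script flags the behaviours described above in constructed endpoint telemetry: an .msc launched from a mock trusted directory, a scheduled task that runs a PowerShell script from a Temp folder, and the script file names the article lists. It assumes the mock trusted directory takes the usual form of a path component with a trailing space (for example "C:\Windows \System32"), a detail the article itself does not spell out.

```python
import ntpath
import re

# Constructed sample events for this example, modelled on the report's description.
# Each event is a process or file-creation record with the path and command line.
SAMPLE_EVENTS = [
    {"kind": "process", "path": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Windows\System32\WmiMgmt.msc"'},          # legitimate
    {"kind": "process", "path": r"C:\Windows \System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Windows \System32\WmiMgmt.msc"'},         # mock trusted dir
    {"kind": "process", "path": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /sc once /st 12:00 '
                r'/tr "powershell -ep bypass -f C:\Users\bob\AppData\Local\Temp\engine.ps1"'},
    {"kind": "file", "path": r"C:\Users\bob\AppData\Local\Temp\tgmes.ps1", "cmdline": ""},
    {"kind": "process", "path": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
]

# A path component that ends in a space, e.g. "\Windows \" (assumed mock-directory form).
MOCK_DIR_RE = re.compile(r'\\[^\\"]* \\')
# Quoted or bare .msc file reference in a command line.
MSC_RE = re.compile(r'"[^"]*\.msc"|\S+\.msc', re.I)
# A .ps1 under a Temp or AppData folder.
TEMP_PS1_RE = re.compile(r'\\(temp|appdata)\\[^\s"]*\.ps1', re.I)
# Script names named in the article, matched as whole file names.
SCRIPT_RE = re.compile(r"(?<![\w.-])(?:bypass|u|engine|inject|tgmes)\.ps1\b", re.I)


def rules_for(event: dict) -> list[str]:
    """Return the names of the detection rules a single event trips."""
    text = event["path"] + " " + event["cmdline"]
    cl = event["cmdline"].lower()
    hits = []
    if MOCK_DIR_RE.search(text):
        hits.append("mock_trusted_directory")
    # Any .msc whose directory is not the real System32 is suspicious.
    for token in MSC_RE.findall(event["cmdline"]):
        if ntpath.dirname(token.strip('"')).lower() != r"c:\windows\system32":
            hits.append("msc_outside_system32")
            break
    if "schtasks" in cl and "/create" in cl and TEMP_PS1_RE.search(cl):
        hits.append("scheduled_task_runs_temp_ps1")
    if SCRIPT_RE.search(text):
        hits.append("known_fickle_script_name")
    return hits


def scan(events) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every rule hit across events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in rules_for(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```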
The discovery of the Fickle malware comes alongside revelations about AZStealer, an open-source Python-based information stealer. Available on GitHub, AZStealer has been advertised as a highly effective Discord stealer. It exfiltrates stolen information by zipping it and sending it through Discord webhooks or uploading it to Gofile before transmission.
The Rust-based malware exemplifies the growing sophistication of malware, utilizing multiple attack vectors and advanced techniques to harvest sensitive information while evading detection. The continuous updates and flexible target lists make it a persistent threat, emphasizing the need for robust cybersecurity measures and vigilant monitoring to protect against such complex threats.
The sources for this piece include articles in The Hacker News and Security Affairs.
The post Fickle Malware Leads to UAC Bypass and Data Exfiltration appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/fickle-malware-leads-to-uac-bypass-and-data-exfiltration/