Fortinet’s FortiGuard Labs found a Rust-based stealer in May 2024 and named it the Fickle Stealer as a consequence of its intricate code and versatile goal choice. FortiGuard’s analysis shared completely with Hackread.com reveals that this malware makes use of a various “attack chain” to infiltrate Microsoft Windows-based methods and steal delicate knowledge.

This “High” severity malware demonstrates a worrisome versatility by using a multi-pronged strategy to breach a system’s defences. It arrives disguised as a reliable utility or doc, permitting customers to obtain it unknowingly. The malware exploits present vulnerabilities in software program to realize a foothold, bypassing most safety measures.

Fickle Stealer may be delivered by means of 4 strategies: VBA dropper, VBA downloader, hyperlink downloader, and executable downloader. These strategies sometimes obtain a PowerShell script for preparatory work (titled u.ps1 or bypass.ps1). 

The VBA dropper assault begins with a Word doc, the place a macro hundreds an XML file and executes a script. VBA downloaders embrace direct obtain, forfiles.exe, runOnce.bat, hyperlink downloader, and executable downloader. The first downloader downloads u.ps1, the second makes use of forfiles.exe to bypass cmd utilization detections, and the third makes use of an internet browser management to extract the command. 

A packer disguised as a authorized executable hides the malicious code, executing it earlier than the WinMain operate, making it troublesome to detect. The packer allocates reminiscence for decrypted payload knowledge and performs anti-analysis checks earlier than exiting if a beneficial surroundings is unavailable. It typically shows a pretend error message earlier than terminating.

Fickle Stealer searches delicate recordsdata in widespread set up directories for complete knowledge gathering. “There are four kinds of targets: crypto wallets, plugins, file extensions, and partial paths,” wrote Fortinet’s Pei Han Liao in a weblog publish shared with Hackread.com forward of publishing on Wednesday, June 19, 2024.

The stolen knowledge consists of system {hardware} info, login particulars, monetary particulars from AtomicWallet, Exodus, Electrum, ByteCoin, Ethereum, ZCash and different wallets, a variety of recordsdata and plugins knowledge, Chromium and Gecko engine browser knowledge, and functions, together with Anydesk, Ubisoft, Discord, Steam, Skype, Signal, ICQ, Filezilla, Telegram, Tox, Pidgin, and Element. 

It sends sufferer info to the server, which sends an inventory of goal functions and key phrases, and supplies a goal listing, making Fickle Stealer extra versatile. The steadily up to date assault chain signifies that the stealer remains to be in improvement.

It is necessary to implement correct safety options to fight Fickle Stealer, together with repeatedly monitoring methods to detect threats, guaranteeing common software program updates, your Windows system has the most recent model and never downloading pirated software program.

1. Hackers Target Check Point VPNs
2. Ukraine Hit by Cobalt Strike Using Malicious Excel Files
3. Phishing Campaign Uses Stealthy JPGs to Drop Agent Tesla
4. Konni RAT Exploiting Word Docs to Steal Data from Windows
5. Hackers Use Word paperwork to drop NetSupport Manager RAT