Fickle Stealer Attacking Windows Machine To Steal Sensitive Data

by Esmeralda McKenzie

Hackers frequently use stealers to steal login credentials, financial records, and identity data stored on infected computer systems.

Stealer attacks are a low-risk and highly lucrative way for threat actors to make money and breach defensive measures in the context of cybercrime.


Cybersecurity researchers at Fortinet recently discovered that Fickle Stealer has been actively attacking Windows machines to steal sensitive data.

Fickle Stealer Attacking Windows Machine

Rust's sophistication led the threat actors to create Fickle Stealer, a sophisticated Rust-based malware that delivers itself through a VBA dropper, a VBA downloader, a link downloader, and an executable downloader.

It innovatively starts its preparatory stage with PowerShell scripts that bypass UAC by creating scheduled tasks, inject code into executables, and communicate through Telegram.

The packer disguises itself as a legitimate executable that later decrypts and executes this hidden payload, which evades conventional analysis through clever code injection before the WinMain function.

Attack flow (Source – Fortinet)

Fickle Stealer begins by creating a mutex and performing anti-analysis checks, such as detecting debuggers, examining process names, checking loaded modules, detecting virtual machines, inspecting hardware IDs, and inspecting usernames.

If it passes these checks, it gathers system information, creates a folder in Temp, copies itself there, and has that copy communicate with the C2 server.

Fickle Stealer's execution flow (Source – Fortinet)

The server responds with an RC4-encrypted target list of crypto wallets, plugins, file extensions, and paths.

Fickle Stealer steals matching data, compresses it using Deflate, encodes it in a specific JSON format, and then exfiltrates it to the C2 server, according to the Fortinet report.
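As an added illustration (not code from the original article or from Fortinet's report) of how an analyst would decode the two encodings described above, the following Python implements textbook RC4 and raw Deflate decoding and runs them over constructed sample traffic. The RC4 key, the JSON layout of the target list and of the exfiltration body, and the use of headerless (raw) Deflate are assumptions made for this example; in a real investigation those come from the analysed sample and the captured traffic.

```python
import json
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by keystream XOR (PRGA).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_target_list(blob: bytes, key: bytes) -> dict:
    """Recover the RC4-encrypted target list from a captured C2 response.
    The JSON layout is an assumption: the report only says the list names
    wallets, plugins, file extensions and paths."""
    return json.loads(rc4(key, blob).decode("utf-8"))


def decode_exfil(blob: bytes) -> dict:
    """Inflate a captured exfiltration body. wbits=-15 selects raw Deflate
    (no zlib/gzip header); if the sample wraps it in a zlib header, fall back."""
    try:
        raw = zlib.decompress(blob, -15)
    except zlib.error:
        raw = zlib.decompress(blob)
    return json.loads(raw.decode("utf-8"))


# --- Constructed sample traffic (not real captures; layout is assumed) ---
SAMPLE_KEY = b"example-rc4-key"  # assumption: the real key is recovered from the binary
SAMPLE_TARGETS = {
    "wallets": ["Exodus", "Electrum"],
    "extensions": [".txt", ".kdbx"],
    "paths": ["%APPDATA%", "%LOCALAPPDATA%"],
}
SAMPLE_EXFIL = {
    "host": "WIN-TEST",
    "files": [{"path": "C:\\Users\\u\\secrets.txt", "size": 42}],
}


def make_samples():
    """Build the two blobs an analyst would capture: the RC4'd target list
    sent by the C2 and the raw-Deflate'd JSON sent back by the stealer."""
    enc_targets = rc4(SAMPLE_KEY, json.dumps(SAMPLE_TARGETS).encode())
    comp = zlib.compressobj(level=9, wbits=-15)
    deflated = comp.compress(json.dumps(SAMPLE_EXFIL).encode()) + comp.flush()
    return enc_targets, deflated


def demo():
    """Decode both constructed blobs back to their JSON form."""
    enc_targets, deflated = make_samples()
    return decode_target_list(enc_targets, SAMPLE_KEY), decode_exfil(deflated)


if __name__ == "__main__":
    targets, exfil = demo()
    print("decoded target list:", targets)
    print("decoded exfil body :", exfil)
```

Both helpers take raw bytes, so the same functions work on a PCAP payload or a memory dump once the key is known; RC4 keystream reuse across sessions is also the property that lets a known plaintext (such as a predictable JSON prefix) confirm a candidate key quickly.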

Beyond targeting popular apps, Fickle Stealer comprehensively searches for sensitive data in common installation directories and their parent paths.

It receives a flexible target list from its C2 server, allowing frequent updates to that list as development continues on new malware variants.

It is strongly recommended to use a robust security solution with better monitoring that can provide real protection against these evolving threats, the latest Fickle Stealer versions, and the updated attack chains.

IOCs

IP Addresses and URL:

  • 144[.]208[.]127[.]230
  • 185[.]213[.]208[.]245
  • 138[.]124[.]184[.]210
  • hxxps://github[.]com/SkorikJR

Files

Delivery:

  • 1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59
  • ad57cc0508d3550caa65fcb9ee349c4578610970c57a26b7a07a8be4c8b9bed9
  • 8e87ab1bb9870de9de4a7b409ec9baf8cae11deec49a8b7a5f73d0f34bea7e6f
  • 9ffc6a74b88b66dd269d006dec91b8b53d51afd516fe2326c6f9e3ed81d860ae
  • 48e2b9a7b8027bd03ceb611bbfe48a8a09ec6657dd5f2385fc7a75849bb14db1
  • 6f9f65c2a568ca65326b966bcf8d5b7bfb5d8ddea7c258f58b013bc5e079308b
  • 2236ffcf2856d5c9c2dedf180654cf318596614be450f6b24621dc13d7370dbf
  • 8d3ccfafc39830ee2325170e60a44eca4a24c9c4dd682a84fa60c961a0712316
  • 3ad1c2273ee77845117c0f7f55bf0050b0bcea52851d410520a694252b7bb187
  • 7034d351ce835d4905064d2b3f14adb605374a4a6885c23390db9eddd42add86
  • c6c6304fea3fd6f906e45544b2e5119c24cda295142ed9fafd2ec320f5ff41cc
  • 97e5ac8642f413ba4b272d3cb74cba3e890b7a3f7a7935e6ca58944dbb9bfe54

u.ps1:

  • 011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38
  • 5fbd700bd77d3f632ba6ce148281c74a20391a40c7984f108f63a20dc442f8d6
  • d9dcae235891f206d1baabfcbd79cb80337b5e462adef9516b94efc696b596b7
  • 679e9ba645e17cceeff14be7f5f7dff8582d68eba5712c5928a092e1eec55c84
  • 4d78793719d14f92f5bb9ecc7c2fa9e51c1bf332de26aa7746f35d7e42362db8
  • d55611fce7fcdd6b49066b194196577ee12bffa98400b724d013fc3a1e254f34
  • 346e18b7ce2e3c3c5412dacdc8034a7566dee12ea0aafc6b82f196dcba2453f8
  • 20e1d7af698e3e2f5092815be1a0415019511da99550fdcc050741f4b47551fa
  • f71069aed94e4b13d70bd9ee7b2a8fc8580c4339aa9ba9d8baf15abf95d6f673
  • 94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b
  • 24e44d000a61de06b63b532ef237d9f41aa897f4d9f46f8abaf9e654074a65af
  • a04677fe4ba06b66f698e4969b749174d30477283d97b5eaee16ffeb305d9c0a
  • 7b9e09227b036428a41dd46b6d6e354bb0c3822ce201c1a14d083116916e078d
  • 0494077ac65aa278680002f3b73c61c8896303668c62139a9db5a042923fd0ce
  • 47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973

inject.ps1:

  • 46caee016da4b460f7c242e19a88e8dc7544ded7d2528b0b9e918a7be64b5ceb
  • b05736874d383ed2e8dcc9d392f2c04e0fd545b8880620499d720c44adb18822
  • bf8b8f964d1c67aee82ad01528423077ef5e6c65de6d95e446c9343868849350
  • 4602d8f9e2150744e89958d813354696abe6800ee55ef70c48db3134e964a13a

tgmes.ps1:

  • 70363b97f955e5d30fb8d3a8d2a439303f88707420c05f051f87e0458fdfffc2
  • 62ff72aa8a8c5bccdf6c789952ee054a0d0d479e417fa20ea73a936e17bdf043
  • 5f24168581cdaef32e60a62ba7123917bbe65f2f8410d759f345587eb406be40

engine.ps1:

  • effb85aaef61cd8918d66513da1573365be2743ec263be4029a6b827e3ecc1c6
  • b57caa40f680d468bbf811e798ef9881d6158fb3462dd9bedb4658d17aed44a5
  • 26fa0ccc5c7b7733ee6ffc2c70edef067b6764387ef1b16cb8005f28c34a3d84
  • f080d7803ce1a1b9dc72da6ddf0dd17e23eb8227c497f09aa7dfd6f3b5be3a66
  • 93db0d88966519e76db4995a3b67ca548e4aa9675806295a790eedf585e0aa2f
  • 9f7591c9d9bc66029e6a341a4fb8828361fc14b1918f9e35506c608359fa1eec

Stealer:

  • e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
  • a641d10798be5224c8c32dfaab0dd353cd7bb06a2d57d9630e13fb1975d03a53
  • 9ce52929765433ff8bf905764d7b83c4c3fcbefb4f12eabcf16ee3dddcd3759d
  • b7bdb0cc90b11c4738c2af218a1a53e4c65b6c91c6067c224164b8fcfc3eed8c
  • f878a88b7dda1155fe939abe0500e32d5fba34569ca933bccb5603d9e0e96cc0
  • bfe2d817e20ecff45cc92b7b8f4e1cd0482b48a769940402eaa5b31cbfb9b908
  • 09b47fd0e1fcab827d1a723f9db7e402502ec91e57b7217ed85094abd98bc637
  • 978400108aa16e464b1fbc300bc270bc89193e3c3890d5e9373b3034b592b4da
  • e394f96ee040508063606343b1ad2158e266dcbd8beb3ba4a23936d1957e5ad6
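As an added example of how a defender would put the indicators above to work (this is not code from the article or from Fortinet), the following Python hashes every file under a directory and compares it against the published SHA-256 list, and refangs the network indicators to search proxy or DNS logs. The hash set below is a subset of the list above (extend it with the remaining entries); the log lines and the file contents used for the self-check are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Defanged network indicators exactly as published above.
DEFANGED_NETWORK_IOCS = [
    "144[.]208[.]127[.]230",
    "185[.]213[.]208[.]245",
    "138[.]124[.]184[.]210",
    "hxxps://github[.]com/SkorikJR",
]

# SHA-256 hashes from the IOC list above (a subset, one per component;
# add the rest). Lower-case so comparisons are case-insensitive.
KNOWN_BAD_SHA256 = {
    "1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59",  # delivery
    "011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38",  # u.ps1
    "46caee016da4b460f7c242e19a88e8dc7544ded7d2528b0b9e918a7be64b5ceb",  # inject.ps1
    "70363b97f955e5d30fb8d3a8d2a439303f88707420c05f051f87e0458fdfffc2",  # tgmes.ps1
    "effb85aaef61cd8918d66513da1573365be2743ec263be4029a6b827e3ecc1c6",  # engine.ps1
    "e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c",  # stealer
}

# Constructed proxy/DNS log excerpt (not real telemetry). Line 3 carries a
# near-miss address so the matcher's boundary handling is exercised.
SAMPLE_LOG = """\
2024-06-20T10:01:02Z proxy allow src=10.0.0.5 dst=185.213.208.245:443 bytes=5120
2024-06-20T10:01:09Z proxy allow src=10.0.0.5 dst=198.51.100.7:443 bytes=1024
2024-06-20T10:02:11Z dns answer host.local A 144.208.127.23
2024-06-20T10:03:40Z powershell url=https://github.com/SkorikJR/<redacted>
"""


def refang(ioc: str) -> str:
    """Turn the report's defanged form into the literal string seen in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def sha256_file(path, chunk=1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, known_hashes=KNOWN_BAD_SHA256):
    """Return [(path, sha256)] for files under root whose hash is in the IOC set."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable or locked file: skip it rather than abort the sweep
        if digest in known_hashes:
            hits.append((str(p), digest))
    return hits


def find_network_iocs(log_text, iocs=DEFANGED_NETWORK_IOCS):
    """Return (line_number, defanged_ioc) for every log line containing a refanged
    IOC. The look-arounds stop 144.208.127.230 from matching inside a longer token."""
    patterns = [(ioc, re.compile(r"(?<!\w)" + re.escape(refang(ioc)) + r"(?!\w)"))
                for ioc in iocs]
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ioc, pat in patterns:
            if pat.search(line):
                hits.append((n, ioc))
    return hits


def scan_constructed_sample(content: bytes, known_hashes):
    """Self-check helper: write constructed bytes to a temp dir, scan it, and
    return just the matching digests."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample.bin").write_bytes(content)
        return [digest for _, digest in scan_directory(d, known_hashes)]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_directory(root):
        print(f"HASH MATCH {digest} {path}")
    for n, ioc in find_network_iocs(SAMPLE_LOG):
        print(f"NETWORK IOC on line {n}: {ioc}")
```

Run it as `python hunt.py C:\Users` (or any directory) to sweep files; feed real proxy or DNS exports to `find_network_iocs` in place of the constructed `SAMPLE_LOG`. Hash matching only catches the exact samples listed, so treat a clean sweep as absence of these specific files, not absence of the family.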

Source credit: cybersecuritynews.com