Key Takeaways
What is FickleStealer?
FickleStealer is distributed using at least four different attack methods, including a VBA dropper, a VBA downloader, a link downloader, and an executable downloader.
The attack chain uses PowerShell scripts to bypass UAC, escalate privileges, and execute the malware. A PowerShell script also sends information about the victim's machine to a threat actor-controlled Telegram bot.
FickleStealer's payload is protected by a packer masquerading as a legitimate executable. It is likely the threat actor built the packer by replacing a portion of the code in a legitimate executable with the packer's code, allowing it to evade static analysis. Before beaconing to a remote server to exfiltrate data, the payload runs a series of anti-analysis checks for sandbox and virtual machine environments.
The stealer can steal a variety of data, including data from crypto wallets, web browsers, AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram. It is capable of exfiltrating files with the following extensions: .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat. FickleStealer is also flexible in that it can receive a target list from the server. According to Fortinet, FickleStealer appears to still be in active development and is considered a high-severity threat.
IOCs
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all FickleStealer samples in our portal:
$ polyswarm link list -f FickleStealer