Experts Shed Light On New Russian Malware-as-a-Service Written in Rust


A nascent information-stealing malware sold and distributed on underground Russian forums has been written in Rust, signalling a new trend in which threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.

Dubbed "Ficker Stealer," it is notable for being propagated via Trojanized web links and compromised websites, luring victims to scam landing pages that purportedly offer free downloads of legitimate paid services such as Spotify Music, YouTube Premium, and other Microsoft Store applications.


"Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its author, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program."

First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information. It also functions as a tool to grab sensitive files from the compromised machine and acts as a downloader to fetch and execute additional second-stage malware.


Furthermore, Ficker is known to be delivered via spam campaigns that send targeted phishing emails carrying weaponized macro-based Excel document attachments. When opened, the attachment drops the Hancitor loader, which then injects the final payload using a technique called process hollowing to avoid detection and mask its activities.


In the months since its discovery, the threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, which make analysis more difficult, if not prohibitive.


"Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry researchers said.

Apart from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running in virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worthy of particular note is that, unlike traditional information stealers, Ficker is designed to execute its commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk.

"The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once a connection to its C2 is established," the researchers said. "Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data."
