A new information-stealing malware sold and distributed on underground Russian forums has been written in Rust, signaling a trend in which threat actors are increasingly adopting the language to bypass security protections, evade analysis, and hamper reverse-engineering efforts.
Dubbed "Ficker," it is notable for being propagated via Trojanized web links and compromised websites, luring victims to scam landing pages that purport to offer free downloads of applications like Spotify Music, YouTube Premium, and other Microsoft Store applications.
"Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its author, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program."
First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information, in addition to functioning as a tool to grab sensitive files from the compromised machine and acting as a downloader to fetch and execute additional second-stage malware.
Ficker is also known to be delivered via spam campaigns involving targeted phishing emails with weaponized macro-based Excel document attachments that, when opened, drop the Hancitor loader, which then injects the final payload using an injection technique intended to avoid detection and mask its activities.
In the months since its discovery, the threat has been found leveraging DocuSign-themed lures to install the Hancitor loader from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, which make analysis more difficult, if not prohibitive.
"Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry said.
Aside from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running in virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worth particular note is that, unlike traditional information stealers, Ficker is designed to execute its commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk. For defenders, the lack of on-disk staging leaves endpoint-based detection with fewer artifacts to catch, so the malware's C2 traffic becomes the more reliable indicator of compromise.
"The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once a connection to its C2 is established," the researchers said. "Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data."