Fickle Stealer: High-Tech Rust-Based Malware Targets Crypto Wallets

Apps & Games / Desktop / Windows / Fickle Stealer: High-Tech Rust-Based Malware Targets Crypto Wallets
20 Jun 2024

Rust’s sophistication has led threat actors to create Fickle Stealer, a high-tech Rust-based malicious program that delivers itself through a VBA dropper, VBA downloader, Link downloader, and Executable downloader. This innovative malware initiates its preparation of PowerShell scripts by evading UAC through the creation of scheduled tasks, injecting code into executables, and communicating via Telegram. The Packer disguises itself as genuine executable software that later decrypts and executes this sneaky payload, cleverly dodging normal analysis through code injection before the WinMain function.

Attack Flow

Fickle Stealer begins by creating a mutex and performing anti-analysis checks, such as detecting debuggers, analyzing process names, checking loaded modules, detecting virtual machines, examining hardware IDs, and inspecting usernames. If it passes these checks, it gathers system information, creates a folder in the Temp directory, copies itself there, and has that copy communicate with the C2 server.

Execution Flow

The server responds with an RC4-encrypted target list of crypto wallets, plugins, file extensions, and paths. Fickle Stealer then steals matching data, compresses it using Deflate, encodes it in a specific JSON format, and exfiltrates it to the C2 server. According to the Fortinet report, beyond targeting popular apps, Fickle Stealer comprehensively searches for sensitive data in common installation directories and their parent paths. It receives a flexible target list from its C2 server, enabling frequent updates to that list as development continues on new malware variants.

While it’s strongly recommended to use a robust security solution for better monitoring and protection against these evolving threats, the latest Fickle Stealer versions and updated attack chains continue to pose significant risks.

Indicators of Compromise (IOCs)

IP Addresses:

  • 144[.]208[.]127[.]230
  • 185[.]213[.]208[.]245
  • 138[.]124[.]184[.]210
  • hxxps:// github[.]com/SkorikJR

Files:

  • 1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59
  • ad57cc0508d3550caa65fcb9ee349c4578610970c57a26b7a07a8be4c8b9bed9
  • 8e87ab1bb9870de9de4a7b409ec9baf8cae11deec49a8b7a5f73d0f34bea7e6f
  • 9ffc6a74b88b66dd269d006dec91b8b53d51afd516fe2326c6f9e3ed81d860ae
  • 48e2b9a7b8027bd03ceb611bbfe48a8a09ec6657dd5f2385fc7a75849bb14db1
  • 6f9f65c2a568ca65326b966bcf8d5b7bfb5d8ddea7c258f58b013bc5e079308b
  • 2236ffcf2856d5c9c2dedf180654cf318596614be450f6b24621dc13d7370dbf
  • 8d3ccfafc39830ee2325170e60a44eca4a24c9c4dd682a84fa60c961a0712316
  • 3ad1c2273ee77845117c0f7f55bf0050b0bcea52851d410520a694252b7bb187
  • 7034d351ce835d4905064d2b3f14adb605374a4a6885c23390db9eddd42add86
  • c6c6304fea3fd6f906e45544b2e5119c24cda295142ed9fafd2ec320f5ff41cc
  • 97e5ac8642f413ba4b272d3cb74cba3e890b7a3f7a7935e6ca58944dbb9bfe54

u.ps1:

  • 011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38
  • 5fbd700bd77d3f632ba6ce148281c74a20391a40c7984f108f63a20dc442f8d6
  • d9dcae235891f206d1baabfcbd79cb80337b5e462adef9516b94efc696b596b7
  • 679e9ba645e17cceeff14be7f5f7dff8582d68eba5712c5928a092e1eec55c84
  • 4d78793719d14f92f5bb9ecc7c2fa9e51c1bf332de26aa7746f35d7e42362db8
Update: 20 Jun 2024