Home Security New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

by


Jun 20, 2024NewsroomThreat Intelligence / Cybercrime

A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts.

Fortinet FortiGuard Labs said it’s aware of four different distribution methods — namely VBA dropper, VBA downloader, link downloader, and executable downloader — with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer.

The PowerShell script (“bypass.ps1” or “u.ps1”) is also designed to periodically send information about the victim, including country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker.

Cybersecurity

The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine if it’s running in a sandbox or a virtual machine environment, following which it beacons out to a remote server to exfiltrate data in the form of JSON strings.

Fickle Stealer is no different from other variants in that it’s designed to gather information from crypto wallets, web browsers powered by Chromium and the Gecko browser engine (i.e, Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox), and applications like AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.

It’s also designed to export files matching the extensions .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat.

UAC Bypass and Data Exfiltration

“In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering,” security researcher Pei Han Liao said. “It also receives a target list from the server, which makes Fickle Stealer more flexible.”

The disclosure comes as Symantec disclosed details of an open-source Python stealer called AZStealer that comes with the functionality to steal a wide variety of information. Available on GitHub, it has been advertised as the “best undetected Discord stealer.”

Cybersecurity

“All stolen information is zipped and depending on the size of the archive exfiltrated directly through Discord webhooks or first uploaded to Gofile online files storage and after that exfiltrated via Discord,” the Broadcom-owned company said.

“AZStealer will also attempt the theft of document files with predefined targeted extensions or those having specific keywords such as password, wallet, backup, etc. in the filename.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex