| Fickle Stealer | |
|---|---|
| Type of Malware | Infostealer |
| Country of Origin | Unknown |
| Date of Initial Activity | 2024 |
| Targeted Countries | Global |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Login Credentials |
Overview
In the rapidly evolving landscape of cyber threats, Fickle Stealer has emerged as a sophisticated and formidable malware strain that capitalizes on modern programming techniques and intricate attack vectors. Discovered by FortiGuard Labs in May 2024, this Rust-based stealer is notable for its complex code structure and versatile distribution methods. Fickle Stealer’s design reflects a broader trend in cybercrime where attackers leverage advanced technologies to enhance their payload’s effectiveness and evade detection.
The Fickle Stealer malware operates through a multi-stage attack chain, making its detection and mitigation particularly challenging. Its distribution relies on a variety of techniques, including VBA droppers and downloaders, which exploit vulnerabilities in Microsoft Windows platforms. Once delivered, Fickle Stealer employs a series of preparatory actions to establish persistence and bypass security measures, such as User Account Control (UAC). This allows it to execute its primary function: stealing sensitive information from compromised systems.
A distinguishing feature of Fickle Stealer is its use of a custom packer to obfuscate its malicious code, disguising it as legitimate executable files. This approach complicates static analysis and hinders traditional detection methods. Furthermore, the malware’s payload is designed to be stealthy, using anti-analysis techniques to evade sandbox environments and debugging tools. By creating a series of deceptive error messages and checking for signs of analysis, Fickle Stealer effectively avoids detection while harvesting valuable data from infected machines.
Targets
Individuals
Information
How they operate
At its core, Fickle Stealer’s attack begins with an initial access phase that often relies on phishing tactics or the exploitation of vulnerabilities in public-facing applications. Phishing campaigns, typically delivered via deceptive emails or malicious links, trick users into downloading and executing the malware. In some cases, attackers might exploit known vulnerabilities to gain unauthorized access to systems, facilitating the malware’s deployment. Once executed, Fickle Stealer uses methods like PowerShell or user execution to run its code and establish a foothold within the compromised environment.
Persistence is a crucial aspect of Fickle Stealer’s operation. The malware employs various techniques to maintain its presence on infected systems. For example, it may modify registry keys or create scheduled tasks to ensure its continued execution even after a system reboot. Additionally, Fickle Stealer may use User Account Control (UAC) bypass methods to elevate its privileges and avoid detection. These persistence mechanisms are designed to keep the malware operational and resilient against removal efforts.
In terms of defense evasion, Fickle Stealer incorporates several advanced strategies. The malware obfuscates its files and information to avoid detection by security software, employing anti-debugging and anti-virtual machine techniques to hinder analysis. This ensures that security professionals face significant challenges when attempting to dissect the malware’s behavior. Credential access is another critical phase, where Fickle Stealer attempts to capture and exfiltrate sensitive information such as usernames, passwords, and other authentication tokens.
The exfiltration process involves staging and transmitting collected data back to the attackers. Fickle Stealer may use encrypted communication channels to protect the data in transit, reducing the risk of interception by network monitoring tools. Additionally, the malware may employ domain generation algorithms (DGA) to obscure its command and control (C2) infrastructure, making it difficult for defenders to track and block malicious communications.
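As an added example (not code from FortiGuard's analysis or from the malware), the following Python turns the persistence and execution behaviours described above into detection rules over Sysmon-style events, mapped to the technique IDs this profile lists. The event lines, field names and file paths are constructed for the demo, and the rule that a Run key is only suspicious when it launches from a user-writable directory is an assumption made here to cut vendor-software noise.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value
# set). Sample data only, not telemetry from a real Fickle Stealer infection.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="',
    'EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater '
    'Details=C:\\Users\\u\\AppData\\Roaming\\svc.exe',
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine="schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\svc.exe"',
    'EventID=13 TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive '
    'Details="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Autostart entries launching from these locations are the suspicious ones (assumption);
# vendor software in Program Files setting its own Run key is treated as normal noise.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def parse_event(line):
    """Turn one 'key=value key="quoted value"' line into a dict of lower-cased values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2)).lower()
            for m in _FIELD.finditer(line)}

def run_key_from_user_dir(ev):  # T1547.001: Run key pointing into a user-writable path
    return (ev.get("EventID") == "13" and "\\currentversion\\run\\" in ev.get("TargetObject", "")
            and any(p in ev.get("Details", "") for p in USER_WRITABLE))

def schtasks_create(ev):  # T1053: a new scheduled task being registered
    return (ev.get("EventID") == "1" and ev.get("Image", "").endswith("\\schtasks.exe")
            and "/create" in ev.get("CommandLine", ""))

def hidden_or_encoded_powershell(ev):  # T1059.001: hidden window or encoded command
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventID") == "1" and ev.get("Image", "").endswith("\\powershell.exe")
            and any(flag in cmd for flag in (" -enc", " -w hidden", " -windowstyle hidden")))

# Technique IDs as given in this profile's MITRE mapping.
RULES = [("T1547.001", "Registry Run Keys / Startup Folder", run_key_from_user_dir),
         ("T1053", "Scheduled Task", schtasks_create),
         ("T1059.001", "PowerShell", hidden_or_encoded_powershell)]

def detect(lines):
    """Return one (technique_id, technique_name, event) tuple per matching event."""
    hits = []
    for ev in map(parse_event, lines):
        hits.extend((tid, name, ev) for tid, name, rule in RULES if rule(ev))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the encoded PowerShell launch, the Run key pointing into AppData and the schtasks registration, while the OneDrive Run key and the notepad launch produce no hits.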
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566)
Exploit Public-Facing Application (T1190)
Execution:
User Execution (T1204)
PowerShell (T1059.001)
Persistence:
Registry Run Keys / Startup Folder (T1547.001)
Scheduled Task (T1053)
Privilege Escalation:
User Account Control (UAC) Bypass (T1088)
Defense Evasion:
Obfuscated Files or Information (T1027)
Anti-Debugging (T1620)
Anti-VM (T1497)
Credential Access:
Credential Dumping (T1003)
Input Capture (T1056)
Exfiltration:
Data Staged (T1074)
Exfiltration Over C2 Channel (T1041)
Command and Control:
Encrypted Channel (T1573)
Domain Generation Algorithms (DGA) (T1483)