An emerging information-stealing malware, sold and distributed on underground Russian underground forums has been written in Rust, is signaling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts. Rust is a multi-paradigm, high-level, general-purpose programming language designed for performance and safety, especially safe concurrency. Rust is syntactically similar to C++ but can guarantee ‘memory safety’ by using a borrow checker to validate references. Rust achieves memory safety without garbage collection, and reference counting is optional.
The malware is named "Ficker Stealer" and is notable for being propagated via Trojanized web links and compromised websites, luring in victims to scam landing pages purportedly offering free downloads of legitimate paid services like Spotify Music, YouTube Premium, and other Microsoft Store applications. "Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program."
First seen in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information. In addition to functioning as a tool to grab sensitive files from the compromised machine, it acts as a downloader to download and execute additional second-stage malware.
Ficker is also known to be delivered through spamming campaigns, which involve sending targeted phishing emails with weaponized macro-based Excel document attachments. When opened, it drops the Hancitor trojan loader, which then injects the final payload using a technique called process hollowing to avoid detection and mask its activities.
The Hancitor trojan, also known as Chanitor, is a downloader first observed in 2014. It distributes its payload via a Word document email attachment with embedded malicious macros. The most recent version of Hancitor contains the encoded shellcode within the macro and uses native API calls within Visual Basic (VB) code to pass execution and carves out and decrypts the embedded malware in the attachment. Once executed, Hancitor drops an additional payload to download the Pony DLL and Vawtrak malware executables, which steal data and connects to a C2 server. In January 2017, SANS Internet Storm Center researchers identified a recent increase in Hancitor activity. The campaign sends phishing emails claiming to be a parking ticket notification. Very sneaky. The message requests the recipient to click the link to pay their ticket and directs the victim to a Microsoft Word document containing a malicious VB macro to install Hancitor.
In the months that followed since its discovery, the digital threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, making the analysis more difficult, if not prohibitive. "Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry researchers said.
Aside from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running on virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Unlike traditional information stealers, Ficker is designed to execute the commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk. "The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once the connection to its C2 is established," the researchers said. "Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data."
At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis. Malware such as Ficker steals valuable information and then sells this information in underground cyber forums. Our analysts are currently monitoring and collecting on 65+ dark web forums, 20 ransomware forums, 49 forums, and marketplaces: of which 25 are forums [info only] and 24 are marketplaces [stolen data]. We can help identify personal and company information being sold on the Dark Web and help protect all levels of a company to avoid any network disruptions. Our analysts are currently monitoring for these types TTP’s in the underground.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings