Jump to content
  • Experts Shed Light On New Russian Malware-as-a-Service Written in Rust

    aum

    • 412 views
    • 3 minutes
     Share


    • 412 views
    • 3 minutes

    A nascent information-stealing malware sold and distributed on underground Russian underground forums has been written in Rust, signalling a new trend where threat actors are increasingly adopting exotic programming languages to bypass security protections, evade analysis, and hamper reverse engineering efforts.

     

    Dubbed "Ficker Stealer," it's notable for being propagated via Trojanized web links and compromised websites, luring in victims to scam landing pages purportedly offering free downloads of legitimate paid services like Spotify Music, YouTube Premium, and other Microsoft Store applications.

     

    "Ficker is sold and distributed as Malware-as-a-Service (MaaS), via underground Russian online forums," BlackBerry's research and intelligence team said in a report published today. "Its creator, whose alias is @ficker, offers several paid packages, with different levels of subscription fees to use their malicious program."

     

    First seen in the wild in August 2020, the Windows-based malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets, and browser information, in addition to functioning as a tool to grab sensitive files from the compromised machine, and act as a downloader to download and execute additional second-stage malware.

     

    malware.jpg

     

    Additionally, Ficker is known to be delivered through spam campaigns, which involve sending targeted phishing emails with weaponized macro-based Excel document attachments that, when opened, drops the Hancitor loader, which then injects the final payload using a technique called process hollowing to avoid detection and mask its activities.

     

    malware-as-a-service.jpg

     

    In the months that followed since its discovery, the digital threat has been found leveraging DocuSign-themed lures to install a Windows binary from an attacker-controlled server. CyberArk, in an analysis of the Ficker malware last month, noted its heavily obfuscated nature and Rust roots, making the analysis more difficult, if not prohibitive.

     

    "Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry researchers said.

     

    Aside from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running on virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. Also worthy of particular note is that, unlike traditional information stealers, Ficker is designed to execute the commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk.

     

    "The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established," the researchers said. "Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...