
A New Malware-As-A-Service Sold In DarkWeb.

Experts from CyberArk have come across a new Malware-as-a-Service offering, dubbed "FickerStealer", that is being sold on underground forums. The researchers add that the malware is written in an exotic programming language, Rust, to stay undetected, and that it uses obfuscation techniques to bypass various security controls.

A subscription to the malware is sold for between $90 and $900 on the underground market. Upon purchase of the service, the buyer receives the server setup and a stealer executable (build), which is provided after it has been configured with the buyer's C2 servers.

“The malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later).”

Source: CyberArk

“Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware,” reads the blog post.

The researchers observed that FickerStealer has multiple advantages over other stealers on the market: it has no dependency on downloading additional files (DLLs, EXEs, etc.), it uses an encrypted communication channel, it exfiltrates stolen data to the C2 server immediately after compressing it, and it offers a download-and-execute feature.

CyberArk researchers have released a de-obfuscator script in their repository for public use.

Indicators of Compromise:


Source: CyberArk

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
