Experts from Cyberark have come across a new Malware-as-a-service which is being sold in Underground dubbed “FickerStealer”. Researchers added, that this malware is using exotic programming language such as Rust for staying undetected and using obfuscation techniques to bypass various security controls.
The subscription of malware is being sold for atleast from $90 to $900 in underground. Upon purchase of the service, the buyer receives the server setup and a stealer executable(build) which will be provided after configuring with buyers C2 servers.
“The malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later).”
“Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.” reads the blogpost.
Researchers observed that FickerStealer has multiple advantages over other stealers available in the market such as no dependencies on downloading additional files(dll’s , exe’s, etc), Encrypted communication channel, immediate data exfiltration to C2 server after stealing the files with compression, along with download & execute feature.
CyberArk researchers had released the de-obfuscator script on their repository for the public usage.
Indicator of Compromise:
Hashes
| a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6 |
| 25fe7dd7a49dac5706ac0772f8baf415e7b554e68d904bc2e026ac2cb4848527 |
| 6029558794981d135cf41756c3e2de0cb4b08f1533a7dcd945b2ac9ff02535bf |
| ed635f60d1cc542377ea9f0b0723f19fe998a8eb6319373a1a3177066d5d4816 |
| 382055f0fca8a6172846236a2a9031ce9103359673b4b13e1c4c04bc1861d941 |
| 94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1 |
| 25fe7dd7a49dac5706ac0772f8baf415e7b554e68d904bc2e026ac2cb4848527 |
| 5a904972e7ce7ef0b9484daa3eee9860ece27845692ca5750d2b80b24acd6a8f |
| 6029558794981d135cf41756c3e2de0cb4b08f1533a7dcd945b2ac9ff02535bf |
| b00121c90392716403386a4d407015430e121eced0603af7dc0c8a996a61cb5f |
| e5ac51cbaab11a34c180417118933758ceae64d5fbbc00ebf210e6664963082c |
| 4abf05cd0f538e42237328617711752687faddfe314afe5adf07a24155305df5 |
C2 servers
| 45.141.84[.]139:80 |
| 195.154.168[.]132:81 |
| sweyblidian[.]com:80 |
| mamkindomen[.]info:80 |
| 93.115.22[.]72:80 |
| 95.217.5[.]249:80 |
| 139.59.66[.]32:81 |
Source: CyberArk
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1