Ficker Malware, also known as FickerStealer, has been reported in several attacks this month, highlighting the importance of paying attention to URLs when browsing the web. Malware is often found within sites holding fraudulent URLs, as is the case in a report from ESET. The report shows hackers using the Ficker malware have been hosting it on seemingly legitimate websites, purporting to be Spotify and the Microsoft Store. Once Ficker infects a machine, it scans installed browsers for passwords, credit card information, and any sensitive details saved to a browser.
As well as fake websites built around Spotify and the Microsoft Store, the hackers have also created a fake online document converter. The campaign at present is mostly centered around South America, but as with many campaigns, its success may lead it further north.
Jiri Kropac, ESET’s Head of Threat Detection Labs, BleepingComputer learned that the attack is conducted through malicious advertising that promotes what appears to be legitimate applications.
For example, one of the advertisements used in this attack promotes an online Chess application, as shown below.
When the user clicks on this ad, they are brought to an alleged Microsoft Store page for a fake ‘xChess 3’ online chess application, which is automatically downloaded from an Amazon AWS server.
The downloaded zip file is named ‘xChess_v.709.zip’, which is actually Ficker malware.
The attack vector is similar with Spotify. The victim will be shown an advertisement for Spotify with Youtube Premium free for 90 days. After clicking through, they are brought to a page with Ficker Malware ready to download.
Once the user unzips the file and launches the .exe, Ficker Malware is installed on their machine.
According to BleepingComputer, Ficker was released on Russian-speaking hacker forums in January when the developer began renting out the malware to other threat actors. The malware itself acts as an information-stealing Trojan. In a forum post, the developer describes the malware’s capabilities and allows other threat actors to rent the software from anyone from one week up to six months.
Using this malware, threat actors can steal saved credentials in web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients.
In addition to stealing passwords, the developer claims the malware can steal over fifteen cryptocurrency wallets, steal documents, and take screenshots of the active applications running on victims’ computers.
This information is then compiled into a zip file and transmitted back to the attacker, where they can then extract the data and use it for other malicious activities.
Ficker Malware Analysis
Most the the analysis found here has been carried out by Minerva Labs.
Ficker is a MaaS (Malware-as-a-Service) stealer that is sold on hacking forums. Its main goal is to steal sensitive information cached by the user – specifically browser passwords – and send it back to the virus’ owner. In a lab setting, researchers witnessed Ficker downloading Kronos RAT. Its potential as a malware loader makes it potentially more dangerous.
The virus will decrypt the final payload in-memory and then spawn another instance of itself, which will be injected with the decrypted payload. A unique evasive technique observed in the sample studied by researchers is the creation of multiple mutexes in a loop to confuse analysts, thus complicating the process of determining the infection marker used by the malware.
The following mutexes are created:
Only the latter affects the malware’s execution flow, as its existence will cause the malware to terminate.
Another feature of Ficker is that it will not execute on computers with certain locales, a common behavior in Russian developed malware who want to avoid government attention by not infecting domestically. The malware uses the function GetUserDefaultLocaleName to determine the locale of the computer, and will not execute if the following country codes are found:
The locale API call:
The virus uses the service ipify.org to get the external IP address of the device it is infecting, using the function URLDownloadToFile it downloads this information from the web service and saves it to the file C:\ProgramData\kaosdma.txt.
Attacks like these rely heavily on social engineering and duping users. For times when the dupe is too convincing for the human eye, there’s SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.