Experts identify a new Russian Malware
Experts have identified a new malware advertised on Russian underground forums that is written in Rust, a high-level general-purpose programming language. This reflects a growing trend among malware authors of adopting less common languages to evade security tooling.
Named Ficker Stealer, it is sold as Malware-as-a-Service (MaaS) and spreads through Trojanized web links and compromised websites. It lures victims with offers of free downloads of paid services such as YouTube Premium and Spotify Music, hosted on scam landing pages.
A report by BlackBerry’s research and intelligence team states that Ficker is distributed via underground forums in Russia, where it is offered in several paid packages with different subscription fees for access to the malicious program.
Ficker was first observed in the wild last August and specialises in stealing information such as login credentials, credit card details, crypto wallets, and browser data. It also functions as a file grabber on infected systems and as an entry point for second-stage malware.
In addition, the malware can be delivered through email, using malicious macro-enabled Excel attachments that drop the Hancitor loader when downloaded. Hancitor injects the final payload through process hollowing, allowing it to mask its activity inside a legitimate process.
BlackBerry researchers also pointed out that Ficker uses DocuSign-themed lures that install a Windows binary from an attacker-controlled server. Once the document is opened and the macro code runs, Hancitor contacts its C2 infrastructure to retrieve a URL pointing at a Ficker sample.
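The delivery chain above (macro-enabled Office document, loader child process, outbound C2 fetch) is something a defender can look for in endpoint telemetry. The following is an added example written for this page, not code from the BlackBerry report; it runs simple process-tree rules over constructed Sysmon-style events, and every PID, path and destination in it is a hypothetical sample value, not an indicator from the report.

```python
"""Detect an Office document spawning a loader that then reaches out to a C2 host.
The events below are constructed Sysmon-style records, not real telemetry."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample events (hypothetical PIDs, paths and addresses).
EVENTS = [
    {"type": "process_create", "pid": 1200, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"type": "process_create", "pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "network_connect", "pid": 1300, "dest": "203.0.113.10", "port": 443},
    {"type": "process_create", "pid": 1400, "ppid": 1200, "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "process_create", "pid": 1500, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 1500, "dest": "example.com", "port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_raw_ip(dest):
    """True when the destination is a bare IPv4 address rather than a hostname."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dest) is not None


def descends_from_office(pid, parents, images):
    """Walk the parent chain and report whether any ancestor is an Office app."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if images.get(pid) in OFFICE_APPS:
            return True
    return False


def analyse(events):
    """Return a list of (pid, reason) alerts in event order."""
    images, parents, alerts = {}, {}, []
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = basename(ev["image"])
            parents[ev["pid"]] = ev["ppid"]
            parent_img = images.get(ev["ppid"])
            if parent_img in OFFICE_APPS:  # macro-enabled document launching a child
                alerts.append((ev["pid"], f"{parent_img} spawned {images[ev['pid']]}: possible macro loader"))
        elif ev["type"] == "network_connect":
            # Office-descended process connecting straight to an IP: loader fetching its payload URL
            if descends_from_office(ev["pid"], parents, images) and is_raw_ip(ev["dest"]):
                alerts.append((ev["pid"], f"office-descended process connected to {ev['dest']}:{ev['port']}"))
    return alerts
```

In this sample the rundll32 child and its raw-IP connection are flagged, as is the second Office child, while explorer.exe reaching a hostname is not.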
It has also been observed that Ficker is designed to execute commands and exfiltrate information directly to the operators rather than writing the stolen data to disk. Another capability is screen capture, which lets the attacker take a snapshot of the victim’s screen.
The experts further noted that once the C2 connection is established, the malware also supports file grabbing and downloading, giving the threat actor access to the exfiltrated data.