FortiGuard Labs analyzes Fickle Stealer, a Rust-based stealer distributed through a multi-stage attack chain (Delivery, Preparatory Work, and Packer/Stealer Payload) that leverages VBA macros, PowerShell, and various downloaders to drop and execute the malware. It exfiltrates victim data to a server, reports status via a Telegram bot, and uses a packer to evade static analysis. #FickleStealer #FortiGuard #TelegramBot #PowerShell
Key points
- Fickle Stealer is a Rust-based stealer observed by FortiGuard Labs in May 2024, noted for its intricate code and flexible targeting.
- Attack chain is divided into three stages: Delivery, Preparatory Work, and Packer and Stealer Payload, with multiple delivery paths.
- Delivery methods include VBA dropper, VBA downloader, link downloader, and executable downloader, often downloading a PowerShell script (u.ps1 or bypass.ps1).
- Preparatory work revolves around bypassing defenses (UAC) and setting up task execution, including fake WmiMgmt.msc and a web page to deliver the stealer.
- The packer disguises the stealer as a legitimate executable, complicating static analysis by modifying a function and executing in memory.
- Stealer payload features anti-analysis checks, mutex-based race prevention, data collection from wallets and browsers, and RC4-encrypted target lists sent to a C2 server; data is then exfiltrated in JSON format.
MITRE Techniques
- [T1566.001] Phishing – Phishing via a Word document with VBA macros that load and execute a script. – “This attack chain starts with a Word document. Its VBA macro loads an XML file stored in the caption of a UserForm object and executes a script encoded with Windows Script Encoder in the XML file.”
- [T1059.001] PowerShell – The downloader/preparatory work relies on PowerShell scripts. – “download a PowerShell script for preparatory work.”
- [T1027] Obfuscated/Compressed Files – Script encoded in XML using Windows Script Encoder. – “a script encoded with Windows Script Encoder in the XML file.”
- [T1059.005] Visual Basic for Applications – VBA macro-based delivery chains (VBA dropper/downloader). – The “VBA dropper” / “VBA downloader” sections describe VBA-based delivery.
- [T1053.005] Scheduled Task – Creates a new task to run engine.ps1 after 15 minutes. – “it creates a new task that executes engine.ps1 after 15 minutes.”
- [T1548.002] Bypass UAC – Bypasses User Account Control to execute Fickle Stealer. – “To bypass UAC, u.ps1 drops a copy of WmiMgmt.msc and a fake WmiMgmt.msc to the following paths.”
- [T1047] Windows Management Instrumentation – Uses WMI-related checks to detect the environment. – “Query string: SELECT Name FROM Win32_Process” (and other WMI checks described to detect analysis).
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks return null results in some VMs; sandbox detection. – “The results of querying the following WMI objects are null in some virtual machines.”
- [T1036] Masquerading – Packer masquerades as a legitimate executable to evade detection. – “The packer disguised as a legal executable.”
- [T1059.003] Windows Command Shell – Use of cmd.exe in cleanup/exfiltration processes. – “cmd.exe /c timeout /t 5 & del /f /q {stealer} & exit.”
- [T1041] Exfiltration Over C2 Channel – Stolen data sent to a remote server in JSON/Deflate format. – “The stolen data is stored in a specific JSON format… After being compressed with the Deflate algorithm, the JSON-formatted data is sent to the server.”
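As an added example that is not part of the FortiGuard report, the following Python detection logic checks constructed Sysmon-style process-creation records for three of the behaviours above: the delayed self-deletion command, a task that runs engine.ps1, and PowerShell launching one of the campaign's stage scripts. The regexes, the sample events and the assumption that the task is registered with schtasks.exe or Register-ScheduledTask are mine, not details from the report.

```python
import re

# Detection patterns for behaviours the report describes. The regexes and the
# assumption that the task is registered via schtasks.exe or
# Register-ScheduledTask are mine, not taken from the report.
RULES = {
    # "cmd.exe /c timeout /t 5 & del /f /q {stealer} & exit": delayed self-deletion
    "self_delete_after_timeout": re.compile(
        r"timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+\S+", re.IGNORECASE),
    # a task whose action runs engine.ps1 (the report says it fires after 15 minutes)
    "scheduled_task_engine_ps1": re.compile(
        r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask).*engine\.ps1", re.IGNORECASE),
    # PowerShell started with one of the stage scripts named in the report
    "stage_script_powershell": re.compile(
        r"powershell(\.exe)?.*\b(u|bypass|engine|inject|tgmes)\.ps1\b", re.IGNORECASE),
}

# Constructed Sysmon-style process-creation records for testing; none are real captures.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c timeout /t 5 & del /f /q C:\Users\u\AppData\Local\Temp\wmi.exe & exit"},
    {"id": 2, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Update /tr "powershell -ep bypass -f C:\Users\u\engine.ps1" /sc once /st 10:15'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Roaming\u.ps1"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\u"},
]


def match_event(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def scan(events):
    """Map each event id to its matched rule names, omitting events that match nothing."""
    hits = {}
    for event in events:
        matched = match_event(event)
        if matched:
            hits[event["id"]] = matched
    return hits


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 2 is flagged twice on purpose: the task registration and the PowerShell action inside it are separate signals that a triage queue should surface together.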
Indicators of Compromise
- [IP Addresses] 144.208.127.230, 185.213.208.245, 138.124.184.210 – observed as C2 or download infrastructure.
- [Domain/URL] hxxps://github[.]com/SkorikJR – referenced as a URL in the campaign.
- [File Hashes] 1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59, ad57cc0508d3550caa65fcb9ee349c4578610970c57a26b7a07a8be4c8b9bed9 – example delivery/downloaders.
- [File Hashes] 8e87ab1bb9870de9de4a7b409ec9baf8cae11deec49a8b7a5f73d0f34bea7e6f – additional downloader/script.
- [File] u.ps1 – PowerShell loader (hashes included in IOC list) – 011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38
- [File] engine.ps1, inject.ps1, tgmes.ps1, and other script files listed with multiple hashes (example shown) – 70363b97f955e5d30fb8d3a8d2a439303f88707420c05f051f87e0458fdfffc2