The Ficker Stealer malware used for data exfiltration

1 5

A new Windows data-stealing cyber threat written in Rust was recently reported. The name of the malware is Ficker Stealer, and it is currently being distributed via Russian forums as malware-as-a-service (MaaS). The virus typically spreads via malicious pages that lure potential victims to download fake free versions of popular paid apps and services, including YouTube Premium, Spotify Music, and other applications that are normally available on the Microsoft Store.

In a report by BlackBerry security researchers published yesterday, it is explained that the creator of the virus, who goes by the forum name of @ficker, offers his malicious program as a service that can be hired and even offers several different “subscription plans”.

The threat was first detected back in August last year, and its primary goal is to exfiltrate sensitive user information such as credit and debit card numbers, other banking details, login credentials, cryptocurrency wallets information, browser data, and more. Another notable ability of this threat is to automatically download additional malware onto the attacked computer without the user’s knowledge.

Some other potential ways this threat could get spread around the web is via spam email campaigns, phishing online messages, malicious macro-based Excel file attachments, and more. Often, the user first gets infected with a malware loader known as Hancitor which, once activated, injects the Ficker Stealer into the user’s computer.

In an analysis of this malware by CyberArk that was posted last month, the security firm notes that the threat has been discovered to leverage DocuSign lures that allow it to install Windows binaries loaded from the hackers’ server. 

According to the analysis, the nature of the Rust coding language makes it significantly more difficult to properly analyze the threat. 

BlackBerry researchers report that once the DocuSign document is started on the targeted machine and the Hancitor loader enters the system, the loader will begin to communicate with the attackers’ server and receive from it a malicious URL that is used to start the Ficker Stealer download.

In addition to its data-gathering abilities, the Ficker Stealer threat can also allow whoever’s using it to remotely take screen-caps of the victim’s screen. In addition, the threat also has file-grabbing abilities, as well as the ability to download additional malware onto the attacked system.

Similarly to many other threats coming from the region of Russia and its neighbouring countries, the Ficker Stealer malware has built-in location-recognition features that prevent it from operating within systems that are located in Russia, Armenia, Belarus, Uzbekistan, and Azerbaijan. This is a common practice among hackers from that region, and it’s often the reason for researchers to assume that hackers who limit their malware in this way are either supported by their respective government or are even sponsored by it. There’s currently no information about whether that is the case with the Ficker Stealer hackers.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

Leave a Comment