Security pros are warning of a new infostealer being distributed using different methods across the internet.
Fickle Stealer does the usual tactics – steals sensitive files, system information, files stored in the browser, cryptocurrency wallet information, and more – but what’s somewhat unusual about Fickle Stealer is that it is built on Rust.
“In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering,” security researcher Pei Han Liao said. “It also receives a target list from the server, which makes Fickle Stealer more flexible.”
Evading infostealers
Cybersecurity researchers from Fortinet FortiGuard Labs are saying that there are four separate distribution methods for Fickle Stealer, including a VBA dropper, a VBA downloader, link downloader, and executable downloader.
Some of these methods are also using a PowerShell script which bypasses User Account Control (UAC) mechanisms, as well. The PowerShell script also sends out system information such as the device’s country and city, IP address, operating system version, computer name, and username.
All of the data is exfiltrated to a Telegram bot.
Next to ransomware, infostealers are some of the most popular and most disruptive forms of malware out there. They allow threat actors to gain access to sensitive services, such as banking accounts, social media profiles, and corporate platforms. What’s more, with cryptocurrency wallet data, hackers can import the information into their own wallets, essentially stealing whatever money they find there.
Lastly, infostealers allow them to access people’s email inboxes, which can then lead to phishing attacks, impersonation and identity theft, and even ransomware attacks on corporate IT infrastructure.
Securing a device against infostealers is the same as securing it against any other form of malware – by not downloading and running suspicious files, and by double-checking all the attachments coming in the email.
Via TheHackerNews