Emerging Rust Malware Uses PowerShell to Evade UAC and Steal Data


Posted on: 24 Jun 2024 | Author: Foresiet

A new Rust-based information-stealing malware named Fickle Stealer has been identified, using multiple attack vectors to compromise systems and extract sensitive information. According to Fortinet FortiGuard Labs, Fickle Stealer is being distributed through four different methods: VBA dropper, VBA downloader, link downloader, and executable downloader. Some of these methods employ a PowerShell script to bypass User Account Control (UAC) and execute the malware.

Attack Mechanism

The PowerShell script, referred to as "bypass.ps1" or "u.ps1," not only bypasses UAC but also periodically sends detailed information about the victim, including their country, city, IP address, operating system version, computer name, and username, to a Telegram bot controlled by the attacker. This enables the attacker to maintain persistent surveillance over the compromised host.
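The behaviour described above gives defenders two host-level signals to pair: a PowerShell process that was started to run a script, and that same process resolving or connecting to the Telegram Bot API host. The following is an added example of that correlation, written for this page and not code from Fortinet or Foresiet. The script names `bypass.ps1` and `u.ps1` come from the report above; `api.telegram.org` is the public endpoint of the Telegram Bot API; the key=value event layout, the field names, the event ID mapping (1 = process create, 3 = network connect, 22 = DNS query) and the "hidden execution" heuristic are assumptions made for the example, and the sample events are constructed, not real captures.

```python
import re
from collections import defaultdict

# Script names reported for the UAC-bypass / beacon stage (from the report above).
KNOWN_SCRIPT_NAMES = {"bypass.ps1", "u.ps1"}
# Host serving the Telegram Bot API; a script reporting to a bot has to reach it.
TELEGRAM_API_HOST = "api.telegram.org"
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry in a simplified Sysmon-like key=value layout
# (assumed mapping: EventID 1 = process create, 3 = network connect, 22 = DNS query).
SAMPLE_EVENTS = [
    r'EventID=1 ProcessId=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\u.ps1"',
    r'EventID=22 ProcessId=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe QueryName=api.telegram.org',
    r'EventID=3 ProcessId=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=api.telegram.org DestinationPort=443',
    r'EventID=1 ProcessId=5210 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -File C:\Scripts\nightly-backup.ps1"',
    r'EventID=3 ProcessId=5210 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=backup.corp.example DestinationPort=443',
    r'EventID=3 ProcessId=6001 Image="C:\Program Files\Telegram Desktop\Telegram.exe" DestinationHostname=api.telegram.org DestinationPort=443',
]

# key=value pairs; a quoted value may contain spaces (command lines, paths).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The script passed to PowerShell via -File, quoted or not.
_FILE_ARG = re.compile(r'-File\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def parse_event(line):
    """Parse one event line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def _basename(path):
    """Lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def script_name(command_line):
    """Lowercase basename of the -File script in a PowerShell command line, or None."""
    m = _FILE_ARG.search(command_line)
    if not m:
        return None
    return _basename(m.group(1) or m.group(2))


def analyze(lines):
    """Correlate events per ProcessId for PowerShell processes only.

    Returns {ProcessId: [reasons]} for processes that ran a reported script name,
    were launched hidden with the execution policy bypassed (generic heuristic,
    an assumption of this example), or talked to the Telegram Bot API host.
    """
    reasons = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("ProcessId")
        if not pid or _basename(ev.get("Image", "")) not in POWERSHELL_IMAGES:
            continue  # Telegram Desktop itself talking to api.telegram.org is not a finding
        eid = ev.get("EventID")
        if eid == "1":
            cmd = ev.get("CommandLine", "")
            name = script_name(cmd)
            if name in KNOWN_SCRIPT_NAMES:
                reasons[pid].append(f"known script name {name}")
            low = cmd.lower()
            if "-executionpolicy bypass" in low and "-windowstyle hidden" in low:
                reasons[pid].append("hidden execution with policy bypass")
        elif eid in ("3", "22"):
            host = ev.get("DestinationHostname") or ev.get("QueryName") or ""
            if host.lower() == TELEGRAM_API_HOST:
                reasons[pid].append(f"contacts {TELEGRAM_API_HOST} (EventID {eid})")
    return dict(reasons)


if __name__ == "__main__":
    for pid, why in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

Only process 4120 is reported: it ran `u.ps1` hidden with the execution policy bypassed and then resolved and connected to `api.telegram.org`. The backup script (5210) and the legitimate Telegram Desktop client (6001) produce no finding, which is the point of keying on the PowerShell image and correlating by process rather than alerting on the Telegram host alone.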

Once the stealer payload is activated, it runs several anti-analysis checks to determine whether it is running in a sandbox or virtual machine. If no such environment is detected, the malware connects to a remote server and exfiltrates the collected data in JSON format.

Targeted Information

Fickle Stealer targets a wide array of applications and data sources, including cryptocurrency wallets, web browsers powered by Chromium and the Gecko browser engine (such as Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox), and popular applications like AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram. Additionally, it seeks out files with extensions such as .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat.

The malware also searches for sensitive files in the parent directories of common installation locations to ensure thorough data collection. Because it receives its target list from the command-and-control (C2) server, the set of applications and file types it collects can be changed by the operator without shipping a new binary, making Fickle Stealer highly adaptable.

Recent Developments

The emergence of Fickle Stealer comes on the heels of another revelation by Symantec regarding an open-source Python-based information stealer called AZStealer. This malware is designed to steal a wide variety of data and has been marketed on GitHub as an undetected Discord stealer. AZStealer exfiltrates stolen data either directly through Discord webhooks or by first uploading it to online file storage services before sending it via Discord.

Proactive Cybersecurity Measures

To counter such advanced threats, businesses should adopt comprehensive cybersecurity strategies, including stolen credentials detection, darknet monitoring services, dark web surveillance, and compromised data tracking. Digital footprint analysis, brand protection, brand impersonation defense, online risk evaluation, and digital threat scoring are essential components of a robust defense strategy. Partnering with Foresiet can provide advanced solutions tailored to protect your organization’s digital assets and reduce cybersecurity risks.

Conclusion

The rise of sophisticated malware like Fickle Stealer underscores the importance of robust cybersecurity practices and continuous vigilance. As cyber threats evolve, organizations must stay ahead by implementing advanced threat detection and mitigation strategies. By leveraging comprehensive cybersecurity solutions, businesses can protect their critical data and maintain their defenses against emerging threats.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
