During the week of 26 July 2021, CERT-AGID observed a malspam campaign whose aim was to spread the FickerStealer malware via the Hancitor loader in order to steal the credentials present on the victim's machine. The emails, themed "Pagamenti", carried an attached Word or Excel document containing macros that download and execute the malware.

Hancitor

Hancitor is a loader, that is, malware whose task is to download (or extract) and execute a second malware to control the machine. In the case of Hancitor, several research teams have identified FickerStealer, Sendsafe, and Cobalt Strike Beacons as payloads.

The malware is delivered as Word documents or Excel spreadsheets that embed a DLL file together with the macros needed to extract it and execute it via the Microsoft RunDll32.exe program.
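As an added example that is not part of CERT-AGID's advisory, the check below flags the delivery chain described above (an Office application launching rundll32.exe on a DLL dropped into a user-writable folder) over a few constructed process-creation events; the event fields, paths and DLL names are assumptions, not indicators from the campaign.

```python
from typing import Optional

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\W0rd.dll,ASDFSDF"},
    {"pid": 4388, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 5210, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\Documents\x.dll",Start'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Path fragments that a macro can write to without elevation (assumed watch-list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_dll(cmdline: str) -> Optional[str]:
    """Return the DLL path handed to rundll32 ("<dll>,<entry>"), or None."""
    rest = cmdline.strip()
    # Drop the rundll32 executable token, which may itself be quoted.
    if rest.startswith('"'):
        rest = rest[rest.find('"', 1) + 1:]
    else:
        rest = rest.split(None, 1)[1] if " " in rest else ""
    rest = rest.strip()
    if not rest:
        return None
    if rest.startswith('"'):                      # quoted path with spaces
        dll = rest[1:rest.find('"', 1)]
    else:                                         # path ends at the comma
        dll = rest.split(",", 1)[0].split()[0]
    return dll or None


def assess(event: dict) -> list:
    """Reasons this event matches the Office-macro -> rundll32 -> DLL chain."""
    reasons = []
    if basename(event["image"]) != "rundll32.exe":
        return reasons
    if basename(event["parent"]) in OFFICE_APPS:
        reasons.append("rundll32 spawned by an Office application")
    dll = rundll32_dll(event["cmdline"])
    if dll and any(marker in dll.lower() for marker in USER_WRITABLE):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    return reasons


def suspicious_events(events: list) -> list:
    """(pid, reasons) for every event that triggers at least one reason."""
    return [(e["pid"], assess(e)) for e in events if assess(e)]
```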

FickerStealer

FickerStealer is a Malware-as-a-Service (MaaS). This type of malware is offered to criminal groups affiliated with the developers’ group and requires the payment of an access fee for the (time-limited) use of the malware.

In the case of FickerStealer, the product was advertised on Russian forums in the second half of 2020 and channels dedicated to supporting its use on Telegram were opened. Specifically, as observed by CERT-AGID, prices vary from $90 for a week up to $900 for six months of activity.

The malware belongs to the info-stealer family and was designed to steal credentials and sensitive data from the operating system, the installed browsers and other software such as WinSCP, FileZilla, Steam, Discord and Thunderbird.

In addition, FickerStealer enumerates the crypto-wallets present in the system’s C:\Users\<UserName>\AppData\Roaming folder and does not run if the system language is one of the following:

  • ru-RU (Russia)
  • be-BY (Belarus)
  • uz-UZ (Uzbekistan)
  • ua-UA (Ukraine)
  • hy-AM (Armenia)
  • kk-KZ (Kazakhstan)
  • az-AZ (Azerbaijan)

Static Analysis

DLL File

Tag: FickerStealer, Hancitor

Details:
  • MD5: 52DED1336D56FBA0AE37CEEE4F985153
  • SHA1: E100B3D171D68FA4EFBC0AEEBB301C9FFBD7735D
  • SHA256: 385FC925B1AAF4B86AEAB9C368B6A101AB338B73D166CC7454162924A3B1D40E
  • File size: 249856 bytes
  • Entropy: 4.317
  • VirusTotal score: 35/62

Description

The Indicators of Compromise made available by CERT-AGID are listed below.
