Over the last week (26th of July 2021), CERT-AGID observed a malspam campaign whose intent was to spread the FickerStealer malware via the Hancitor loader to steal the credentials present on the victim’s machine. The emails, themed “Pagamenti“, contained an attached Word or Excel document, within which macros were recorded for downloading and executing the malware.
Hancitor
Hancitor is a loader, that is, malware whose task is to download (or extract) and execute a second malware to control the machine. In the case of Hancitor, several research teams have identified FickerStealer, Sendsafe, and Cobalt Strike Beacons as payloads.
The malware is detected in the form of Word documents or Excel spreadsheets containing a DLL file and the macros necessary for its extraction and execution via the Microsoft RunDll32.exe program.
FickerStealer
FickerStealer is a Malware-as-a-Service (MaaS). This type of malware is offered to criminal groups affiliated with the developers’ group and requires the payment of an access fee for the (time-limited) use of the malware.
In the case of FickerStealer, the product was advertised on Russian forums in the second half of 2020 and channels dedicated to supporting its use on Telegram were opened. Specifically, as observed by CERT-AGID, prices vary from $90 for a week up to $900 for six months of activity.
The malware is part of the Info-Stealer family and was designed to steal credentials and sensitive data present in the operating system, installed browsers and other software such as WinSCP, FileZilla, Steam, Discord and ThunderBird.
In addition, FickerStealer enumerates the crypto-wallets present in the system’s C:\Users\<UserName>\AppData\Roaming folder and does not run if the system language is one of the following:
- ru-RU (Russia)
- be-BY (Bielorussia)
- uz-UZ (Uzbekistan)
- ua-UA (Ucraina)
- hy-AM (Armenia)
- kk-KZ (Kazakistan)
- az-AZ (Azerbaigian)
Static Analysis
DLL File
Tag
FickerStealer Hancitor
Details
| md5 | 52DED1336D56FBA0AE37CEEE4F985153 |
| sha1 | E100B3D171D68FA4EFBC0AEEBB301C9FFBD7735D |
| sha256 | 385FC925B1AAF4B86AEAB9C368B6A101AB338B73D166CC7454162924A3B1D40E |
| File Size | 249856 bytes |
| Entropy | 4.317 |
| VirusTotal | Score: 35/62 |
Description
Di seguito vengono elencati gli Indicatori di Compromissione messi a disposizione dal CERT-AGID.
MD5
- 4fcb584cd86c3a04b7e3357922204cb5
- 338378927b00cbe6aa8c6620057755f9
- 24190cd699631d16521dfb588b2571a3
- 270c3859591599642bd15167765246e3
Sha1
- e227a8a338166dc97e360ca9cddda5e007079c58
- 3fd7b142d7e0dc0ae8350197585c2d0744027c1c
- 546a86929e82babd0ee6f970d7729e3bf6a14698
Sha256
- 99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6
- e746a6d562555f4d2f840727c9a9f8967dddcf100bd8d5f48a6209b76dd43375
- fe62ee36d2ee6bedf3181beb5880115696396a51fe65870ade1a0af60a22f128
- dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019
Domains
- anithedtatione[.]ru
- falan4zadron[.]ru
- pospvisis[.]com
- bahujansangam[.]org
- feedproxy[.]google[.]com
- wiltuslads[.]ru
- feedproxy[.]google[.]com
- feedproxy[.]google[.]com
- thervidolown[.]com
- feedproxy[.]google[.]com
URL
- hxxp://anithedtatione[.]ru/8/forum[.]php
- hxxp://falan4zadron[.]ru/7hsjfd9w4refsd[.]exe
- hxxp://pospvisis[.]com
- hxxps://bahujansangam[.]org/insaneity[.]php
- hxxp://feedproxy[.]google[.]com/~r/niqab/~3/SvG763Rcjf8/contagion[.]php
- hxxp://wiltuslads[.]ru/8/forum[.]php
- hxxp://feedproxy[.]google[.]com/~r/ddebvhnpl/~3/r564Ba1JvaM/haggle[.]php
- hxxp://feedproxy[.]google[.]com/~r/hvkrnawm/~3/A_mGDDju4y8/insaneity[.]php
- hxxp://thervidolown[.]com/8/forum[.]php
- hxxp://feedproxy[.]google[.]com/~r/xrhjqrnh/~3/QrS209hUWag/hoping[.]php
