
Emerging Threats

New Malspam campaign deploying FickerStealer Malware

frtg

In the past week, CERT-AGID observed a malspam campaign distributing the FickerStealer malware through the Hancitor loader, with the aim of stealing credentials stored on the victim's machine. The emails, themed around "Payments", carried a Word or Excel attachment whose embedded macros drop and execute the first stage of the malware.

Hancitor

Hancitor is a loader: malware whose only job is to download (or extract from its own carrier) and execute a second-stage payload that gives the operator control of the machine. In Hancitor's case, multiple research teams have identified FickerStealer, Sendsafe and Cobalt Strike Beacons as the delivered payloads.

In this campaign the loader arrives as a Word document or Excel workbook that embeds both a DLL file and the macros needed to extract that DLL to disk and execute it through the Microsoft RunDll32.exe program. The resulting process chain, an Office application spawning rundll32.exe with a DLL loaded from a user-writable directory, is the most reliable host-side signal of this stage.
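The Office-to-rundll32 process chain described above is easy to detect from process-creation telemetry. The following is an added example, not code from the original report or from CERT-AGID: a small Python rule that grades Sysmon Event ID 1 style records (fields ParentImage, Image, CommandLine) and fires when an Office host spawns rundll32.exe, escalating when the DLL argument lives under a user-writable path or hides behind a non-.dll extension. The Office process names, the list of user-writable directories and the sample events are assumptions constructed for the example.

```python
import ntpath
import re

# Office hosts that should essentially never spawn rundll32.exe directly.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directories a macro can write to without elevation; a DLL loaded from here by
# rundll32 is the Hancitor pattern. (Assumed list for this example.)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def dll_argument(cmdline: str):
    """Return the first argument rundll32 was given (the DLL to load), or None.

    rundll32 syntax is:  rundll32.exe <dll>,<entrypoint> [args]
    Both the executable and the DLL path may be quoted, and the DLL is usually
    separated from the entry point by a comma with no space.
    """
    rest = cmdline.strip()
    # Drop the rundll32 token itself, quoted or bare.
    if rest.startswith('"'):
        rest = rest[rest.find('"', 1) + 1:]
    else:
        rest = rest.split(None, 1)[1] if " " in rest else ""
    rest = rest.lstrip()
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    # A bare path ends at the comma before the entry point or at whitespace.
    return re.split(r"[,\s]", rest, maxsplit=1)[0] or None


def severity(event: dict):
    """Grade one process-creation event.

    "high"   : Office -> rundll32 loading a DLL from a user-writable directory,
               or a file without a .dll extension (a common loader disguise)
    "medium" : any other Office -> rundll32 spawn
    None     : rule does not apply
    """
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_APPS or image != "rundll32.exe":
        return None
    dll = dll_argument(event["CommandLine"])
    if dll is None:
        return "medium"
    low = dll.lower()
    if any(d in low for d in USER_WRITABLE) or not low.endswith(".dll"):
        return "high"
    return "medium"


def triage(events):
    """Return [(index, severity)] for every event the rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        sev = severity(ev)
        if sev:
            hits.append((i, sev))
    return hits


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {   # Excel macro dropping a DLL to %TEMP% and running it through rundll32
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\W0rd.dll,run",
    },
    {   # Benign: Explorer opening a Control Panel applet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # Word macro, quoted paths, DLL disguised with a .txt extension
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Roaming\ab12.txt",#1',
    },
    {   # Benign: Word printing through the 64-bit spooler helper
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
]

if __name__ == "__main__":
    for idx, sev in triage(SAMPLE_EVENTS):
        print(f"{sev.upper():6} event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The same logic ports directly to a Sigma rule or an EDR query; the point of parsing the command line rather than only matching the parent/child pair is that `rundll32.exe shell32.dll,Control_RunDLL` and similar are common in healthy environments, while a DLL under `AppData` or `Temp` launched from Excel almost never is.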

FickerStealer

FickerStealer is sold as Malware-as-a-Service (MaaS): the developers rent the malware to affiliated criminal groups, who pay an access fee for a time-limited licence rather than buying the code outright.

FickerStealer was advertised on Russian-language forums in the second half of 2020, with dedicated support channels opened on Telegram. As observed by CERT-AGID, prices range from $90 for one week up to $900 for six months of use.

The malware belongs to the info-stealer family and is designed to steal credentials and sensitive data from the operating system, installed browsers and other software such as WinSCP, FileZilla, Steam, Discord and Thunderbird.

FickerStealer also enumerates cryptocurrency wallets under the C:\Users\<Username>\AppData\Roaming folder, and exits without running if the system language is one of the following:

  • ru-RU (Russia)
  • be-BY (Belarus)
  • uz-UZ (Uzbekistan)
  • ua-UA (Ukraine)
  • hy-AM (Armenia)
  • kk-KZ (Kazakhstan)
  • az-AZ (Azerbaijan)

Static Analysis

DLL File

Tags: FickerStealer, Hancitor

Details

MD5: 52DED1336D56FBA0AE37CEEE4F985153
SHA1: E100B3D171D68FA4EFBC0AEEBB301C9FFBD7735D
SHA256: 385FC925B1AAF4B86AEAB9C368B6A101AB338B73D166CC7454162924A3B1D40E
File size: 249 856 bytes
Entropy: 4.317 (low for a PE; the file is not packed or encrypted as a whole)
VirusTotal score: 35/62 (at the time of analysis)

Description

DLL file extracted from the malicious XLS document and run through RunDll32.exe. It is the Hancitor stage of the chain: its function is to retrieve and launch the FickerStealer malware.

Indicators of Compromise

The following Indicators of Compromise have been provided by CERT-AGID. Tracking them through Cyber Threat Intelligence platforms enables rapid detection of, and response to, related intrusion attempts. Note that feedproxy[.]google[.]com is Google's FeedBurner redirector, a legitimate shared domain abused here only as an intermediate hop: act on the full URLs for that host rather than on the domain itself, or you will block legitimate feed traffic.

MD5

  • 4fcb584cd86c3a04b7e3357922204cb5
  • 338378927b00cbe6aa8c6620057755f9
  • 24190cd699631d16521dfb588b2571a3
  • 270c3859591599642bd15167765246e3

SHA1

  • e227a8a338166dc97e360ca9cddda5e007079c58
  • 3fd7b142d7e0dc0ae8350197585c2d0744027c1c
  • 546a86929e82babd0ee6f970d7729e3bf6a14698

SHA256

  • 99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6
  • e746a6d562555f4d2f840727c9a9f8967dddcf100bd8d5f48a6209b76dd43375
  • fe62ee36d2ee6bedf3181beb5880115696396a51fe65870ade1a0af60a22f128
  • dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019

Domains

  • anithedtatione[.]ru
  • falan4zadron[.]ru
  • pospvisis[.]com
  • bahujansangam[.]org
  • feedproxy[.]google[.]com
  • wiltuslads[.]ru
  • thervidolown[.]com

URLs

  • hxxp://anithedtatione[.]ru/8/forum[.]php
  • hxxp://falan4zadron[.]ru/7hsjfd9w4refsd[.]exe
  • hxxp://pospvisis[.]com
  • hxxps://bahujansangam[.]org/insaneity[.]php
  • hxxp://feedproxy[.]google[.]com/~r/niqab/~3/SvG763Rcjf8/contagion[.]php
  • hxxp://wiltuslads[.]ru/8/forum[.]php
  • hxxp://feedproxy[.]google[.]com/~r/ddebvhnpl/~3/r564Ba1JvaM/haggle[.]php
  • hxxp://feedproxy[.]google[.]com/~r/hvkrnawm/~3/A_mGDDju4y8/insaneity[.]php
  • hxxp://thervidolown[.]com/8/forum[.]php
  • hxxp://feedproxy[.]google[.]com/~r/xrhjqrnh/~3/QrS209hUWag/hoping[.]php
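The indicators above are published defanged, and one of the hosts is shared with legitimate traffic, so a naive host-level blocklist would be both useless as written and harmful once refanged. The following is an added example, not code from the original report or from CERT-AGID: a Python script that refangs the CERT-AGID network indicators, matches attacker-controlled domains by host (including subdomains) but shared hosts such as feedproxy.google.com only by full host and path, and runs that over a few constructed proxy log lines. The proxy log layout and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# The CERT-AGID network indicators from the list above, kept in their defanged form.
DEFANGED_DOMAINS = [
    "anithedtatione[.]ru", "falan4zadron[.]ru", "pospvisis[.]com",
    "bahujansangam[.]org", "feedproxy[.]google[.]com", "wiltuslads[.]ru",
    "thervidolown[.]com",
]
DEFANGED_URLS = [
    "hxxp://anithedtatione[.]ru/8/forum[.]php",
    "hxxp://falan4zadron[.]ru/7hsjfd9w4refsd[.]exe",
    "hxxp://pospvisis[.]com",
    "hxxps://bahujansangam[.]org/insaneity[.]php",
    "hxxp://feedproxy[.]google[.]com/~r/niqab/~3/SvG763Rcjf8/contagion[.]php",
    "hxxp://wiltuslads[.]ru/8/forum[.]php",
    "hxxp://feedproxy[.]google[.]com/~r/ddebvhnpl/~3/r564Ba1JvaM/haggle[.]php",
    "hxxp://feedproxy[.]google[.]com/~r/hvkrnawm/~3/A_mGDDju4y8/insaneity[.]php",
    "hxxp://thervidolown[.]com/8/forum[.]php",
    "hxxp://feedproxy[.]google[.]com/~r/xrhjqrnh/~3/QrS209hUWag/hoping[.]php",
]

# Hosts that also carry legitimate traffic: never match these on host alone.
# feedproxy.google.com is Google's FeedBurner redirector, abused here as a hop.
SHARED_HOSTS = {"feedproxy.google.com"}


def refang(ioc: str) -> str:
    """Convert the published defanged form back into a matchable string."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def host_path(url: str):
    """Normalise a URL to (host, path). Scheme and query are ignored because
    the same redirector path is reachable over both http and https."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_iocs():
    """Return (attacker_domains, url_indicators) ready for matching."""
    domains = {refang(d) for d in DEFANGED_DOMAINS} - SHARED_HOSTS
    urls = {host_path(refang(u)) for u in DEFANGED_URLS}
    return domains, urls


def classify(url: str, domains, url_iocs):
    """'domain' if the host (or a subdomain of it) is attacker-controlled,
    'url' if host+path matches a full-URL indicator, otherwise None."""
    host, path = host_path(url)
    if host in domains or any(host.endswith("." + d) for d in domains):
        return "domain"
    if (host, path) in url_iocs:
        return "url"
    return None


# Assumed proxy log layout for this example: "<timestamp> <client> <method> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan(log_text: str):
    """Return one dict per log line that touches an indicator."""
    domains, url_iocs = build_iocs()
    hits = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue
        kind = classify(m["url"], domains, url_iocs)
        if kind:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "kind": kind})
    return hits


# Constructed sample log, not real traffic: lines 1, 2 and 4 should fire;
# line 3 (a legitimate FeedBurner feed) and line 5 must not.
SAMPLE_LOG = """\
2021-05-11T09:12:03Z 10.0.0.23 GET http://anithedtatione.ru/8/forum.php 200
2021-05-11T09:12:05Z 10.0.0.23 GET http://feedproxy.google.com/~r/niqab/~3/SvG763Rcjf8/contagion.php 302
2021-05-11T09:13:40Z 10.0.0.41 GET http://feedproxy.google.com/~r/TechCrunch/~3/abc123/ 200
2021-05-11T09:14:02Z 10.0.0.23 GET http://falan4zadron.ru/7hsjfd9w4refsd.exe 200
2021-05-11T09:15:00Z 10.0.0.55 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['kind']:6} {h['url']}")
```

Run as-is it reports the three matching lines and the one client (10.0.0.23) that walked the full chain: the forum.php check-in followed by the FeedBurner hop and the payload download. In a real deployment the same split applies to any shared infrastructure that turns up in an IOC feed (CDNs, URL shorteners, cloud storage): host-level blocks only for infrastructure the attacker owns, full-URL matches for everything else.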

The pairing of a commodity loader such as Hancitor with a MaaS-distributed info-stealer shows how modular these distribution chains have become: the loader operator only needs a working lure and a macro, and the stealer is rented by the week. Defenders should concentrate on the delivery stage: block or quarantine macro-enabled Office attachments from external senders, enforce application control so that a DLL dropped under the user profile cannot be loaded by RunDll32.exe, and alert on Office processes spawning rundll32.exe. In ATT&CK terms the chain maps to T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1218.011 (System Binary Proxy Execution: Rundll32) and T1555 (Credentials from Password Stores).
