{"id":2972,"date":"2021-07-26T12:20:46","date_gmt":"2021-07-26T10:20:46","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2972"},"modified":"2026-06-08T22:47:59","modified_gmt":"2026-06-08T22:47:59","slug":"fickerstealer-malspam-campaign","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/fickerstealer-malspam-campaign\/","title":{"rendered":"New Malspam campaign deploying FickerStealer Malware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In the past week, CERT-AGID observed a <em><strong>malspam<\/strong><\/em> campaign aimed at distributing the <strong><em>FickerStealer malware<\/em><\/strong> through the <strong><em>Hancitor<\/em><\/strong> <em><strong>loader<\/strong><\/em> to steal credentials present on the victim&#8217;s machine. The emails, themed around <strong>&#8220;Payments&#8221;<\/strong>, contained a <strong>Word<\/strong> or <strong>Excel<\/strong> document as an attachment, with embedded macros that download and execute the malware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hancitor\">Hancitor<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Hancitor<\/strong> is a <strong><em>loader<\/em><\/strong>, that is, malware whose task is to download (or extract) and execute a second piece of malware that takes control of the machine. 
In the case of Hancitor, multiple research teams have identified <strong><em>FickerStealer<\/em><\/strong>, <strong><em>Sendsafe<\/em><\/strong>, and <strong><em>Cobalt Strike<\/em><\/strong> <strong><em>Beacons<\/em><\/strong> as <em>payloads<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malware arrives as Word documents or Excel worksheets that contain a <strong>DLL<\/strong> file together with the macros needed to extract it and execute it through the Microsoft <strong>RunDll32.exe<\/strong> program.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-fickerstealer\">FickerStealer<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>FickerStealer<\/strong> is a <strong>Malware-as-a-Service (MaaS)<\/strong>. This type of malware is offered to criminal groups affiliated with the developer group, who pay an access fee for (time-limited) use of the malware.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the case of <strong>FickerStealer<\/strong>, the product was advertised on Russian forums in the second half of 2020, and dedicated support channels for its use were opened on Telegram. 
Specifically, as observed by CERT-AGID, prices range from $90 for one week up to $900 for six months of activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malware belongs to the <strong><em>Info-Stealer<\/em><\/strong> family and was designed to steal credentials and sensitive data present in the operating system, installed browsers, and other software such as WinSCP, FileZilla, Steam, Discord, and Thunderbird.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Additionally, FickerStealer enumerates crypto-wallets present in the <strong><em>C:\\Users\\&lt;Username&gt;\\AppData\\Roaming<\/em><\/strong> folder of the system and does not execute if the system language is one of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ru-RU (Russia)<\/li>\n\n\n\n<li>be-BY (Belarus)<\/li>\n\n\n\n<li>uz-UZ (Uzbekistan)<\/li>\n\n\n\n<li>ua-UA (Ukraine)<\/li>\n\n\n\n<li>hy-AM (Armenia)<\/li>\n\n\n\n<li>kk-KZ (Kazakhstan)<\/li>\n\n\n\n<li>az-AZ (Azerbaijan)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-analisi-statica\">Static Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-file-dll\">DLL File<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-tag\">Tags<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#0da5e6\" class=\"tadv-background-color\">  FickerStealer  <\/span>  <\/span> <span style=\"background-color:#a30018\" class=\"tadv-background-color\"><span style=\"color:#ffffff\" class=\"tadv-color\"> Hancitor  <\/span><\/span><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-dettagli\">Details<\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td>md5<\/td><td>52DED1336D56FBA0AE37CEEE4F985153<\/td><\/tr><tr><td>sha1<\/td><td>E100B3D171D68FA4EFBC0AEEBB301C9FFBD7735D<\/td><\/tr><tr><td>sha256<\/td><td>385FC925B1AAF4B86AEAB9C368B6A101AB338B73D166CC7454162924A3B1D40E<\/td><\/tr><tr><td>File Size<\/td><td>249 856 
bytes<\/td><\/tr><tr><td>Entropy<\/td><td>4.317<\/td><\/tr><tr><td>VirusTotal<\/td><td>Score: 35\/62<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-descrizione\">Description<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">DLL file extracted from the malicious XLS document. Its function consists of launching the FickerStealer malware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-indicatori-di-compromissione\">Indicators of Compromise<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The following <strong>Indicators of Compromise<\/strong> have been provided by CERT-AGID. Tracking such indicators through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> platforms enables rapid detection and response to related intrusion attempts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-md5\">MD5<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>4fcb584cd86c3a04b7e3357922204cb5<\/li>\n\n\n\n<li>338378927b00cbe6aa8c6620057755f9<\/li>\n\n\n\n<li>24190cd699631d16521dfb588b2571a3<\/li>\n\n\n\n<li>270c3859591599642bd15167765246e3<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sha1\">SHA1<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>e227a8a338166dc97e360ca9cddda5e007079c58<\/li>\n\n\n\n<li>3fd7b142d7e0dc0ae8350197585c2d0744027c1c<\/li>\n\n\n\n<li>546a86929e82babd0ee6f970d7729e3bf6a14698<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sha256\">SHA256<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6<\/li>\n\n\n\n<li>e746a6d562555f4d2f840727c9a9f8967dddcf100bd8d5f48a6209b76dd43375<\/li>\n\n\n\n<li>fe62ee36d2ee6bedf3181beb5880115696396a51fe65870ade1a0af60a22f128<\/li>\n\n\n\n<li>dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The convergence of commodity loaders such as Hancitor with MaaS-distributed info-stealers demonstrates the operational efficiency of modular malware distribution chains. 
Organizations must maintain continuous monitoring of macro-enabled document delivery and enforce application whitelisting to disrupt T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell) attack patterns at the delivery stage.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FickerStealer malspam wave: lure templates, document-based delivery, info-stealing capabilities and host-level indicators for endpoint detection.<\/p>\n","protected":false},"author":1,"featured_media":7097,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[2728,3212,3213,211,3214],"class_list":["post-2972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-fickerstealer","tag-information-stealer","tag-macro-based-delivery","tag-malspam","tag-t1566-001"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2972"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2972\/revisions"}],"predecessor-version":[{"id":9872,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2972\/revisions\/9872"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/7097"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}