{"id":7099,"date":"2023-09-20T08:34:09","date_gmt":"2023-09-20T08:34:09","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=7099"},"modified":"2023-12-15T14:57:16","modified_gmt":"2023-12-15T14:57:16","slug":"new-malspam-campaign-to-deploy-fickerstealer-malware","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/cyber-security-news\/new-malspam-campaign-to-deploy-fickerstealer-malware\/","title":{"rendered":"New Malspam campaign to deploy FickerStealer Malware"},"content":{"rendered":"\n

Over the last week (26th of July 2021), CERT-AGID observed a malspam<\/strong> campaign whose intent was to spread the FickerStealer malware<\/strong> via the Hancitor loader<\/strong> to steal the credentials present on the victim’s machine. The emails, themed “Pagamenti<\/strong>“, contained an attached Word<\/strong> or Excel<\/strong> document, within which macros were recorded for downloading and executing the malware.<\/p>\n\n\n\n

Hancitor<\/h2>\n\n\n\n

Hancitor<\/strong> is a loader<\/strong>, that is, malware whose task is to download (or extract) and execute a second malware to control the machine. In the case of Hancitor, several research teams have identified FickerStealer, Sendsafe, <\/strong>and Cobalt Strike<\/strong> Beacons<\/strong> as payloads<\/em>.<\/p>\n\n\n\n

The malware is detected in the form of Word documents or Excel spreadsheets containing a DLL file and the macros necessary for its extraction and execution via the Microsoft RunDll32.exe program.<\/p>\n\n\n\n

FickerStealer<\/h2>\n\n\n\n

FickerStealer <\/strong>is a Malware-as-a-Service (MaaS)<\/strong>. This type of malware is offered to criminal groups affiliated with the developers’ group and requires the payment of an access fee for the (time-limited) use of the malware.<\/p>\n\n\n\n

In the case of FickerStealer<\/strong>, the product was advertised on Russian forums in the second half of 2020 and channels dedicated to supporting its use on Telegram were opened. Specifically, as observed by CERT-AGID, prices vary from $90 for a week up to $900 for six months of activity.<\/p>\n\n\n\n

The malware is part of the Info-Stealer<\/strong> family and was designed to steal credentials and sensitive data present in the operating system, installed browsers and other software such as WinSCP, FileZilla, Steam, Discord and ThunderBird.<\/p>\n\n\n\n

In addition, FickerStealer enumerates the crypto-wallets present in the system’s C:\\Users\\<UserName>\\AppData\\Roaming<\/strong> folder and does not run if the system language is one of the following:<\/p>\n\n\n\n

    \n
  • ru-RU (Russia)<\/li>\n\n\n\n
  • be-BY (Bielorussia)<\/li>\n\n\n\n
  • uz-UZ (Uzbekistan)<\/li>\n\n\n\n
  • ua-UA (Ucraina)<\/li>\n\n\n\n
  • hy-AM (Armenia)<\/li>\n\n\n\n
  • kk-KZ (Kazakistan)<\/li>\n\n\n\n
  • az-AZ (Azerbaigian)<\/li>\n<\/ul>\n\n\n\n

    Static Analysis<\/h2>\n\n\n\n

    DLL File<\/h3>\n\n\n\n

    Tag<\/h4>\n\n\n\n

    FickerStealer Hancitor<\/strong><\/p>\n\n\n\n

    Details<\/h4>\n\n\n\n
    md5<\/td>52DED1336D56FBA0AE37CEEE4F985153<\/td><\/tr>
    sha1<\/td>E100B3D171D68FA4EFBC0AEEBB301C9FFBD7735D<\/td><\/tr>
    sha256<\/td>385FC925B1AAF4B86AEAB9C368B6A101AB338B73D166CC7454162924A3B1D40E<\/td><\/tr>
    File Size<\/td>249856 bytes<\/td><\/tr>
    Entropy<\/td>4.317<\/td><\/tr>
    VirusTotal<\/td>Score: 35\/62<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Description<\/h4>\n\n\n\n

    Di seguito vengono elencati gli Indicatori di Compromissione<\/strong> messi a disposizione dal CERT-AGID.<\/p>\n\n\n\n

    MD5<\/h3>\n\n\n\n
      \n
    • 4fcb584cd86c3a04b7e3357922204cb5<\/li>\n\n\n\n
    • 338378927b00cbe6aa8c6620057755f9<\/li>\n\n\n\n
    • 24190cd699631d16521dfb588b2571a3<\/li>\n\n\n\n
    • 270c3859591599642bd15167765246e3<\/li>\n<\/ul>\n\n\n\n

      Sha1<\/h3>\n\n\n\n
        \n
      • e227a8a338166dc97e360ca9cddda5e007079c58<\/li>\n\n\n\n
      • 3fd7b142d7e0dc0ae8350197585c2d0744027c1c<\/li>\n\n\n\n
      • 546a86929e82babd0ee6f970d7729e3bf6a14698<\/li>\n<\/ul>\n\n\n\n

        Sha256<\/h3>\n\n\n\n
          \n
        • 99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6 <\/li>\n\n\n\n
        • e746a6d562555f4d2f840727c9a9f8967dddcf100bd8d5f48a6209b76dd43375 <\/li>\n\n\n\n
        • fe62ee36d2ee6bedf3181beb5880115696396a51fe65870ade1a0af60a22f128 <\/li>\n\n\n\n
        • dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019<\/li>\n<\/ul>\n\n\n\n

          Domains<\/h3>\n\n\n\n
            \n
          • anithedtatione[.]ru<\/li>\n\n\n\n
          • falan4zadron[.]ru<\/li>\n\n\n\n
          • pospvisis[.]com<\/li>\n\n\n\n
          • bahujansangam[.]org<\/li>\n\n\n\n
          • feedproxy[.]google[.]com<\/li>\n\n\n\n
          • wiltuslads[.]ru<\/li>\n\n\n\n
          • feedproxy[.]google[.]com<\/li>\n\n\n\n
          • feedproxy[.]google[.]com<\/li>\n\n\n\n
          • thervidolown[.]com<\/li>\n\n\n\n
          • feedproxy[.]google[.]com<\/li>\n<\/ul>\n\n\n\n

            URL<\/h3>\n\n\n\n
              \n
            • hxxp:\/\/anithedtatione[.]ru\/8\/forum[.]php<\/li>\n\n\n\n
            • hxxp:\/\/falan4zadron[.]ru\/7hsjfd9w4refsd[.]exe<\/li>\n\n\n\n
            • hxxp:\/\/pospvisis[.]com<\/li>\n\n\n\n
            • hxxps:\/\/bahujansangam[.]org\/insaneity[.]php<\/li>\n\n\n\n
            • hxxp:\/\/feedproxy[.]google[.]com\/~r\/niqab\/~3\/SvG763Rcjf8\/contagion[.]php<\/li>\n\n\n\n
            • hxxp:\/\/wiltuslads[.]ru\/8\/forum[.]php<\/li>\n\n\n\n
            • hxxp:\/\/feedproxy[.]google[.]com\/~r\/ddebvhnpl\/~3\/r564Ba1JvaM\/haggle[.]php<\/li>\n\n\n\n
            • hxxp:\/\/feedproxy[.]google[.]com\/~r\/hvkrnawm\/~3\/A_mGDDju4y8\/insaneity[.]php<\/li>\n\n\n\n
            • hxxp:\/\/thervidolown[.]com\/8\/forum[.]php<\/li>\n\n\n\n
            • hxxp:\/\/feedproxy[.]google[.]com\/~r\/xrhjqrnh\/~3\/QrS209hUWag\/hoping[.]php<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

              Over the last week (26th of July 2021), CERT-AGID observed a malspam campaign whose intent was to spread the FickerStealer malware via the Hancitor loader to steal the credentials present on the victim’s machine. The emails, themed “Pagamenti“, contained an attached Word or Excel document, within which macros were recorded for downloading and executing the […]<\/p>\n","protected":false},"author":12,"featured_media":8382,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[2728,213],"class_list":["post-7099","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-news","tag-fickerstealer","tag-malware-analysis"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=7099"}],"version-history":[{"count":4,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7099\/revisions"}],"predecessor-version":[{"id":8383,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/7099\/revisions\/8383"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/8382"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=7099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=7099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=7099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}