
Minerva Vs FickerStealer

FickerStealer is a MaaS (Malware as a Service) stealer sold on hacking forums. Its main goal is to steal sensitive information cached by the user, specifically browser passwords, and send it back to the malware's operator. In Minerva's lab environment we even saw Ficker downloading Kronos RAT, making this threat more dangerous than it initially seems.

The packer employed by this particular sample is the same one used by a SmokeLoader sample detailed in this great blog. As described there, the malware decrypts the final payload in memory and then spawns another instance of itself, into which the decrypted payload is injected.

The icon used by the packer, shared by both SmokeLoader and FickerStealer:

A unique evasive technique observed in the sample is the creation of multiple mutexes in a loop to confuse analysts, thus complicating the process of determining the infection marker used by the malware.

The following mutexes are created:

  • hrth
  • o;jtfytyjftyjftyjftyj;ijo;
  • ijlhlkwaftyjftyjftjftyh;joi;i
  • ah;waeh;jftyjftyjfiftfdgaf
  • hotyjftyj;afdh
  • whftyjftyjftyjtfyjtfyjtfyj;ijo;h
  • whoareyoutellmeandilltellwhoyou

Only the last of these affects the malware's execution flow: if it already exists, the malware terminates.

Another interesting feature of FickerStealer is that it will not execute on computers with certain locales, a common behavior in Russian-developed malware that avoids government attention by not infecting domestically. The malware calls GetUserDefaultLocaleName to determine the locale of the computer, and will not execute if one of the following locale codes is returned:

  • ru-RU (Russia)
  • uz-UZ (Uzbekistan)
  • ua-UA (Ukraine)
  • hy-AM (Armenia)
  • kk-KZ (Kazakhstan)
  • az-AZ (Azerbaijan)
  • be-BY (Belarus)

The locale API call:

The malware uses the service ipify.org to obtain the external IP address of the device it is infecting: it calls URLDownloadToFile to fetch the response from the web service and saves it to the file C:\ProgramData\kaosdma.txt.

Minerva prevents FickerStealer with our Memory Injection Prevention module:

IOCs:

Hashes:

  • 1b0d0f003df8be87a301f86b808fec6dde0a17e408c7ffc2a40a66e11e949f50 (packed FickerStealer)
  • 14f74dc3f634c5e7a4cfd2976bf131c70ec75a22ca1fc38cac4c15972f6007fd (unpacked FickerStealer)
  • 4f76b649cf7d0b4e22a7b42f19740bc3f28393acbf0c5d5abdbc82c8afbc0593 (Kronos binary)

Files:

  • C:\ProgramData\kaosdma.txt

DNS:

  • mobilesuit[.]top:80

Mutexes:

  • hrth
  • o;jtfytyjftyjftyjftyj;ijo;
  • ijlhlkwaftyjftyjftjftyh;joi;i
  • ah;waeh;jftyjftyjfiftfdgaf
  • hotyjftyj;afdh
  • whftyjftyjftyjtfyjtfyjtfyj;ijo;h
  • whoareyoutellmeandilltellwhoyou
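As an added triage example (not Minerva's code and not part of the original post): a Python script that scans constructed Sysmon-style log lines for the file, domain and hash indicators listed above and, on Windows, holds the one mutex whose presence makes the sample terminate. The log lines, the Image paths and the session-local mutex namespace are assumptions, not facts from the post.

```python
import sys

# Indicators copied from the IOC list on this page.
HASHES = {
    "1b0d0f003df8be87a301f86b808fec6dde0a17e408c7ffc2a40a66e11e949f50": "packed FickerStealer",
    "14f74dc3f634c5e7a4cfd2976bf131c70ec75a22ca1fc38cac4c15972f6007fd": "unpacked FickerStealer",
    "4f76b649cf7d0b4e22a7b42f19740bc3f28393acbf0c5d5abdbc82c8afbc0593": "Kronos binary",
}
DROP_FILE = r"c:\programdata\kaosdma.txt"  # where the external IP fetched from ipify.org is written
C2_DOMAIN = "mobilesuit.top"
KILL_MUTEX = "whoareyoutellmeandilltellwhoyou"  # the one mutex whose presence makes the sample exit

# Constructed Sysmon-style lines, not real telemetry. Line 2 (the ipify lookup on its
# own) is a legitimate service and is deliberately not flagged.
SAMPLE_LOG = [
    r"FileCreate Image=C:\Users\bob\AppData\Local\Temp\x.exe TargetFilename=C:\ProgramData\kaosdma.txt",
    r"DnsQuery Image=C:\Users\bob\AppData\Local\Temp\x.exe QueryName=ipify.org",
    r"DnsQuery Image=C:\Users\bob\AppData\Local\Temp\x.exe QueryName=mobilesuit.top",
    r"ProcessCreate Hashes=SHA256=4F76B649CF7D0B4E22A7B42F19740BC3F28393ACBF0C5D5ABDBC82C8AFBC0593",
]


def match_iocs(lines):
    """Return (line_number, reason) for every log line carrying one of the IOCs."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()  # paths, domains and hex digests are compared case-insensitively
        if DROP_FILE in low:
            hits.append((n, "drop file"))
        elif C2_DOMAIN in low:
            hits.append((n, "C2 domain"))
        else:
            for digest, name in HASHES.items():
                if digest in low:
                    hits.append((n, name))
    return hits


def vaccinate():
    """Hold the terminating mutex (Windows only) so a later FickerStealer launch exits.
    Returns the handle, to keep referenced for the process lifetime, or None elsewhere.
    Assumes a session-local name (no "Global\\" prefix); the page does not say."""
    if sys.platform != "win32":
        return None
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    handle = kernel32.CreateMutexW(None, False, KILL_MUTEX)
    if ctypes.get_last_error() == 183:  # ERROR_ALREADY_EXISTS: something already holds the name
        print("mutex already present: the host may already be infected")
    return handle
```

Run the scanner over exported Sysmon or EDR lines; a hit on the drop file or the C2 domain is a stronger signal than the ipify lookup alone, which many legitimate tools also perform.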
