Threat actors are using the Malware-as-a-Service (MaaS) model to attack Windows users, according to researchers. The new info-stealer malware “Ficker” was discovered and is being disseminated via a Russian underground forum by threat actors. FickerStealer is a family of data-stealing malware that first appeared in the year 2020. It can steal sensitive data such as passwords, online browser passwords, cryptocurrency wallets, FTP client information, Windows Credential Manager information, and session information from various chat and email clients.
Unlike in the past, when Ficker was spread via Trojanized web links and hacked websites, causing victims to unintentionally download the payload, the current outbreak is stealthy and uses the well-known malware downloader Hancitor to spread.
Hancitor (also known as Chanitor) malware first appeared in the wild in 2013, relying on social engineering techniques such as posing as DocuSign, a genuine document signing service. This malware tricked users into allowing its harmful macro code to run, allowing it to infect the victim's computer. Hancitor will attempt to download a wide range of additional harmful components after connecting to its command-and-control (C2) infrastructure, depending on its operators' most recent malicious campaign.
The attack begins with the attackers sending malicious spam emails with a weaponized Microsoft Word document attached, which is fully phoney yet masquerades as the real thing. Spam email content entices victims to open it, resulting in the execution of malicious macro code that allows Hancitor to communicate with the command and control server and get a malicious URL containing a Ficker sample.
It employs the evasion approach to avoid detection by injecting Ficker into an instance of svchost.exe on the victim's PC and concealing its activity. Threat actors routinely utilize svchost.exe to hide malware in the system process and avoid detection by typical antivirus software.
Researchers also discovered that Ficker is heavily obfuscated, preventing it to execute in a virtual environment by employing multiple analysis checks. Malware authors also included an execution feature in the malware, preventing it from being executed in certain countries such as Russia, Uzbekistan, Belarus, Armenia, Kazakhstan, and Azerbaijan.
According to the Blackberry report, “The malware also has screen-grab abilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established.”