FickerStealer is a MaaS (Malware as a Service) stealer that is sold on hacking forums. Its main goal is to steal sensitive information cached by the user – specifically browser passwords –  and send it back to the virus’ owner. In Minerva’s lab environment we even saw Ficker downloading Kronos RAT, making this threat more dangerous than it initially seems.

The packer employed by this particular sample is the same one that was used by a SmokeLoader sample detailed in this great blog. As detailed in the article, the malware will decrypt the final payload in-memory and then spawn another instance of itself, which will be injected with the decrypted payload.

The icon used by the packer, shared by both SmokeLoader and FickerStealer:

A unique evasive technique observed in the sample is the creation of multiple mutexes in a loop to confuse analysts, thus complicating the process of determining the infection marker used by the malware.

The following mutexes are created:

  • hrth
  • o;jtfytyjftyjftyjftyj;ijo;
  • ijlhlkwaftyjftyjftjftyh;joi;i
  • ah;waeh;jftyjftyjfiftfdgaf
  • hotyjftyj;afdh
  • whftyjftyjftyjtfyjtfyjtfyj;ijo;h
  • whoareyoutellmeandilltellwhoyou

Only the latter affects the malware’s execution flow, as its existence will cause the malware to terminate.

Another interesting feature of FickerStealer, it will not execute on computers with certain locales, a common behavior in Russian developed malware who want to avoid government attention by not infecting domestically. The malware uses the function GetUserDefaultLocaleName to determine the locale of the computer, and will not execute if the following country codes are found:

ru-RURussia
uz-UZUzbekistan
ua-UAUkraine
hy-AMArmenia
kk-KZKazakhstan
az-AZAzerbaijan
be-BYBelarus

 

The locale API call:

The malware uses the service ipify.org to get the external IP address of the device it is infecting, using the function URLDownloadToFile it downloads this information from the web service and saves it to the file C:\ProgramData\kaosdma.txt.

Minerva prevents FickerStealer with our Memory Injection Prevention module:

IOCs:

Hashes:

1b0d0f003df8be87a301f86b808fec6dde0a17e408c7ffc2a40a66e11e949f50 (packed FickerStealer)

14f74dc3f634c5e7a4cfd2976bf131c70ec75a22ca1fc38cac4c15972f6007fd (unpacked FickerStealer)

4f76b649cf7d0b4e22a7b42f19740bc3f28393acbf0c5d5abdbc82c8afbc0593 (Kronos binary)

Files:

C:\ProgramData\kaosdma.txt

DNS:

mobilesuit[.]top:80

Mutexes:

hrth

o;jtfytyjftyjftyjftyj;ijo;

ijlhlkwaftyjftyjftjftyh;joi;i

ah;waeh;jftyjftyjfiftfdgaf

hotyjftyj;afdh

whftyjftyjftyjtfyjtfyjtfyj;ijo;h

whoareyoutellmeandilltellwhoyou