Malware/Ransomware/Spyware/Threat details

Name:                         Ficker Infostealer Malware

Description:               FickerStealer is a family of information-stealing malware that emerged in 2020. Ficker is written in Rust and ships with built-in capabilities for stealing sensitive information: web browser passwords, cryptocurrency wallets, FTP client information, credentials stored by Windows Credential Manager, and session information from various chat and email clients. Earlier campaigns distributed Ficker through Trojanized web links and compromised websites from which victims unknowingly downloaded the payload; the current infections are stealthier and are deployed by the known malware downloader Hancitor. Another notable feature of Ficker is that the stolen data is decrypted server-side rather than on the victim's machine, which gives the operators tight control over who is able to use the malware.

Reference URL:         

  • https://attack.mitre.org/
  • https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware

ATT&CK TECHNIQUES

T1001 – Data Obfuscation, T1071 – Application Layer Protocol, T1503 – Credentials from Web Browsers (deprecated ID, now T1555.003), T1081 – Credentials in Files (deprecated ID, now T1552.001), T1586.002 – Compromise Accounts: Email Accounts, T1057 – Process Discovery

IOCs URL/DOMAIN/HASH VALUE:

  • pirocont70l.ru
  • min0sra.ru
  • functionalrejh.com
  • 4a5ikol.ru

IP ADDRESSES TO SEARCH (SPECIFIC):

HASH VALUES TO BLOCK:
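The following script matches proxy and DNS resolver log lines against the C2 domains listed in the IOC section above. It is an added example for this page, not code from the original advisory or from BlackBerry; the domains are the ones on this page, and the log lines in SAMPLE_LOGS are constructed for illustration. It matches on label boundaries so that subdomains of an IOC are caught while look-alike hosts that merely contain an IOC as a substring are not.

```python
"""Match proxy/DNS log lines against the FickerStealer C2 domains listed above.

Added example for this page, not code from the original advisory or from
BlackBerry. The IOC domains are the ones listed in this document; the log
lines in SAMPLE_LOGS are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Domains listed in the IOC section of this page.
FICKER_DOMAINS = {
    "pirocont70l.ru",
    "min0sra.ru",
    "functionalrejh.com",
    "4a5ikol.ru",
}

# Constructed sample log lines (proxy and DNS resolver style), not real traffic.
SAMPLE_LOGS = [
    "2021-08-05T10:01:02Z 10.0.0.15 GET http://pirocont70l.ru/ 200",
    "2021-08-05T10:01:05Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2021-08-05T10:02:11Z 10.0.0.22 DNS A cdn.min0sra.ru",
    "2021-08-05T10:02:30Z 10.0.0.22 DNS A functionalrejh.com.evil-lookalike.net",
    "2021-08-05T10:03:00Z 10.0.0.31 GET http://4a5ikol.ru:8080/gate.php 404",
]

# Anything that looks like a dotted hostname; schemes, ports and paths are
# excluded because ':' and '/' are not in the character class.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def matches_ioc(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries: "cdn.min0sra.ru" matches
    "min0sra.ru", but "functionalrejh.com.evil-lookalike.net" does not match
    "functionalrejh.com", which a plain substring search would wrongly flag.
    """
    host = host.lower().rstrip(".")
    for domain in FICKER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, host, matched_ioc) for every IOC hit in `lines`."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            ioc = matches_ioc(host)
            if ioc is not None:
                hits.append((lineno, host.lower(), ioc))
    return hits


if __name__ == "__main__":
    for lineno, host, ioc in scan_lines(SAMPLE_LOGS):
        print(f"line {lineno}: {host} -> IOC {ioc}")
```

On the constructed sample, lines 1, 3 and 5 are reported and line 4 (the look-alike host) is not; feed real proxy or resolver logs to scan_lines to search for the same domains.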

YARA RULES

The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:

import "pe"

rule Mal_Infostealer_Win32_Ficker_Stealer
{
  meta:
    description = "Yara rule to detect Ficker Stealer"
    author = "Blackberry Threat Research Team"
    date = "04-08-2021"

  strings:
    $x1 = "kindmessage"
    $x2 = "SomeNone"
    $x3 = ".Kind"

  condition:
    // PE file (MZ magic)
    uint16(0) == 0x5A4D and
    // Must have the following sections in the following order
    pe.section_index(".text") == 0 and
    pe.section_index(".data") == 1 and
    pe.section_index(".rdata") == 2 and
    pe.section_index("/4") == 3 and
    pe.section_index(".bss") == 4 and
    pe.section_index(".idata") == 5 and
    pe.section_index(".CRT") == 6 and
    pe.section_index(".tls") == 7 and
    // Must be smaller than 300 KB
    filesize < 300KB and
    // At least two of the $x strings must be present
    (2 of ($x*))
}
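The pure-Python checker below mirrors the conditions of the rule above, so that each clause can be seen in terms of the PE structures it tests: the MZ magic, the section order read from the COFF section table (a name such as "/4" is a COFF string-table reference, which is how GNU ld stores section names longer than eight characters), the 300 KB size limit, and the count of matched strings. It is an added example for this page, not code from the advisory or from BlackBerry's tooling, and it is a triage aid rather than a replacement for running the rule in YARA. The PE images it checks are synthetic, built in memory by build_pe(), and the optional header size it uses is a placeholder.

```python
"""Pure-Python check that mirrors the conditions of the BlackBerry YARA rule above.

Added example for this page, not code from the original advisory or from
BlackBerry's tooling. Shows what each rule condition tests (MZ magic, section
order via the PE section table, file size, string count). Triage aid only;
run the real rule with YARA for detection. Sample files are synthetic.
"""
import struct
from typing import List

# Section order the rule requires: pe.section_index(name) == 0 .. 7.
EXPECTED_SECTIONS = [".text", ".data", ".rdata", "/4", ".bss", ".idata", ".CRT", ".tls"]
# The $x strings; the rule needs at least two of them.
RULE_STRINGS = [b"kindmessage", b"SomeNone", b".Kind"]
MAX_SIZE = 300 * 1024          # YARA's "300KB" (1 KB = 1024 bytes)
OPT_HEADER_SIZE = 0xE0         # placeholder PE32 optional header size for build_pe()


def section_names(data: bytes) -> List[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # uint16(0) == 0x5A4D
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                    # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def matches_ficker_rule(data: bytes) -> bool:
    """True when `data` satisfies every condition of the rule."""
    if section_names(data)[:8] != EXPECTED_SECTIONS:    # pe.section_index(...) == 0..7
        return False
    if len(data) >= MAX_SIZE:                           # filesize < 300KB
        return False
    return sum(1 for s in RULE_STRINGS if s in data) >= 2   # 2 of ($x*)


def build_pe(sections: List[str], payload: bytes) -> bytes:
    """Build a minimal, non-executable PE image with the given section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x102)
    headers = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(32) for name in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(OPT_HEADER_SIZE) + headers + payload


# Synthetic samples: one that satisfies the rule and three that each fail one clause.
SAMPLE_HIT = build_pe(EXPECTED_SECTIONS, b"\0" * 64 + b"kindmessage\0SomeNone\0")
SAMPLE_ONE_STRING = build_pe(EXPECTED_SECTIONS, b"kindmessage\0")
SAMPLE_WRONG_ORDER = build_pe(
    [".text", ".rdata", ".data", "/4", ".bss", ".idata", ".CRT", ".tls"],
    b"kindmessage SomeNone .Kind",
)
SAMPLE_TOO_BIG = build_pe(EXPECTED_SECTIONS, b"kindmessage SomeNone" + b"\0" * MAX_SIZE)

if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("one string", SAMPLE_ONE_STRING),
                          ("wrong order", SAMPLE_WRONG_ORDER), ("too big", SAMPLE_TOO_BIG)]:
        print(f"{label}: {matches_ficker_rule(sample)}")
```

Only SAMPLE_HIT matches; the other three each violate exactly one clause (string count, section order, size), which is a useful way to see which condition a near-miss sample trips on before adjusting a rule.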