win.fickerstealer (Back to overview)

Ficker Stealer


According to CyberArk, this malware is used to steal sensitive information — login credentials, credit-card data, cryptocurrency wallets and browser data — from applications such as WinSCP, Discord, Google Chrome and Electrum. CyberArk's write-up (linked below, which also identifies the family as written in Rust) describes it as taking a different approach from other stealers; the details are covered there rather than on this page. Additionally, FickerStealer can function as a file grabber, collecting additional files from the compromised machine, and as a downloader that retrieves and executes second-stage payloads.

References
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-08-12BlackberryBlackBerry Research & Intelligence Team
@online{team:20210812:threat:254ba6c, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Ficker Infostealer Malware}}, date = {2021-08-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware}, language = {English}, urldate = {2021-08-17} } Threat Thursday: Ficker Infostealer Malware
Ficker Stealer
2021-07-19CyberArkBen Cohen
@online{cohen:20210719:fickerstealer:6d57700, author = {Ben Cohen}, title = {{FickerStealer: A New Rust Player in the Market}}, date = {2021-07-19}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market}, language = {English}, urldate = {2021-07-26} } FickerStealer: A New Rust Player in the Market
Ficker Stealer
2021-06-17Binary DefenseBrandon George
@online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-04-22SpamhausSpamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-20Bleeping ComputerLawrence Abrams
@online{abrams:20210420:fake:fca82a4, author = {Lawrence Abrams}, title = {{Fake Microsoft Store, Spotify sites spread info-stealing malware}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/}, language = {English}, urldate = {2021-06-16} } Fake Microsoft Store, Spotify sites spread info-stealing malware
Ficker Stealer
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-10-27Twitter (@3xp0rtblog)3xp0rt
@online{3xp0rt:20201027:ficker:b890340, author = {3xp0rt}, title = {{Tweet on Ficker Stealer}}, date = {2020-10-27}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1321209656774135810}, language = {English}, urldate = {2021-12-17} } Tweet on Ficker Stealer
Ficker Stealer
Yara Rules
[TLP:WHITE] win_fickerstealer_auto (20230715 | Detects win.fickerstealer.)
rule win_fickerstealer_auto {

    /* Purpose: auto-generated code-sequence signature for win.fickerstealer.
     * Each $sequence_N below is a run of seven 32-bit x86 instructions lifted
     * from unpacked code; e8???????? wildcards the rel32 operand of a call so
     * relocation does not break the match.
     * Because the byte patterns come from memory dumps / unpacked files (see
     * the DISCLAIMER below), packed or obfuscated on-disk samples are not
     * expected to match -- scan unpacked files or memory dumps.
     * Several sequences look like compiler/runtime boilerplate rather than
     * family-specific logic (flagged inline); the 7-of-10 threshold in the
     * condition is what gives the rule its specificity, so lower it with care.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.fickerstealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-frame setup storing three values into a struct at [edi];
        // the large negative ebp offsets indicate a big local frame.
        $sequence_0 = { bb80000000 899568fdffff 898d58fdffff 8937 8db184000000 894704 895f08 }
            // n = 7, score = 200
            //   bb80000000           | mov                 ebx, 0x80
            //   899568fdffff         | mov                 dword ptr [ebp - 0x298], edx
            //   898d58fdffff         | mov                 dword ptr [ebp - 0x2a8], ecx
            //   8937                 | mov                 dword ptr [edi], esi
            //   8db184000000         | lea                 esi, [ecx + 0x84]
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   895f08               | mov                 dword ptr [edi + 8], ebx

        // Two 64-bit SSE stores (movsd) into [eax], then a call with eax = 3
        // as argument; the push 3 / pop eax idiom is a size-optimised mov.
        $sequence_1 = { f20f114808 f20f1100 8d4dd4 6a03 58 50 e8???????? }
            // n = 7, score = 200
            //   f20f114808           | movsd               qword ptr [eax + 8], xmm1
            //   f20f1100             | movsd               qword ptr [eax], xmm0
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   6a03                 | push                3
            //   58                   | pop                 eax
            //   50                   | push                eax
            //   e8????????           |                     

        // Function epilogue followed by two ud2 traps. NOTE(review): ud2
        // padding after ret looks like compiler-emitted unreachable/trap code
        // rather than family logic -- weak as a stand-alone indicator.
        $sequence_2 = { ff7508 e8???????? 83c410 5d c3 0f0b 0f0b }
            // n = 7, score = 200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   0f0b                 | ud2                 
            //   0f0b                 | ud2                 

        // The constants 0x3f, 0x80, 0xe0 together with a shift by 6 are the
        // masks of a 3-byte UTF-8 encoder. NOTE(review): this is likely
        // runtime-library (string encoding) code shared with unrelated
        // binaries of the same toolchain -- confirm before relying on it.
        $sequence_3 = { b33f b780 80cae0 8810 89ca 20d9 c1ea06 }
            // n = 7, score = 200
            //   b33f                 | mov                 bl, 0x3f
            //   b780                 | mov                 bh, 0x80
            //   80cae0               | or                  dl, 0xe0
            //   8810                 | mov                 byte ptr [eax], dl
            //   89ca                 | mov                 edx, ecx
            //   20d9                 | and                 cl, bl
            //   c1ea06               | shr                 edx, 6

        // Block copy (rep movsd) between two stack buffers, then a call with
        // their addresses in ecx/edx (register-passed arguments).
        $sequence_4 = { f3a5 8db550feffff 8dbdd0feffff 89f1 89fa 53 e8???????? }
            // n = 7, score = 200
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8db550feffff         | lea                 esi, [ebp - 0x1b0]
            //   8dbdd0feffff         | lea                 edi, [ebp - 0x130]
            //   89f1                 | mov                 ecx, esi
            //   89fa                 | mov                 edx, edi
            //   53                   | push                ebx
            //   e8????????           |                     

        // Conditional select (cmovae) resetting edi to 0 -- a branchless
        // clamp/saturation pattern; `neg ch` is an unusual byte-level op.
        $sequence_5 = { be00000000 897dd8 8b7ddc 0f43fe f6dd 89de 897ddc }
            // n = 7, score = 200
            //   be00000000           | mov                 esi, 0
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   0f43fe               | cmovae              edi, esi
            //   f6dd                 | neg                 ch
            //   89de                 | mov                 esi, ebx
            //   897ddc               | mov                 dword ptr [ebp - 0x24], edi

        // Four arguments pushed before a call: 0x80000002 is the
        // HKEY_LOCAL_MACHINE predefined key handle, so this is consistent
        // with a registry-open API (e.g. RegOpenKeyEx, where 0x101 would be
        // KEY_QUERY_VALUE | KEY_WOW64_64KEY). NOTE(review): the callee is
        // wildcarded -- confirm against a sample before documenting it as
        // registry access.
        $sequence_6 = { 6801010000 6a00 50 6802000080 e8???????? 89f9 89c3 }
            // n = 7, score = 200
            //   6801010000           | push                0x101
            //   6a00                 | push                0
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   89f9                 | mov                 ecx, edi
            //   89c3                 | mov                 ebx, eax

        // Two calls, then a tag/flag of 1 written at [edi+0x10] and a pair of
        // double-precision values copied from locals into [esi+0x10].
        $sequence_7 = { e8???????? 89d9 e8???????? c7471001000000 f20f1045e8 f20f114610 f20f1045d8 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   c7471001000000       | mov                 dword ptr [edi + 0x10], 1
            //   f20f1045e8           | movsd               xmm0, qword ptr [ebp - 0x18]
            //   f20f114610           | movsd               qword ptr [esi + 0x10], xmm0
            //   f20f1045d8           | movsd               xmm0, qword ptr [ebp - 0x28]

        // Struct field writes at +0x1c / +0x24 with a backward je (loop
        // re-entry at a negative rel32); the je displacement is fixed, so
        // this sequence is sensitive to code layout changes between builds.
        $sequence_8 = { 8b55e0 8b4de4 894a1c 0f845fffffff 83622400 8b4de4 c745dc00000000 }
            // n = 7, score = 200
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   894a1c               | mov                 dword ptr [edx + 0x1c], ecx
            //   0f845fffffff         | je                  0xffffff65
            //   83622400             | and                 dword ptr [edx + 0x24], 0
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   c745dc00000000       | mov                 dword ptr [ebp - 0x24], 0

        // Three-argument cdecl call (esp restored by 0xc) with a size of
        // 0x24c (588) bytes and a stack-buffer address -- shaped like a
        // memcpy/memmove-style call; the callee itself is wildcarded.
        $sequence_9 = { 8948f8 684c020000 8d8c244c0b0000 51 50 e8???????? 83c40c }
            // n = 7, score = 200
            //   8948f8               | mov                 dword ptr [eax - 8], ecx
            //   684c020000           | push                0x24c
            //   8d8c244c0b0000       | lea                 ecx, [esp + 0xb4c]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

    condition:
        // At least 7 of the 10 instruction sequences must be present and the
        // scanned object must be smaller than 598016 bytes (584 KiB). The
        // size bound presumably reflects the reference samples; when scanning
        // a whole process memory image rather than a single dumped module it
        // can exclude true positives -- relax it for that use case.
        7 of them and filesize < 598016
}
[TLP:WHITE] win_fickerstealer_w0   (20210726 | Yara rule for Ficker Stealer)
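rule win_fickerstealer_w0 {
  /* Purpose: hand-written CyberArk signature for Ficker Stealer, keyed on a
   * byte constant from the sample's C2 handling plus a few corroborating
   * strings, restricted to PE files (MZ header).
   * Only the condition ordering was changed: the cheap header check is
   * evaluated first so non-PE objects short-circuit without consulting
   * string matches. The set of matching files is unchanged. */
  meta:
    author = "Ben Cohen, CyberArk"
    date = "22-02-2021"
    version = "1.0"
    hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
    source = "https://github.com/cyberark/malware-research/blob/master/FickerStealer/Ficker_Stealer.yar"
    description = "Yara rule for Ficker Stealer"
    malpedia_rule_date = "20210726"
    malpedia_hash = ""
    malpedia_version = "20210726"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"

  strings:
    // Disabled by the original author and kept for reference: a wildcard-heavy
    // shift(C1)/xor(31) sequence. Re-enable only after false-positive testing.
    //$decryption_pattern = { 89 ?? C1 ?? ?? 31 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? C1 ?? ?? 31 }

    // The family-specific anchor of this rule; the [0-4] gap tolerates small
    // layout differences between builds.
    $c2_const = { 0C 00 0F 0A [0-4] 0B 0A 0B 0A }

    // Corroborating strings. NOTE(review): CyberArk describes the family as
    // Rust-based and these look like generic runtime/formatting fragments
    // rather than family-specific text -- confirm; expect them in unrelated
    // Rust binaries, so they only support $c2_const and must not be used as
    // a stand-alone indicator.
    $s1 = "kindmessage"
    $s2 = "SomeNone"
    $s3 = ".Kind"

  condition:
    // PE header check first (cheap, short-circuits non-PE input), then the
    // C2 constant, then at least one supporting string.
    //$decryption_pattern and
    uint16(0) == 0x5A4D and
    $c2_const and
    (1 of ($s*))
}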