win.fickerstealer

Ficker Stealer


According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does so with an approach that differs from other stealers (described in the CyberArk write-up referenced below). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware payloads.

References
2022-01-19 · Blackberry · The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-08-12 · Blackberry · BlackBerry Research & Intelligence Team
@online{team:20210812:threat:254ba6c, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Ficker Infostealer Malware}}, date = {2021-08-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware}, language = {English}, urldate = {2021-08-17} } Threat Thursday: Ficker Infostealer Malware
Ficker Stealer
2021-07-19 · CyberArk · Ben Cohen
@online{cohen:20210719:fickerstealer:6d57700, author = {Ben Cohen}, title = {{FickerStealer: A New Rust Player in the Market}}, date = {2021-07-19}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market}, language = {English}, urldate = {2021-07-26} } FickerStealer: A New Rust Player in the Market
Ficker Stealer
2021-06-17 · Binary Defense · Brandon George
@online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-04-22 · Spamhaus · Spamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-20 · Bleeping Computer · Lawrence Abrams
@online{abrams:20210420:fake:fca82a4, author = {Lawrence Abrams}, title = {{Fake Microsoft Store, Spotify sites spread info-stealing malware}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/}, language = {English}, urldate = {2021-06-16} } Fake Microsoft Store, Spotify sites spread info-stealing malware
Ficker Stealer
2021-03-17 · HP · HP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-01-18 · Medium csis-techblog · Benoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-10-27 · Twitter (@3xp0rtblog) · 3xp0rt
@online{3xp0rt:20201027:ficker:b890340, author = {3xp0rt}, title = {{Tweet on Ficker Stealer}}, date = {2020-10-27}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1321209656774135810}, language = {English}, urldate = {2021-12-17} } Tweet on Ficker Stealer
Ficker Stealer
Yara Rules
[TLP:WHITE] win_fickerstealer_auto (20221125 | Detects win.fickerstealer.)
rule win_fickerstealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.fickerstealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING THE STRINGS SECTION
     * Each $sequence_N is a run of consecutive x86 (32-bit) instruction
     * encodings taken from the disassembly; the annotated lines below each
     * one list the bytes and the decoded instruction.
     * The "n = ..." annotation is the number of instructions in the sequence.
     * The "score = ..." annotation is a ranking value emitted by the
     * generator; its scale is not documented on this page.
     * "??" wildcards stand for operand bytes that vary between builds or
     * load addresses: e8 is CALL rel32 and e9 is JMP rel32, so their
     * displacements are wildcarded (these lines have no decoded mnemonic);
     * ba is MOV EDX, imm32, where the immediate is presumably an address.
     * Because the sequences come from unpacked files and memory dumps (see
     * DISCLAIMER), a packed sample on disk is not expected to match until
     * it has been unpacked or dumped from memory.
     */

    strings:
        $sequence_0 = { 8dbc24a0010000 8b72f8 89f9 e8???????? 8b3f 83ff02 7508 }
            // n = 7, score = 200
            //   8dbc24a0010000       | lea                 edi, [esp + 0x1a0]
            //   8b72f8               | mov                 esi, dword ptr [edx - 8]
            //   89f9                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   83ff02               | cmp                 edi, 2
            //   7508                 | jne                 0xa

        $sequence_1 = { 8d7de0 89f9 e8???????? 89f0 e9???????? 0f0b 0f0b }
            // n = 7, score = 200
            //   8d7de0               | lea                 edi, [ebp - 0x20]
            //   89f9                 | mov                 ecx, edi
            //   e8????????           |                     
            //   89f0                 | mov                 eax, esi
            //   e9????????           |                     
            //   0f0b                 | ud2                 
            //   0f0b                 | ud2                 
            // NOTE(review): back-to-back ud2 traps look like compiler-emitted
            // abort padding; the CyberArk reference for this family describes
            // it as Rust-compiled, which would be consistent with that.

        $sequence_2 = { 8b45ec c6400402 8d4dc4 c70001000000 e8???????? 83c460 }
            // n = 6, score = 200
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c6400402             | mov                 byte ptr [eax + 4], 2
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]
            //   c70001000000         | mov                 dword ptr [eax], 1
            //   e8????????           |                     
            //   83c460               | add                 esp, 0x60

        $sequence_3 = { 50 51 52 ff751c ff7518 ff7514 ff7510 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff751c               | push                dword ptr [ebp + 0x1c]
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            // NOTE(review): a generic argument-forwarding prologue; on its own
            // this sequence is low-specificity, which is why the condition
            // requires 7 of the 10 sequences rather than any single one.

        $sequence_4 = { eb06 d3ea 89d0 31d2 5d c3 55 }
            // n = 7, score = 200
            //   eb06                 | jmp                 8
            //   d3ea                 | shr                 edx, cl
            //   89d0                 | mov                 eax, edx
            //   31d2                 | xor                 edx, edx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_5 = { c3 8b44240c 8364242c00 c74424281c000000 8364242400 8364242000 8d742410 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8364242c00           | and                 dword ptr [esp + 0x2c], 0
            //   c74424281c000000     | mov                 dword ptr [esp + 0x28], 0x1c
            //   8364242400           | and                 dword ptr [esp + 0x24], 0
            //   8364242000           | and                 dword ptr [esp + 0x20], 0
            //   8d742410             | lea                 esi, [esp + 0x10]

        $sequence_6 = { e8???????? 59 5a 56 ffd0 eb19 89f1 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   eb19                 | jmp                 0x1b
            //   89f1                 | mov                 ecx, esi

        $sequence_7 = { e9???????? 8b5de4 ba???????? 31c9 b001 8955dc 89ca }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]
            //   ba????????           |                     
            //   31c9                 | xor                 ecx, ecx
            //   b001                 | mov                 al, 1
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   89ca                 | mov                 edx, ecx

        $sequence_8 = { c1e70e 09cf 84c9 7816 c1e607 89da b106 }
            // n = 7, score = 200
            //   c1e70e               | shl                 edi, 0xe
            //   09cf                 | or                  edi, ecx
            //   84c9                 | test                cl, cl
            //   7816                 | js                  0x18
            //   c1e607               | shl                 esi, 7
            //   89da                 | mov                 edx, ebx
            //   b106                 | mov                 cl, 6

        $sequence_9 = { b320 c745e400000000 0fadfa d3ef 84d9 b900000000 89fb }
            // n = 7, score = 200
            //   b320                 | mov                 bl, 0x20
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   0fadfa               | shrd                edx, edi, cl
            //   d3ef                 | shr                 edi, cl
            //   84d9                 | test                cl, bl
            //   b900000000           | mov                 ecx, 0
            //   89fb                 | mov                 ebx, edi

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 598016 bytes. There is no PE-header check, so
        // the rule can also fire on raw memory dumps and unpacked buffers.
        // NOTE(review): the size bound is derived from the reference sample;
        // a padded, repacked or otherwise larger build will be missed even if
        // all sequences are present. Consider relaxing it for memory scans.
        7 of them and filesize < 598016
}
[TLP:WHITE] win_fickerstealer_w0   (20210726 | Yara rule for Ficker Stealer)
rule win_fickerstealer_w0 {
  meta: 
    author = "Ben Cohen, CyberArk"
    // NOTE(review): DD-MM-YYYY here, unlike the ISO dates in the malpedia_* fields.
    date = "22-02-2021"
    version = "1.0"
    // 64 hex digits (SHA-256 length): the reference sample this rule was written against.
    hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
    source = "https://github.com/cyberark/malware-research/blob/master/FickerStealer/Ficker_Stealer.yar"
    description = "Yara rule for Ficker Stealer"
    malpedia_rule_date = "20210726"
    malpedia_hash = ""
    malpedia_version = "20210726"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
  
  strings:
    // Disabled upstream (also commented out in the condition below), so it has no
    // effect on matching; kept for reference.
    //$decryption_pattern = { 89 ?? C1 ?? ?? 31 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? C1 ?? ?? 31 }
    // Two fixed byte groups separated by a gap of 0 to 4 arbitrary bytes. The
    // name suggests a constant tied to the C2 logic, but the page does not say
    // what the bytes encode -- presumably verified against the referenced sample.
    $c2_const = { 0C 00 0F 0A [0-4] 0B 0A 0B 0A }

    // Plain text strings with no modifiers, so YARA matches them ASCII-only and
    // case-sensitively; UTF-16 copies would not be matched.
    // NOTE(review): "SomeNone" and ".Kind" look like Rust Option/enum naming,
    // consistent with the CyberArk write-up describing a Rust binary -- confirm.
    // ".Kind" is only 5 bytes and low-specificity by itself; it is useful here
    // only because $c2_const is also required.
    $s1 = "kindmessage"
    $s2 = "SomeNone"
    $s3 = ".Kind"

  condition:
    //$decryption_pattern and
    // Require the byte pattern, any one of $s1..$s3, and an 'MZ' signature at
    // offset 0 (0x5A4D read little-endian). The header check restricts hits to
    // DOS/PE files, so a headerless memory dump will not match this rule.
    $c2_const and
    (1 of ($s*)) and
    uint16(0) == 0x5A4D
}