BLACKBERRY LIMITED - Share on Twitter
- Share on Facebook
- Share on Linked In
Ficker is a malicious information-stealer that is sold and distributed on underground Russian online forums by a threat actor using the alias @ficker. This Malware-as-a-Service (MaaS) was first uncovered in the wild in mid-2020.
Ficker has been previously distributed via Trojanized web links and compromised websites. For example, it could direct victims to pages purportedly offering free downloads of legitimate paid services like Spotify and YouTube Premium. It has also recently been deployed via the known malware downloader, Hancitor.
Notably written in Rust, Ficker has several targets for its information stealing, including web browsers, credit card information, crypto-wallets, FTP clients and other applications. Along with anti-analysis checks, the malware can also deploy further functionality and download additional malware once a system is successfully compromised.
Operating SystemThe creator of the malware is frequently active on the forums related to the malware, as seen in the image below:
Figure 2: Translated 'update log' from malware author
Since its introduction last year, Ficker has been deployed in a wide variety of ways. This is likely due to multiple threat actors using the malware differently in smaller individual campaigns.
In its early days, Ficker victims had mostly downloaded and executed the threat accidentally after visiting compromised websites or inadvertently clicking on malicious web links. Threat actors will often create fake ads for legitimate and popular services to lure unsuspecting users into visiting or clicking on Trojanized material.
For example, Ficker has previously been hosted on lure pages masquerading as a 'Microsoft® Store' webpage, to entice users to download malicious applications while lulling them into a false sense of security.
HancitorIn recent months, Ficker has been deployed and dropped by the known malware family Hancitor. Hancitor's attack chain often begins with the threat actor sending out fake DocuSign malspam emails, which results in a victim unknowingly downloading a Trojanized Microsoft® Word document, thinking they are getting a real DocuSign doc.
Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command and control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download, as seen below:
Figure 3: Example of Hancitor downloading Ficker infostealer
Depending on the commands the Hancitor C2 sends, Ficker is often injected into an instance of svchost.exe on a victim's machine, as seen below. It does this to further avoid detection and hide the activity of this malicious executable.
Figure 4: Process Flow of Ficker via Hancitor initial infection
Anti-Analysis and Initial ChecksWhen analyzing the file statically, we found that Ficker is heavily obfuscated. It also contains multiple anti-analysis checks, which are meant to thwart analysis and prevent the malware from executing in virtualized environments.
The malware author has also included checks so that the malware will not execute if it is running in selected countries, which is likely intended to protect the threat actors who tend to purchase such malware. Ficker achieves this by checking the keyboard layout of the victim's machine. If their keyboard layout is related to one of these nations, the malware will terminate:
Keyboard Layout | Country |
ru-RU | Russia |
be-BY | Belarus |
Uz-UZ | Uzbekistan |
hy-AM | Armenia |
kk-KZ | Kazakhstan |
az-AZ | Azerbaijan |
To do this, Ficker will reach out to the web API at api[.]ipify[.]org. This is a public IP address web API used by the malware to gather the external IP address of the victim's device. The threat likely uses this as another anti-virtualized environment check, as the malware will not reach out to its C2 infrastructure if it doesn't get a successful response to this API call.
Once the victim's IP address is obtained, the malware will attempt to reach out to its C2 server. If a response is sent successfully, the malware will receive its configuration commands to perform its desired actions. If the malware cannot obtain such information from this API call, it will wait until an Internet connection is re-established before reaching out to its C2.
Stolen DataUnlike traditional information stealers, Ficker does not write its stolen data to disk. Traditional infostealer families will often store a local copy of the data it intends to steal, and then exfiltrate it after a set period of time. Instead, Ficker loops through its instructions and sends its information directly to the operator of the malware.
The malware author has designed Ficker to have another unique feature: decrypting stolen data server-side rather than 'victim-side.' This is likely done to avoid detection, but it also gives Ficker's creator greater control over who is allowed to use their malware.
When sending stolen data, Ficker will initially encrypt it using an XOR rotation. During analysis, it appears that the same XOR key (0x0A) is used across all samples.
Depending on its commands, Ficker will attempt to exfiltrate the following information:
-
Chromium web browsers
- Saved login credentials
- Cookies
- Auto-compete history
-
Mozilla-based web-browsers.
- Saved login credentials
- Cookies
- Auto-complete history
- Credit card information
- Cryptocurrency wallets
- FileZilla FTP client
- WinScp FTP client
- Discord login
- Steam accounts
- Pidgin accounts
- Thunderbird accounts
The malware will also gather system information, as shown below:
Figure 5: Decoded system information sent by Ficker to its C2
The malware also has screen-grab abilities, which allow the malware's operator to remotely capture an image of the victim's screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established, as shown below. This enables further stages of exploitation on a victim's device.
Figure 6: Example of Ficker dashboard
Once information is sent back to Ficker's C2, the malware operator can access and search for all exfiltrated data.
The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:
import 'pe'
rule Mal_Infostealer_Win32_Ficker_Stealer
strings:
condition:
// Must have the following sections in the following order
// Must be less than
//One of $x } |
Operating System: Windows Mutex
Network Communication Ficker Download IOC:
|
If you're battling Ficker malware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
- Share on Twitter
- Share on Facebook
- Share on Linked In
Attachments
- Original document
- Permalink
Disclaimer
BlackBerry Ltd. published this content on 12 August 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 August 2021 15:31:12 UTC.
