
FortiGuard Discovers New Crypto Data Stealer Malware


FortiGuard Labs discovered a sophisticated Rust-based stealer, Fickle Stealer, targeted at cryptocurrency users. The malware employs several distribution strategies and can select its targets flexibly.

According to the firm, the malware's list of targeted wallets includes AtomicWallet, Exodus, JaxxWallet, Electrum, ByteCoin, Ethereum, Guarda, Coinomi, Armory, and ZCash.

Additionally, certain applications popular with crypto users are targeted by default: files from specified folders are sent to the server. Typically, the tag consists of the application name in lowercase followed by two colons. The default targets include AnyDesk, Ubisoft (tag: play::), Steam, Skype, Signal, ICQ, FileZilla, Telegram, Tox, Pidgin, and Element.

According to the source, the attack chain consists of Delivery, Preparatory Work, and the Packer and Stealer Payload. The main objective of the preparatory work is to bypass User Account Control (UAC) and execute Fickle Stealer. It also creates a new scheduled task that runs engine.ps1 after a 15-minute delay.

Malware Counterfeits WmiMgmt.msc to Steal Browser Data

To bypass UAC, the malware drops a copy of WmiMgmt.msc and a counterfeit version of WmiMgmt.msc at specific paths. Snap-ins provide the interface for the management task and access to the necessary program and data. The counterfeit WmiMgmt.msc abuses a Shockwave Flash Object ActiveX control, which opens a web browser by default.

The browser's URL is set to localhost, and the script creates an HttpListener that serves a web page when WmiMgmt.msc is executed. This web page contains a script that configures exclusions for Fickle Stealer and then downloads it for execution.

Shortly after a message is sent, the script downloads tgmes.ps1 to the Temp folder under a random file name and executes it with the message as an argument. Afterwards, tgmes.ps1 is immediately deleted.

Additionally, tgmes.ps1 sends victim information, including country, city, IP address, OS version, computer name, and user name, to the Telegram bot. Fickle Stealer targets four main types of data: crypto wallets, plugins, file extensions, and partial paths. The server determines the targets and controls how the data is handled. For wallets, the malware sends files from specific folders and labels the data with a “wallet::” tag.
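As an added defender-side example (not FortiGuard's code or anything from the report), the following Python turns the behaviours described above into three detection heuristics and runs them over constructed endpoint events. The event shape, the sample paths and the assumption that the genuine WmiMgmt.msc only lives under System32 are mine, not taken from the report.

```python
import re

# Constructed telemetry in a simplified Sysmon-like shape (not real logs):
# event type, the process responsible, and a file path or command line.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # legitimate console opened from its normal location: must not fire
    {"type": "FileRead", "image": r"C:\Windows\System32\mmc.exe",
     "detail": r"C:\Windows\System32\wmimgmt.msc"},
    # counterfeit copy dropped into a user-writable path
    {"type": "FileCreate", "image": PS,
     "detail": r"C:\Users\victim\AppData\Local\Temp\WmiMgmt.msc"},
    # scheduled task that will later run engine.ps1
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "detail": r'schtasks /create /tn Updater /tr "powershell -File C:\Users\victim\engine.ps1"'},
    # tgmes.ps1 saved under Temp with a random name and run with an argument
    {"type": "ProcessCreate", "image": PS,
     "detail": r"powershell -File C:\Users\victim\AppData\Local\Temp\q7x1kd.ps1 started"},
    # benign script from a normal location: must not fire
    {"type": "ProcessCreate", "image": PS, "detail": r"powershell -File C:\Scripts\backup.ps1"},
]

SYSTEM32 = "c:\\windows\\system32\\"  # where the real console lives (assumption)
TEMP_PS1 = re.compile(r"\\appdata\\local\\temp\\[^\\\s\"]+\.ps1\b", re.I)

def msc_outside_system32(ev):
    path = ev["detail"].lower()
    return ev["type"] == "FileCreate" and path.endswith("wmimgmt.msc") \
        and not path.startswith(SYSTEM32)

def task_runs_engine(ev):
    cmd = ev["detail"].lower()
    return ev["type"] == "ProcessCreate" and ev["image"].lower().endswith("schtasks.exe") \
        and "/create" in cmd and "engine.ps1" in cmd

def powershell_script_from_temp(ev):
    return ev["type"] == "ProcessCreate" and ev["image"].lower().endswith("powershell.exe") \
        and TEMP_PS1.search(ev["detail"]) is not None

RULES = [
    ("counterfeit WmiMgmt.msc outside System32", msc_outside_system32),
    ("scheduled task invoking engine.ps1", task_runs_engine),
    ("PowerShell running a .ps1 from the Temp folder", powershell_script_from_temp),
]

def detect(events):
    """Return (rule name, event detail) for every event that a rule matches."""
    return [(name, ev["detail"]) for ev in events for name, rule in RULES if rule(ev)]
```

The third rule is deliberately broad, since the downloaded script carries a random name; treat it as a low-confidence signal that gains weight when it co-occurs with either of the other two.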