
NEW RUST INFOSTEALER FICKLE STEALER SPREADS THROUGH VARIOUS ATTACK METHODS


Jasper_The_Rasper
Moderator

 June 20, 2024 By Pierluigi Paganini


A new Rust malware called Fickle Stealer spreads through various attack methods and steals sensitive information.

Fortinet FortiGuard Labs researchers detected a new Rust-based information stealer called Fickle Stealer, which spreads through multiple attack vectors.

The malware has intricate code and relies on multiple strategies for its distribution, including a VBA dropper, a VBA downloader, a link downloader, and an executable downloader.

Attackers typically download a PowerShell script (u.ps1 or bypass.ps1) to perform initial setup tasks. In some cases, attackers used an additional file to download the PowerShell script.

The main objective of the PowerShell script is to bypass User Account Control (UAC) and execute the Fickle Stealer malware. The script also sets up a task to run another script, engine.ps1, after 15 minutes. The script places a genuine and a fake WmiMgmt.msc file in the system directories to bypass UAC. The fake file abuses an ActiveX control to open a web browser with a local URL that serves a page for downloading and executing Fickle Stealer. This method leverages the Mock Trusted Directories technique to execute with elevated privileges without triggering a UAC prompt.


>>Full Article<<

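The UAC-bypass staging described in the post (a scripted drop of a real and a fake WmiMgmt.msc, a mock trusted directory, and the u.ps1 / bypass.ps1 / engine.ps1 stage scripts) leaves a recognisable trail in file-creation telemetry. The following is an added detection example, not code from the article, from Security Affairs, or from FortiGuard Labs. It assumes the usual mock-trusted-directory mechanism (a directory such as `C:\Windows \System32` whose trailing space is stripped by Win32 path normalisation, so it looks like the genuine System32 to the auto-elevation check); the `FileEvent` shape, the servicing-process allowlist and the sample events are all constructed for illustration.

```python
"""Triage file-creation events for the Fickle Stealer UAC-bypass staging pattern.

Added example: the event format and the sample events below are constructed,
not real telemetry from the campaign.
"""
from dataclasses import dataclass

# Directories Windows treats as trusted when deciding whether a signed binary
# may auto-elevate without a UAC prompt (general knowledge, not from the post).
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Stage script names the article attributes to the campaign.
STAGE_SCRIPTS = {"u.ps1", "bypass.ps1", "engine.ps1"}

# Assumed allowlist: processes that legitimately service files under System32.
SERVICING_PROCESSES = {"trustedinstaller.exe", "tiworker.exe"}


@dataclass
class FileEvent:
    path: str      # path exactly as the writer supplied it (trailing spaces intact)
    process: str   # image name of the writing process, e.g. "powershell.exe"


def normalize_win32(path: str) -> str:
    """Approximate Win32 path canonicalisation: trailing spaces and dots are
    stripped from each component, so 'C:\\Windows \\System32' collapses onto the
    genuine System32 path. That collapse is what a mock trusted directory exploits.
    (Simplified; the real rules have more cases.)"""
    return "\\".join(part.rstrip(" .") for part in path.split("\\"))


def under(path: str, base: str) -> bool:
    """Case-insensitive 'path lies inside base' check on raw strings."""
    return path.lower().startswith(base.lower() + "\\")


def is_mock_trusted_dir(path: str) -> bool:
    """True when the raw path is outside every trusted directory but its
    normalised form lands inside one: the hallmark of a mock trusted directory."""
    norm = normalize_win32(path)
    return any(under(norm, t) and not under(path, t) for t in TRUSTED_DIRS)


def triage(events):
    """Return (path, reason) findings for events matching the staging pattern."""
    findings = []
    for ev in events:
        name = ev.path.rsplit("\\", 1)[-1].lower()
        if is_mock_trusted_dir(ev.path):
            findings.append((ev.path, "write into mock trusted directory"))
        elif name == "wmimgmt.msc" and ev.process.lower() not in SERVICING_PROCESSES:
            # The genuine MSC is serviced by Windows itself; a script dropping a
            # copy (real or fake) is the behaviour the article describes.
            findings.append((ev.path, "WmiMgmt.msc written by non-servicing process"))
        elif name in STAGE_SCRIPTS:
            findings.append((ev.path, "known stage script name"))
    return findings


# Constructed sample events: two MSC drops (one into the real System32, one into
# a mock 'Windows ' directory), one stage script, and two benign writes.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\WmiMgmt.msc", "powershell.exe"),
    FileEvent(r"C:\Windows \System32\WmiMgmt.msc", "powershell.exe"),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\bypass.ps1", "powershell.exe"),
    FileEvent(r"C:\Users\alice\Documents\notes.txt", "notepad.exe"),
    FileEvent(r"C:\Program Files (x86)\Vendor\app.exe", "setup.exe"),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {path!r}")
```

The mock-directory check is the robust part: it keys on the mismatch between the raw path and its normalised form rather than on a specific name, so it also catches variants that use a different trusted directory or a different payload name. The script-name and MSC checks are weak indicators on their own (names are trivial to change), so treat a hit as a lead for pulling the scheduled task and the `WmiMgmt.msc` contents, not as proof of infection. Note also that `C:\Program Files (x86)` is deliberately not mistaken for a mock of `C:\Program Files`.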