Dissecting the Multi-Stage Distribution of Fickle Stealer Malware

Distribution of a Rust-based stealer was identified in May 2024, named Fickle Stealer malware, with the intended goal of harvesting sensitive information, as unveiled by Fortinet researcher Pei Han Liao. A complex delivery and execution framework aimed at data theft is analyzed. The malware employs multiple delivery vectors, including VBA droppers, downloaders, link-based methods, and executable files, most of which utilize PowerShell scripts for initial deployment. The VBA dropper method embeds a script within a Word document to execute a JScript with wscript. The VBA downloader employs three distinct methods within Word documents for delivering malware. The first method directly fetches a PowerShell script named 'u.ps1' utilizing a PowerShell command that bypasses execution policy restrictions. The second method leverages 'forfiles.exe' to execute a batch file named 'runOnce.bat', which in turn runs 'u.ps1' with PowerShell. The third variant embeds an MSHTML file within a Word document, using a web browser control. This file is loaded when macros are enabled and contains commands that are subsequently executed to download and run a PowerShell script. The link downloader uses a LNK file to command PowerShell to execute a hidden, policy-bypassed script (bypass.ps1) directly. Meanwhile, the executable downloader, disguised as a PDF viewer, employs forfiles.exe to execute a batch script (runOnce.bat) that triggers PowerShell to run the remotely hosted u.ps1.

These initial delivery mechanisms set the stage for described preparatory actions by Fortinet, where PowerShell scripts like bypass.ps1 and u.ps1 prepare the attack environment. These scripts are designed to bypass User Account Control, leveraging the Mock Trusted Directories Method to execute a fake WmiMgmt.msc from a path that appears legitimate due to manipulated string handling in Windows. By creating a trailing space in the directory path and exploiting the MMC's search for local languages, the fake MSC file is treated as if it’s from a trusted directory. Consequently, it is executed with elevated privileges without prompting for UAC, allowing the attacker to run the Fickle Stealer malware unprompted. The subsequent scripts, engine.ps1 and inject.ps1, are responsible for ensuring persistence and preparing the system for the final payload by injecting shell code into executable files found on the host system. Persistence was established through a scheduled task that would run the script which would use Powershell commands to create new registry entries. Exclusions were added to Windows Defender from the PowerShell script for executables and file with the .pln extension.

The final phase of the Fickle Stealer attack deploys a payload that employs a packer appearing as a legitimate application. The stealer includes various anti-analysis checks, such as querying process names, debugging tools, virtual machine configurations via WMI - 'Get-WmiObject', and checking hardware IDs to detect and evade analytical environments. The malware targets a vast array of data, from cryptowallets to system credentials and sensitive documents, sending them to a command-and-control server. Additionally, Fickle Stealer utilizes a timeout command in its cleanup process, ensuring all malicious processes cease before its deletion.