A newly discovered Rust-based malware dubbed Fickle Stealer has various malicious capabilities that could steal data from compromised users.
Based on reports, this latest infostealer can harvest sensitive information from compromised systems, such as personal passwords, browsing histories, and crypto wallet data. Moreover, this malware spreads through different attack vectors, such as phishing, drive-by downloads, exploit kits, and social engineering.
Fickle Stealer first appeared in May 2024, disguised as GitHub Desktop for Windows.
The Fickle Stealer malware poses as legitimate software, such as GitHub Desktop for Windows, with a digital signature that falsely purports to be from GitHub Inc. It also has a countersign from the Microsoft Public RSA Time Stamping Authority to increase its legitimacy.
In addition, the malware follows a multi-stage attack chain in which several preparatory steps are taken to evade detection and gain control. Upon execution, it uses a PowerShell script to bypass User Account Control (UAC) and connect to a C2 server.
The researchers noted that the malware uses proprietary packers and obfuscation tactics that complicate typical detection and analysis approaches. The malware also employs anti-analysis techniques to evade sandbox environments and debugging tools, allowing it to bypass detection while silently harvesting data in the background on compromised devices.
Furthermore, Fickle Stealer runs a PowerShell script called bypass.ps1 or u.ps1, which, once installed, reports victim details to the attacker via a Telegram bot. These details include the victim’s country, IP address, and OS.
The PowerShell command detected during analysis runs hidden, with commands such as cmd /c powershell.exe passing data from the target system back to an attacker-controlled C2 server. The malware’s layered structure also contains an additional script that looks for executables on the infected machine into which it can inject additional malicious code.
One example of this additional code is a secondary script that injects shellcode to establish the malware’s persistence. The paths of infected files are then Base64-encoded and recorded so that the same file is not injected twice.
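As an added example that is not part of the original report, the following detection logic looks for the behaviour described above (PowerShell launched through cmd.exe with a hidden window, running a script named bypass.ps1 or u.ps1) in process-creation records. The records are constructed samples, their field names are loosely modelled on Sysmon Event ID 1, and the two-indicator alert threshold is an assumption.

```python
import re

# Constructed sample process-creation records (not real telemetry); field names are
# loosely modelled on Sysmon Event ID 1. Fields are separated by '|'.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\u.ps1",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -w hidden -nop -File C:\\Temp\\bypass.ps1",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe Get-Date",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\ipconfig.exe|CommandLine=ipconfig /all",
]

# Script names reported for Fickle Stealer's PowerShell stage.
KNOWN_SCRIPTS = {"bypass.ps1", "u.ps1"}
# Matches '-WindowStyle Hidden' as well as the abbreviated '-w hidden' form.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def parse_event(line):
    """Split a 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def match_reasons(event):
    """Return the reported indicators this event exhibits (empty list if none)."""
    if not event.get("Image", "").lower().endswith("powershell.exe"):
        return []
    reasons = []
    cmd = event.get("CommandLine", "")
    if event.get("ParentImage", "").lower().endswith("cmd.exe"):
        reasons.append("powershell launched via cmd")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    # Compare only the basename of each argument: C:\Temp\bypass.ps1 matches, backup.ps1 does not.
    for token in cmd.split():
        basename = token.rsplit("\\", 1)[-1].lower()
        if basename in KNOWN_SCRIPTS:
            reasons.append("known script name: " + basename)
    return reasons


def find_suspicious(lines, min_reasons=2):
    """Flag records with at least min_reasons indicators; a lone cmd->powershell launch is too common to alert on."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = match_reasons(event)
        if len(reasons) >= min_reasons:
            hits.append((event["CommandLine"], reasons))
    return hits
```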
Users should avoid downloading applications, especially those from unknown or suspicious sources. Companies should use up-to-date security policies and conduct frequent access control reviews to limit the risk of the newly discovered Fickle Stealer malware.