New InfoStealer malware, Ficker targeting Windows has surfaced through a Russian underground forum

August 17, 2021
Russian Underground Forum Ficker Malware InfoStealer

Recently, a new malware in the form of a Malware-as-a-Service or MaaS has been discovered by cybercrime researchers produced mainly to attack Windows. The malware is called Ficker – an info-stealer of which is distributed through Russian underground forums. In addition to this, the Russian underground forums have been suddenly surfacing many users in an @ficker profile alias, seemingly connected to the recent dispersal of this new malware. 

Written from a programming language, Rust, the Ficker malware is produced with built-in skills to effectively practice stealing information from many cyber avenues such as web browser data, cryptocurrency wallets, FTP clients, credit card credentials, and many other applications. It is also equipped to damage, accumulate, and analyze stolen data from its victim as offered by the threat actor to its buyer. 


Ficker Malware Infecting Process 

The new way of Ficker’s infecting process is through the help of a popular malware downloader called Hancitor, wherein its deployment is considered stealthy in contrast to how the malware was distributed back then. Previously, Ficker malware is dispersed through exploited web links and sites injected with the Trojan virus. 

To begin Ficker’s infecting process, threat actors mainly start through disseminating phishing spam emails toward target victims. Enclosed to these emails is a Microsoft® Word document file that is infected with the malware. The document will pose as a legitimate MS Word file to deceive victims into launching it. 

To protect the malware from suspecting victims and cyber authorities, threat actors have had it heavily disguised and programmed to deploy numerous analysis checks to prevent victims or authorities from running it via a virtual environment. Moreover, an execution feature was set for the malware, so it could not work when operated from selected countries such as Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan. 


Ficker Data Stealing Process 

The route of which Ficker takes about its data-stealing process is through the instructions ordered by the malware author, and then all of its stolen data will be directly sent to the operator. This process is different from other traditional information-stealing malware do – wherein it collects files from a disk. It then creates a local copy for the collected data to be exfiltrated through a command-and-control or C2 server. 

The malware authors have also designed a unique feature for Ficker wherein it can decrypt all stolen information towards the server rather than towards the victim. This feature allows them to be in complete control of the malware. 

Listed below are all the information that the Ficker Malware is capable of stealing: 

  • Auto-complete browsing history 
  • Chromium-based web browsers 
  • Cookies 
  • Credit card credentials 
  • Cryptocurrency wallets 
  • Discord login information 
  • FileZilla FTP client 
  • Mozilla-based web browsers 
  • Pidgin accounts information 
  • Steam accounts information 
  • Saved login credentials
  • Thunderbird accounts information 
  • WinSCP FTP client 


The last step of the stealing process is by sending the information acquired back to the Ficker malware’s C2 server so that the malware author can successfully access the stolen data. 

About the author

Leave a Reply