A sophisticated new malware called Fickle Stealer has emerged, employing multiple distribution methods and advanced targeting capabilities. The threat, written in Rust programming language, was discovered by security researchers in May 2024.
Attack Chain Overview
The malware spreads through four main delivery mechanisms:
- VBA dropper embedded in Word documents
- VBA downloader using Word files
- Direct link downloads
- Executable files masquerading as PDF viewers
After initial infection, Fickle Stealer performs preparatory work including User Account Control (UAC) bypass and system checks before deploying its payload.
Advanced Evasion Techniques
The malware employs multiple methods to avoid detection:
- Checks for debugging tools and analysis environments
- Verifies hardware IDs against known sandbox configurations
- Monitors for virtual machine indicators
- Scans for security research usernames and processes
Data Theft Capabilities
Once active, Fickle Stealer targets sensitive information including:
- Cryptocurrency wallets
- Browser data (passwords, cookies, history)
- Authentication plugins
- Gaming platform credentials
- Communication apps (Telegram, Signal, etc.)
- Documents with specific extensions (.pdf, .doc, .txt)
The stolen data is formatted in JSON, compressed, and exfiltrated to command servers.
Flexible Targeting
A key feature is the malware's ability to receive updated target lists from its controllers. This allows attackers to dynamically adjust what data and applications are targeted on infected systems.
Self-Protection
The malware uses sophisticated packing techniques and mimics legitimate applications to avoid detection. It also employs self-deletion after completing data theft to remove evidence of compromise.
Security researchers note that Fickle Stealer continues to evolve, with new variants and attack chains being observed in the wild.