Legit ads in order are used to lure you in 

The attack was discovered by cybersecurity firm ESET who issued a warning recently on Twitter to be on the lookout for the malicious campaign.

This one is a bit different in terms of methodology. Hackers most commonly employ emails utilizing various social engineering tricks in an attempt to lure unsuspecting recipients into clicking malicious links or downloading poisoned files.

 

Microsoft Store ad used

In this instance, however, the hackers are boldly advertising, impersonating legitimate online destinations like Spotify or the Microsoft store. For example, one of the advertisements used in this attack promotes an online Chess application, as shown below.

 

Malicious advertisement promoting a fake Chess app
Malicious advertisement promoting a fake Chess app

 

However, when users click on the ad, they are brought to a fake Microsoft Store page for a fake 'xChess 3' online chess application, which is automatically downloaded from an Amazon AWS server.

If anyone clicks on the link, they are taken to what appears to be a page on the Microsoft store, promising the software mentioned in the ad.

Anyone clicking to install the chess program will have the FickerStealer malware installed on their system instead. This malware is a Trojan released on Russian hacking forums in January of this year (2021). It was designed to steal a wide range of user data, including the capability to pilfer cryptocurrency from a variety of supposedly secure cryptocurrency wallets.

Other advertisements from this malware campaign pretend to be for Spotify (shown below) or an online document converter. When visited, their landing pages will also automatically download a zip file containing the Ficker malware.

Fake Spotify landing page
Fake Spotify landing page

Once a user unzips the file and launches the executable, instead of being greeted by a new online Chess application or the Spotify software, the Ficker malware will run and begin stealing the data stored on their computer.

All stolen data is zipped for compression and periodically exfiltrated to a command and control server run by the hackers. Even worse, the developers behind this particular malware strain posted it on the hacker forums in a bid to gin up customers, as their goal has been, from the start, to rent their code out to anyone who wants to make use of it.

 

What is the Ficker malware

Ficker is an information-stealing Trojan released on Russian-speaking hacker forums in January when the developer began renting out the malware to other threat actors.

Using this malware, threat actors can steal saved credentials in web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients.

In addition to stealing passwords, the developer claims the malware can steal over fifteen cryptocurrency wallets, steal documents, and take screenshots of the active applications running on victims' computers.

This information is then compiled into a zip file and transmitted back to the attacker, where they can then extract the data and use it for other malicious activities.

Given that, you can bet that we'll be hearing a great deal more about FickerStealer in the weeks and months ahead, as an increasing number of hackers take the developers up on their offer and begin deploying it in a growing number of campaigns.

The only real defense against this kind of campaign is to instruct your users not to click on any advertisements. If they want an app, or to sign up for services like Spotify, rather than clicking ads, have them type the URL in manually.

 

My perspective

Due to the Ficker malware's extensive functionality, victims of this campaign should immediately change their online passwords, check firewalls for suspicious port forwarding rules, and perform a thorough antivirus scan of your computer to check for additional malware. Make sure your people are all aware of the new threat and stay safe out there.

 

As Hill Street Blues' Sgt. Esterhaus always advised... "Hey, let's be careful out there!"

 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work@home, and cybersecurity. I work extensively with business and professional associations to provide small business technology education programs.

 

Contact me if you would like me to speak to your association