New 'Fickle Stealer' Malware Written in Rust Employs UAC Bypass to Exfiltrate Sensitive Data

Rust-Based 'Fickle Stealer' Malware Bypasses UAC to Steal Crypto Wallets and Browser Data

HIGH
June 21, 2026

Executive Summary

Security researchers have identified a new, multi-faceted information stealer named Fickle Stealer. This malware is notable for being written in the Rust programming language, a choice that aids in evasion due to its complex assembly output. Fickle Stealer is distributed through various means, including VBA droppers and link-based downloads. A key component of its attack chain is a PowerShell script used to bypass Windows User Account Control (UAC), allowing it to execute its main payload with elevated privileges. The malware is designed to steal a vast range of data, from cryptocurrency wallets and browser credentials to session data from popular applications. The exfiltrated data is sent to a Telegram bot, demonstrating a trend of threat actors abusing legitimate cloud services for C2 operations.

Threat Overview

Fickle Stealer represents a growing class of sophisticated info-stealers that are flexible and difficult to detect. The infection begins when a user interacts with a malicious dropper, which can be a macro-enabled document or a link to a malicious executable.

Upon execution, the malware's first major action is to run a PowerShell script (e.g., bypass.ps1) that bypasses Windows User Account Control (ATT&CK T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control). This lets the main stealer payload run with elevated privileges without triggering a consent prompt for the user. The stealer component, which is protected by a packer, performs anti-analysis checks to confirm it is not running in a sandbox, and then harvests data from a wide array of targets on the victim's machine.

Technical Analysis

Fickle Stealer's attack chain is modular and effective:

  • Distribution: Uses multiple vectors including VBA droppers, VBA downloaders, and direct executable downloads.
  • Defense Evasion:
    • UAC Bypass: Leverages a PowerShell script to elevate privileges without user interaction.
    • Anti-Analysis: Checks for virtual machines, sandboxes, and debuggers before executing its main logic.
    • Written in Rust: The choice of Rust makes manual reverse engineering more challenging compared to malware written in C/C++.
  • Data Collection: The stealer payload is comprehensive, targeting:
    • Cryptocurrency Wallets: Scans for wallets such as AtomicWallet, Exodus, Electrum, Bitcoin, Ethereum, and ZCash (T1552.001 - Credentials In Files).
    • Web Browsers: Steals cookies, passwords, and autofill data from Chromium-based (Chrome, Edge) and Gecko-based (Firefox) browsers (T1555.003 - Credentials from Web Browsers).
    • Applications: Targets session and credential data from AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.
    • File Grabbing: Can search for and exfiltrate specific file types (.txt, .pdf, .docx) based on a configuration received from its C2 server.
  • Command and Control & Exfiltration: Uses the Telegram Bot API for both C2 and data exfiltration (T1102.001 - Command and Control: Web Service). This allows it to blend in with legitimate network traffic, making it harder to block.

Impact Assessment

A successful infection by Fickle Stealer can lead to severe consequences for both individuals and organizations. The theft of credentials can result in:

  • Financial Loss: Direct theft of funds from cryptocurrency wallets.
  • Account Takeover: Compromise of email, social media, and other online accounts, leading to identity theft and further fraud.
  • Corporate Espionage: Theft of sensitive documents and communication data from applications like Signal and Telegram.
  • Further Compromise: Stolen credentials (e.g., from FileZilla or AnyDesk) can be used to gain deeper access into corporate networks, leading to a more significant breach.

The use of Telegram for exfiltration means that even if the initial infection is contained, the stolen data is already in the hands of the attacker.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for Fickle Stealer using the following clues:

  • PowerShell Execution: Monitor for PowerShell processes executing scripts with names like bypass.ps1 or u.ps1. Look for PowerShell commands that attempt to modify registry keys related to UAC or use reflective injection techniques.
  • Network Traffic: Look for outbound HTTPS connections to api.telegram.org. While this is a legitimate domain, traffic originating from unexpected processes or user workstations could be malicious.
  • File System Activity: Monitor for rapid file access to directories associated with cryptocurrency wallets (e.g., %APPDATA%\Exodus) or browser profiles.
  • Process Behavior: Look for processes that enumerate a large number of files and directories, then make a network connection, which could be indicative of the data staging and exfiltration process.

Detection & Response

  1. PowerShell Logging: Enable advanced PowerShell logging (Script Block Logging and Module Logging) to capture the content of executed scripts. This will reveal UAC bypass attempts and other malicious activities. This is a form of D3FEND's Process Analysis.
  2. EDR/XDR: Use an EDR solution to detect suspicious process chains, such as a Microsoft Office application spawning powershell.exe. The EDR should also be able to detect fileless attacks and UAC bypass techniques.
  3. Network Egress Filtering: Block or alert on all outbound connections to the Telegram API (api.telegram.org) from corporate assets, unless there is a legitimate business need. This is a direct application of D3FEND's Outbound Traffic Filtering.
  4. User and Entity Behavior Analytics (UEBA): UEBA platforms can help detect anomalous file access patterns or network connections that deviate from a user's normal baseline behavior.
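The hunting hints and detection steps above describe a handful of correlations: an Office process spawning powershell.exe, a 4104 script block that names a UAC-related registry value or a script called bypass.ps1/u.ps1, an unexpected process talking to api.telegram.org, and a process that reads several wallet or browser stores shortly before connecting out. The following added example (not code from the report or from any vendor product) runs those correlations over constructed endpoint telemetry; the event kinds, field names, UAC value names, wallet paths and the assumption that Telegram.exe is the only expected client are all choices made here, not facts from the report.

```python
# Added example, not code from the report: correlate constructed endpoint telemetry into the
# hunting hints. Event kinds map to Sysmon 1 (process), Sysmon 3 (net), PowerShell 4104
# (script) and file-access auditing such as Windows 4663 (file); field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_NAMES = {"bypass.ps1", "u.ps1"}  # script names given in the report
# Assumption: UAC policy value names and the .NET reflective-load API a bypass script would touch.
SCRIPT_MARKERS = ("consentpromptbehavioradmin", "enablelua", "promptonsecuredesktop", "[system.reflection.assembly]::load")
SENSITIVE_DIRS = (r"\appdata\roaming\exodus", r"\appdata\roaming\atomic", r"\appdata\roaming\electrum", r"\appdata\local\google\chrome\user data")
TELEGRAM_CLIENTS = {"telegram.exe"}  # assumption: the only process expected to reach api.telegram.org
STAGING_WINDOW = timedelta(seconds=60)  # collection must precede the connection by at most this

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) alerts for one host's time-ordered events."""
    alerts, touched, last_touch = [], defaultdict(set), {}
    for ev in events:
        kind, pid, ts = ev["kind"], ev["pid"], ev["ts"]
        if kind == "process" and _base(ev["image"]) == "powershell.exe" and _base(ev["parent"]) in OFFICE_APPS:
            alerts.append(("office_spawns_powershell", pid))
        elif kind == "script":
            text = ev["script"].lower()
            if _base(ev.get("path", "")) in SCRIPT_NAMES or any(m in text for m in SCRIPT_MARKERS):
                alerts.append(("uac_bypass_script", pid))
        elif kind == "file":
            for d in SENSITIVE_DIRS:
                if d in ev["target"].lower():
                    touched[pid].add(d)
                    last_touch[pid] = ts
        elif kind == "net":
            if ev["host"] == "api.telegram.org" and _base(ev["image"]) not in TELEGRAM_CLIENTS:
                alerts.append(("telegram_from_unexpected_process", pid))
            # staging then exfiltration: two or more wallet/browser stores read shortly before connecting out
            if len(touched[pid]) >= 2 and ts - last_touch[pid] <= STAGING_WINDOW:
                alerts.append(("collect_then_connect", pid))
    return alerts

T0 = datetime(2026, 6, 21, 9, 0, 0)
SAMPLE = [  # constructed telemetry for one host; not real indicators
    {"kind": "process", "pid": 4242, "ts": T0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"kind": "script", "pid": 4242, "ts": T0 + timedelta(seconds=2), "path": r"C:\Users\u\AppData\Local\Temp\bypass.ps1", "script": r"Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0"},
    {"kind": "file", "pid": 5150, "ts": T0 + timedelta(seconds=10), "target": r"C:\Users\u\AppData\Roaming\Exodus\exodus.wallet\seed"},
    {"kind": "file", "pid": 5150, "ts": T0 + timedelta(seconds=11), "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "net", "pid": 5150, "ts": T0 + timedelta(seconds=20), "image": r"C:\Users\u\AppData\Local\Temp\stealer.exe", "host": "api.telegram.org"},
    {"kind": "net", "pid": 777, "ts": T0 + timedelta(minutes=5), "image": r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe", "host": "api.telegram.org"},
]
```

Running `detect(SAMPLE)` flags pids 4242 and 5150 while the legitimate Telegram.exe connection from pid 777 stays silent; in production the allow-list and the staging window are the two knobs to tune against false positives.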

Mitigation

  • Restrict PowerShell: If not required for administrative tasks, use AppLocker or other application control solutions to restrict or disable PowerShell execution for standard users (M1038 - Execution Prevention).
  • UAC Configuration: Set User Account Control to its highest setting ("Always notify"). While bypasses exist, this can prevent simpler techniques.
  • Email Security: Block macro-enabled documents from external sources at the email gateway.
  • Credential Protection: Encourage the use of hardware wallets for storing significant amounts of cryptocurrency. Use password managers with MFA to protect online accounts (M1032 - Multi-factor Authentication).
  • User Training: Educate users about the dangers of enabling macros in documents from untrusted sources (M1017 - User Training).

Timeline of Events

June 21, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Use application control solutions like AppLocker to restrict the use of PowerShell for non-administrative users.
  • Deploy an EDR that can detect and block malicious PowerShell execution and UAC bypass techniques based on behavior.
  • Block outbound connections to known malicious services or services commonly abused for C2, such as the Telegram API, from corporate endpoints.
  • Educate users on the risks of enabling macros in documents and downloading files from untrusted sources.

D3FEND Defensive Countermeasures

To specifically counter Fickle Stealer, security teams must implement robust process analysis via an EDR solution with advanced PowerShell logging. Enable PowerShell Script Block Logging (Event ID 4104) to capture the full content of scripts, which will expose the UAC bypass techniques used by bypass.ps1. Create detection rules that alert on suspicious process chains, particularly a Microsoft Office application spawning powershell.exe, which in turn attempts to modify the registry or perform reflective loading. Furthermore, monitor for processes that rapidly access sensitive user directories associated with browsers (%LOCALAPPDATA%\Google\Chrome\User Data) and crypto wallets (%APPDATA%\Exodus), followed by an outbound network connection. This sequence is a strong indicator of an info-stealer's collection and exfiltration behavior.

Given Fickle Stealer's reliance on the Telegram API for data exfiltration, network-level controls are highly effective. Implement a strict egress filtering policy that blocks all outbound connections from workstations to api.telegram.org. This can be done at the perimeter firewall or via a web proxy. For organizations that have a legitimate business use for Telegram, rules should be scoped as narrowly as possible, perhaps allowing access only from specific marketing machines and denying it from all others, especially servers and developer workstations. This simple but effective rule cuts off the malware's ability to send stolen data back to the attacker, significantly mitigating the impact of an infection.

Harden endpoints by restricting the attack surface available to Fickle Stealer. Use application control policies, such as Windows AppLocker or Defender Application Control, to prevent PowerShell from being executed by standard users. Set the PowerShell execution policy to Restricted or AllSigned for users who do not require scripting capabilities. Additionally, configure Microsoft Office applications via Group Policy to block all macros from the internet; this removes the initial infection vector when the malware is delivered via a malicious document. Finally, ensure Windows UAC is configured to the highest level ('Always notify') to provide an additional layer of defense against privilege escalation attempts, even though advanced bypasses exist.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
