New Stealer Uses Invalid Cert To Compromise Systems

    Tuesday, November 12, 2024 In: Threat Research Print

    Date: 11/12/2024

    Severity: Medium

    Summary

    The Fickle Stealer, a new Rust-based information stealer, has emerged in May 2024. It spreads through phishing, drive-by downloads, and exploit kits, often using malicious attachments or invalid certificates to compromise systems. Once installed, it bypasses security measures like User Account Control (UAC) and steals sensitive data such as passwords, credit card details, and cryptocurrency wallet info. It can also download additional payloads, take screenshots, and self-delete after execution to avoid detection.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://185.213.208.245

    https://trustedsource.org

    IP Address

    185.213.208.245

    Hash

    f080d7803ce1a1b9dc72da6ddf0dd17e23eb8227c497f09aa7dfd6f3b5be3a66

4291bad1e35d8a8cdd7c9f5d1bdfdc0e9a1f1c956f9d348a3a068f2c854f54b1

022bf939e575b38578560fbba65a4cbebc43e5fbb54983fc845dbbc81420ff7c

94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b

7f5765e368b5ee21568b1d208cad821f01d8c1520ff7789529494db69d45c257

2357bdb0f5b32ad86c8b0b6ae44ae8e47eb17327f1aac400b971b95e8648edd0

2105c78e2d975be2e83f16eaaa4120aba22e19e37ba1c8aedabd6922725b3f99

47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://185.213.208.245" or url like "http://185.213.208.245" or userdomainname like "https://trustedsource.org" or url like "https://trustedsource.org"

    Detection Query 2

    dstipaddress IN ("185.213.208.245") or ipaddress IN ("185.213.208.245") or publicipaddress IN ("185.213.208.245") or srcipaddress IN ("185.213.208.245")

    Detection Query 3

    sha256hash IN ("f080d7803ce1a1b9dc72da6ddf0dd17e23eb8227c497f09aa7dfd6f3b5be3a66","4291bad1e35d8a8cdd7c9f5d1bdfdc0e9a1f1c956f9d348a3a068f2c854f54b1","022bf939e575b38578560fbba65a4cbebc43e5fbb54983fc845dbbc81420ff7c","94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b","7f5765e368b5ee21568b1d208cad821f01d8c1520ff7789529494db69d45c257","2357bdb0f5b32ad86c8b0b6ae44ae8e47eb17327f1aac400b971b95e8648edd0","2105c78e2d975be2e83f16eaaa4120aba22e19e37ba1c8aedabd6922725b3f99","47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973")

    Reference: 

    https://www.trellix.com/blogs/research/new-stealer-uses-invalid-cert-to-compromise-systems/     


    Tags

    Fickle StealerData StealerRust MalwareMalware

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2024 by Gurucul - All rights reserved.