Hackers are promoting fake websites that impersonate the Microsoft Store, Spotify and an online document converter, and are using them to distribute information-stealing malware that steals credit card details and passwords saved in web browsers. The malicious activity was discovered by the cyber security company ESET, which issued a warning on Twitter on April 19 so that users would be on the lookout for the malware campaign.
In an interview with Jiri Kropac, head of ESET threat detection labs, BleepingComputer learned that the attack is carried out through malicious advertisements that promote applications that appear to be legitimate but actually infect users with malware. For example, one of the ads used in this attack promotes an online chess application.
However, when users click on the ad, they are taken to a fake Microsoft Store page for the chess application XChess 3, and a file is automatically downloaded from an Amazon AWS server. The zip file they receive is called «XChess_v.709.zip» [VirusTotal], and it actually contains "Ficker" or "FickerStealer", an info-stealing malware.
Other ads from this malware campaign are supposedly about Spotify or an online document converter. When someone visits them, their landing pages also automatically download a zip file containing the Ficker malware.
Once a user unzips the file and starts the executable, instead of seeing a new online chess application or Spotify software, the Ficker malware runs and starts stealing data stored on their computer.
What is Ficker malware?
Ficker is an info-stealing trojan that was released on a Russian-speaking hacking forum in January, after which its developer began renting the malware to other malicious actors. In a forum post, the developer describes the capabilities of the malware and offers to rent the software to anyone for periods ranging from one week to six months.
Using this malware, malicious actors can steal credentials stored in web browsers, desktop messaging clients (Pidgin, Steam, Discord) and FTP clients.
In addition to stealing passwords, the developer claims that the malware can steal from over fifteen cryptocurrency wallets, steal documents, and take screenshots of active applications running on victims' computers. This information is then collected in a zip file and sent to the attackers, who can later extract the data and use it for other malicious activities.
Due to the extensive functionality of the Ficker malware, victims of this campaign should immediately change their online passwords, check their firewalls for suspicious port forwarding rules and perform a thorough antivirus scan of their computers to check for additional malware.
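The checks above (port forwarding rules, a look for the downloaded archive) can be scripted for triage. The following PowerShell script is an added example and is not from the article, ESET or BleepingComputer; it assumes an affected Windows 10/11 host and an elevated PowerShell session, and the 30-day window and the folder-name filter are arbitrary choices for illustration.

```powershell
# Added triage script (not part of the original article). Lists persistent netsh
# port-proxy entries and enabled inbound allow rules, which are the "suspicious
# port forwarding rules" the article tells victims to check, then lists and hashes
# recently downloaded zip archives so they can be looked up on VirusTotal.
# Assumption: run as Administrator on the affected Windows host.

# 1. netsh portproxy entries survive reboots and forward traffic between ports or
#    hosts; a clean workstation normally has none, so anything listed needs review.
Write-Host "== netsh portproxy entries =="
netsh interface portproxy show all

# 2. Enabled inbound allow rules and the program each one is bound to. Rules whose
#    program path points into a user-writable location (Temp, Downloads, AppData)
#    are the ones worth examining; remove the Where-Object line to see every rule.
Write-Host "`n== Enabled inbound allow rules bound to programs in user-writable paths =="
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Profile = $_.Profile
            Program = $app.Program
        }
    } |
    Where-Object { $_.Program -match 'Temp|Downloads|AppData' } |   # assumed filter
    Format-Table -AutoSize

# 3. Zip archives written to the Downloads folder in the last 30 days (assumed
#    window). The campaign delivers its payload as an automatically downloaded zip,
#    so recent archives from an unknown source deserve a closer look. The SHA-256
#    lets the file be checked on VirusTotal without uploading it.
Write-Host "`n== Zip archives in Downloads, last 30 days, with SHA-256 =="
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -Filter '*.zip' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

The script only reads state; it removes nothing. A port-proxy entry is cleared with `netsh interface portproxy reset` once it has been confirmed unwanted, and a suspicious firewall rule is removed with `Remove-NetFirewallRule -DisplayName '<name>'`, but both should be recorded before removal so the incident can be documented.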
Source of information: bleepingcomputer.com