


"Once information is sent back to Ficker's C2, the malware owner can access and search for all exfiltrated data. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established," the researchers said. "The malware also has screen-capturing abilities, which allow the malware's operator to remotely capture an image of the victim's screen. Also worthy of particular note is that, unlike traditional information stealers, Ficker is designed to execute the commands and exfiltrate the information directly to the operators instead of writing the stolen data to disk."

A phishing campaign is attempting to steal login credentials from Spotify users, according to researchers at AppRiver. The emails ask users to click a hyperlink to confirm their accounts, in order to remove any restrictions on their Spotify accounts.

"In the past week I've gotten two notifications, one about a login from France and another from Russia. I've changed my password and I don't know what else to do."

"Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will often reach out to its command-and-control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download," BlackBerry researchers said.

Aside from relying on obfuscation techniques, the malware also incorporates other anti-analysis checks that prevent it from running on virtualized environments and on victim machines located in Armenia, Azerbaijan, Belarus, Kazakhstan, Russia, and Uzbekistan.
