Ficker Malware Spread Via Websites Impersonating Microsoft Store and Spotify
Hackers Are Promoting Sites Posing as the Microsoft Store, Spotify, and An Online Document Converter That Distributes Malware to Steal Financial Information and Passwords.
You should always pay attention to the URLs you click on, even if they supposedly lead to legitimate websites. As a fact, malware is often spread via websites impersonating other well-known ones. Recently, cybersecurity firm ESET found new ones mimicking the Microsoft Store and Spotify.
According to Lawrence Abrams, threat actors are now using these fake websites to steal credit card information and passwords. So far, ESET has found a fake Microsoft Store, Spotify, and an online document converter. Hackers seem to be targeting South America for the moment, but it wouldn’t come as a surprise if more regions become targets for these attacks.
#BREAKING Beware of active infostealer campaign mimicking Microsoft Windows Store, Spotify and FreePdfConvert apps targeting countries in South America 🇵🇪🇨🇴🇦🇷. #ESETresearch @jiriatvirlab 1/3 pic.twitter.com/bizy5ie3GQ
— ESET research (@ESETresearch) April 19, 2021
Based on ESET’s report, these websites are spreading Ficker malware. Ficker is an information-stealing Trojan released on Russian hacking forums back in January when its developer began renting out the malware to other threat actors.
Ficker steals information and user credentials that are saved in web browsers, messaging apps, and FTP clients. The malware can also exfiltrate documents, take screenshots of your running apps, and steal from a user’s cryptocurrency wallet.
Jiri Kropac, Head of Threat Detection Laboratories at ESET, told BleepingComputer that the attack is carried out through malicious advertising promoting what appear to be legitimate applications.
For instance, one of the ads used in this attack promotes an online Chess application, which you can see below.
Image Source: BleepingComputer
Nevertheless, when users click on the ad, they are redirected to a fake Microsoft Store page for a fake online chess app called ‘xChess 3’, which is automatically downloaded from an Amazon AWS server.
Image Source: BleepingComputer
The downloaded zip file is called ‘xChess_v.709.zip’ [VirusTotal], which is actually the ‘Ficker’ or ‘FickerStealer’, information theft malware in disguise, as shown in BleepingComputer’s Any.Run report.
Other ads in this malware campaign claim to be from Spotify or an online document converter. When accessed, their landing pages will also automatically download a zip file containing the Ficker malware.
Image Source: BleepingComputer
If you come across any websites like the ones mentioned above, make sure it has the correct URL and certificate information.
Given Ficker malware’s extensive functionality, if you are a victim of this attack, you are advised to immediately change your online credentials, check firewalls for suspicious port forwarding rules, and perform a thorough antivirus scan of your computer to check for additional malware.