Most types of malware are designed to steal your credentials, including sensitive information like your credit card details and personal identity, and even hijack your files. Malware usually enters a person's computer discreetly, often through email attachments, or more commonly, via social engineering attacks.

One particularly worrying strain of malware is FickerStealer, a common information-stealing piece of software that's been making the rounds since 2020. So what is it? What does it do? And if you are affected, what can you?

What Is FickerStealer?

FickerStealer was first detected in August 2020 on the dark web. It's a popular information stealer, primarily targeted at Windows systems, that was first sold as a malware-as-a-service (MaaS) program on Telegram for around $200. At the time, FickerStealer was available with different capabilities, with the price going as high as $900.

FickerStealer can steal sensitive information stored on a victim's computer, including:

  • Cryptocurrency wallet addresses.
  • Passwords from web browsers.
  • Credit card details.
  • SSH passwords or FTP login information.
  • Computer login passwords.
  • Any credentials stored by the Windows Credential Manager.

FickerStealer promoted itself by claiming that it could steal sensitive information from more than 40 browsers, including all the popular ones like Chrome, Opera, Firefox, and Edge.

Once it hacks into a browser, the malware was capable of stealing data and relaying it back to the malware sender. If you were using an FTP client or an email app like Outlook or Thunderbird, FickerStealer was capable of stealing information from those as well.

And it's capable of gathering all information from your computer, including the processor, installed applications, CPU usage, and was capable of taking screenshots too.

FickerStealer was written in Rust and Assembly, programming languages that are incredibly efficient and fast-loading. Rust itself is a fairly complex language, which makes it slightly more difficult to reverse-engineer.

Buyers would gain access to a web-based panel, which would allow them to review any information they had stolen from victims.

How Does FickerStealer Infect Your Computer?

Red screen on a laptop indicating malware infection

Like most malware, FickerStealer was distributed using a variety of different techniques.

Email Spam Campaigns

These emails are often carefully disguised to offer something valuable, and if an unsuspecting individual downloads an attachment, the malware is instantly injected into the file system. It's one of the most common ways through which malware spreads.

These emails are often disguised to look important, and may even seem official in nature. They contain attachments that are disguised as seemingly harmless files, including .zip or .rar attachments. But as soon as a person downloads them, it executes a script that infects their device.

Unofficial Downloads of Cracked Software

Harmful malware like FickerStealer is commonly distributed using "cracked" or risky software downloads. Many people download cracked software programs from unofficial sources like hosting mirrors or torrents.

In most cases, these programs are infected with malware like FickerStealer. To encourage more downloads, malicious actors often claim to offer cracked versions of popular software like Microsoft Office or new video games. It's always important to carefully check important things before you download files online, like the authenticity of the site.

Software Activation Tools

FickerStealer could also spread easily through unofficial software activation tools. Used for piracy, these are designed to remove DRM restrictions and to allow people to use restricted software without a license key.

A common example is a Keygen, or a key generator. They often contain malicious files and can infect your computer as soon as you execute the program.

FickerStealer was distributed heavily this way. Since it was sold as an MaaS, malicious actors had the ability to customize the capabilities of the program based on how they wanted to distribute it.

A Computer Screen with a "Malware Found" alert box

Unlike conventional malware, this was sold as a service. So, once the buyer reached a deal, they would receive the customized malware package, including the server setup and the executable file.

The malware distributor also required the C&C (command and control) server's address, so they could customize the malware's code to communicate with the buyer's server.

Since FickerStealer doesn't have any dependencies, it could run without downloading any additional libraries, making it incredibly fast. And, unlike other malware, it didn't rely on the HTTP protocol to communicate with the C&C server.

The communication was fully encrypted on the client-side using a XOR rotation, so data was generally difficult to decrypt. More importantly, FickerStealer never kept any logs.

As soon as the malware stole the data, it would just relay it to the C&C server, making it much more difficult to detect. Conventional malware generally writes the data and stores it in a temporary folder before sending it to the C&C server.

How to Remove FickerStealer

FickerStealer primarily targets Windows systems, so the following suggestions are mainly for users running that system.

Use a Robust Antivirus App

Antivirus protection is necessary to detect, quarantine, and remove malicious software from your computer. There are several popular antivirus apps for Windows 11, and it's highly recommended that you use a reputable one, like Kaspersky, to protect your computer.

In case your computer is infected with FickerStealer, your antivirus will detect it and remove the infected files. This is perhaps the most important step, because in the case of malware, prevention is the best cure.

Antivirus apps periodically scan your computer to detect any malware or harmful programs like computer worms, and then quarantine the infected files.

Format Your File System

This isn't generally a recommended method, but if you don't have any sensitive files on your computer and need to get rid of FickerStealer, you might want to consider formatting the hard drive altogether. This really should be the last measure you consider, though.

Formatting the drive is going to remove all the files on the drive, including your operating system (if it's on the same drive), so you may have to reboot and install the operating system again.

Stay Safe When Browsing the Web

Malware often spreads through suspicious files and email attachments. It's important that you avoid downloading any untrustworthy files on your computer, especially from unofficial sources.

Also, if you receive an email from an unofficial source, be very cautious when opening it. Most email service providers now have malware scanning tools built in, so you will get a notification in case a file is infected.

And, if you plug in a new internal drive, either a solid state or a hard drive, make sure you format it before you start using it.