Researchers at ESET have discovered a new malicious campaign in which threat actors advertise websites that distribute data-stealing malware. The sites impersonate legitimate services such as the Microsoft Store and Spotify. Users are lured into visiting the websites and installing what appears to be the advertised application, but what they actually install is the malware hidden behind it.
Distributing Ficker Malware Through Advertising
Because stolen credentials let fraudsters gain access to further resources, they are constantly devising new ways to obtain them. One such scheme was uncovered by ESET researchers, who warned of a campaign in which threat actors advertise malware disguised as legitimate applications.
#BREAKING Beware of active infostealer campaign mimicking Microsoft Windows Store, Spotify and FreePdfConvert apps targeting countries in South America 🇵🇪🇨🇴🇦🇷. #ESETresearch @jiriatvirlab 1/3 pic.twitter.com/bizy5ie3GQ
— ESET research (@ESETresearch) April 19, 2021
One example, described by Jiri Kropac, ESET's Head of Threat Detection Labs, to BleepingComputer, involves a chess application. Impersonating x Chess 3, the threat actors advertise this online chess application through various channels. When an unsuspecting user clicks on the ad, they are redirected to a fake Microsoft Store website hosted on Amazon's AWS servers.
If the user goes on to download and run the offered application (an executable), it turns out to be the Ficker (FickerStealer) malware, which is capable of stealing sensitive data such as credentials from the victim's web browsers and applications. Besides the chess application hosted on the fake Microsoft Store, other lures impersonate Spotify and a document converter.
The researchers warned users to be suspicious when interacting with such applications, since in some cases (the Spotify lure above) the victim does not even need to download an application manually; merely visiting the website is enough to become infected. Ficker is a data-stealing malware first seen circulating on Russian-speaking hacker forums, where its developer rents it out to buyers.
Apart from extracting saved passwords from web browsers, Ficker can also steal from over fifteen different types of cryptocurrency wallets, steal documents, and even take screenshots of the applications currently running. The collected data is zipped into a file and sent back to the attacker's C2 server.