
Fickle Malware Leads to UAC Bypass and Data Exfiltration

Wajahat Raja

July 5, 2024 - TuxCare expert team

A new Rust-based malware called Fickle Stealer has emerged, targeting sensitive information through multiple attack vectors. Fortinet FortiGuard Labs reports that Fickle malware is distributed via four main methods: VBA dropper, VBA downloader, link downloader, and executable downloader. Some of these methods utilize a PowerShell script to bypass User Account Control (UAC) and deploy the malware.

PowerShell Script Exploitation

The PowerShell script, identified as “bypass.ps1” or “u.ps1,” not only bypasses UAC but also collects and transmits victim information. The script sends data such as the victim’s country, city, IP address, operating system version, computer name, and username to a Telegram bot controlled by the attacker. This method ensures the attacker remains updated on the status and location of the compromised systems.

Fickle Malware – Stealthy Execution and Data Exfiltration

As per recent reports, the Fickle malware employs a packer to protect its payload, running several anti-analysis checks to avoid detection in sandbox or virtual machine environments. Once these checks are passed, the malware communicates with a remote server, sending the harvested data as JSON strings. The malware targets information from various sources, including crypto wallets, web browsers like Google Chrome, Microsoft Edge, Brave, Vivaldi, and Mozilla Firefox, and applications such as AnyDesk, Discord, FileZilla, Signal, Skype, Steam, and Telegram.

Rust Malware Analysis

Security researcher Pei Han Liao notes that Fickle Stealer not only targets popular applications but also searches for sensitive files in directories commonly used for software installations. The malware can export files with extensions such as .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat. This extensive data gathering ensures that a wide range of valuable information is exfiltrated.

Advanced Attack Techniques

Fickle Stealer’s deployment methods are sophisticated. Attackers download a PowerShell script to set up the malware, sometimes using an additional file to facilitate the download. The primary goal of the script is to bypass UAC and execute the malware. The script also schedules a task to run another script, engine.ps1, after a delay, which uses both legitimate and fake WmiMgmt.msc files to maintain stealth. This technique, known as Mock Trusted Directories, allows the malware to execute with elevated privileges without triggering a UAC prompt.

Constant Communication and Updates

The PowerShell scripts, including u.ps1, engine.ps1, and inject.ps1, frequently send status updates to the attacker via a Telegram bot. For each message, these scripts download and execute tgmes.ps1, which is stored temporarily and deleted after execution. The information-stealing malware continuously sends victim details to the attacker, ensuring they remain informed and can adjust the attack as needed.
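The behaviours described in the two sections above (a mock trusted directory used to reach elevated execution, a scheduled task that launches a PowerShell script after a delay, and PowerShell processes reporting to a Telegram bot) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the article or from FortiGuard's report: a small detector run over constructed JSON-lines records. The record layout, the host name "ws01"/"ws02", the file paths and the process names in the sample log are assumptions made for this example; the script names and the Telegram Bot API host are the ones the article mentions, and the trailing-space path shape (e.g. "C:\Windows \System32") is the generally documented form of the mock trusted directory technique, which the article names but does not spell out.

```python
import json
import re

# Script names the article attributes to the Fickle Stealer deployment chain.
FICKLE_SCRIPTS = ("bypass.ps1", "u.ps1", "engine.ps1", "inject.ps1", "tgmes.ps1")

# Host of the Telegram Bot API, which the article says the scripts use for
# status messages to the attacker.
TELEGRAM_API_HOST = "api.telegram.org"

# A mock trusted directory imitates a trusted path with a trailing space in a
# component (e.g. "C:\Windows \System32"). The article names the technique
# but gives no path; this pattern is the generally documented shape of it.
MOCK_TRUSTED_DIR = re.compile(r"\\windows \\", re.IGNORECASE)


def check_record(rec):
    """Return a list of findings for one log record (empty if nothing matched)."""
    findings = []
    event = rec.get("event")
    image = rec.get("image", "")
    cmdline = rec.get("command_line", "")

    if event == "process_create":
        if MOCK_TRUSTED_DIR.search(image) or MOCK_TRUSTED_DIR.search(cmdline):
            findings.append("process launched from a mock trusted directory")
        for name in FICKLE_SCRIPTS:
            if name in cmdline.lower():
                findings.append(f"known script name in command line: {name}")

    elif event == "network_connect":
        # A browser talking to api.telegram.org is unremarkable; PowerShell doing so is not.
        if (rec.get("dest_host", "").lower() == TELEGRAM_API_HOST
                and image.lower().endswith("powershell.exe")):
            findings.append("powershell.exe connecting to the Telegram Bot API")

    elif event == "task_register":
        action = rec.get("action", "").lower()
        if ".ps1" in action:
            findings.append("scheduled task runs a PowerShell script")
        for name in FICKLE_SCRIPTS:
            if name in action:
                findings.append(f"known script name in task action: {name}")

    return findings


def scan(lines):
    """Scan JSON-lines records and return (host, event, finding) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        for finding in check_record(rec):
            alerts.append((rec.get("host"), rec.get("event"), finding))
    return alerts


# Constructed sample telemetry (assumed layout, not a real EDR or Sysmon schema).
SAMPLE_LOG = r"""
{"host": "ws01", "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
{"host": "ws01", "event": "process_create", "image": "C:\\Windows \\System32\\loader.exe", "command_line": "loader.exe"}
{"host": "ws01", "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\Users\\Public\\u.ps1"}
{"host": "ws01", "event": "network_connect", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"host": "ws02", "event": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"host": "ws01", "event": "task_register", "task_name": "Updater", "action": "powershell.exe -File C:\\Users\\Public\\engine.ps1"}
"""

if __name__ == "__main__":
    for host, event, finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{host}\t{event}\t{finding}")
```

The name matches are deliberately loose (a substring such as "u.ps1" will also hit unrelated scripts like "menu.ps1"), so in practice the path-shape and PowerShell-to-Telegram checks carry more weight than the file names, which an attacker can rename at will.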

Similar Threats

The discovery of the Fickle malware comes alongside revelations about AZStealer, an open-source Python-based information stealer. Available on GitHub, AZStealer has been advertised as a highly effective Discord stealer. It exfiltrates stolen information by zipping it and sending it through Discord webhooks or uploading it to Gofile before transmission.


The rust malware exemplifies the growing sophistication of malware, utilizing multiple attack vectors and advanced techniques to harvest sensitive information while evading detection. The continuous updates and flexible target lists make it a persistent threat, emphasizing the need for robust cybersecurity measures and vigilant monitoring to protect against such complex threats.

The sources for this piece include articles in The Hacker News and Security Affairs.
