June 7, 2021 By David Bisson 2 min read

People tend to be less guarded when they are dealing with something familiar. Attackers know this, which is why they have been placing malware behind ads that impersonate Microsoft Store products and Spotify.

Bleeping Computer learned from ESET that the attackers used malicious advertisements (malvertising) at the start of the attack chain. Clicking one of those ads sent users to fake Spotify or Microsoft Store websites that served samples of the Ficker information stealer.

Read on to learn how these websites enticed visitors to infect themselves with malware.

Want a Legit App? Well, Here’s Some Malware Instead…

The attackers used malicious ads to lure in users with promotions for real apps.

Security researchers spotted one ad promoting an online chess app, for example. When clicked, the ad sent users to a fake Microsoft Store page. Clicking the ‘Download Free’ button retrieved a malware payload disguised as xChess_v.709.zip from an Amazon Web Services (AWS) server rather than from any Microsoft domain.

Some of the other malicious ads directed users to a landing page offering a free bundle of Spotify Music and YouTube Premium for 90 days. No such bundle existed as of this writing.

The website then instructed visitors to click a ‘Download Free App (1 MB)’ button. The advertised size is itself a tell: no full music player is that small. At the time, the real Spotify mobile and desktop apps were at least 150 MB.

Both downloads delivered Ficker instead of the promised app. The stealer can harvest users’ saved passwords, take screenshots of their computers and lift documents from disk.

Other Recent Attacks Involving Ficker

Malware analysts took to Twitter to expose Ficker in October 2020. At that time, they observed the malware developer renting out Ficker on Russian-speaking cracker forums.

In the months that followed, researchers learned more about how the threat works and observed the malware in action. One early finding came from Minerva in early March 2021, when its researchers watched Ficker download the Kronos RAT in a lab setting.

A few weeks later, Infoblox detected a malspam campaign that used DocuSign-themed lures to install the Hancitor Trojan downloader with the help of malicious Microsoft Word documents. Hancitor then proceeded to download other payloads containing Cobalt Strike and Ficker.

Defending Against This Ficker Campaign

Organizations can defend against Ficker by focusing on their data protection efforts. This begins with encrypting sensitive information at rest so that a copy lifted by a stealer is useless to whoever receives it; the same control satisfies the provisions of many regulations. One caveat a practitioner should keep in mind: an infostealer runs in the victim’s own session and can read whatever that user can read, including browser-saved passwords and open documents, so encryption limits the damage of a stolen file but does not stop the theft itself.

Organizations also cannot encrypt what they have not found. They first need to locate and prioritize their data, then apply encryption to the most sensitive information assets. With that inventory in place, they can use monitoring and alerting capabilities to warn of suspicious activity involving their data, such as a vendor-branded installer being fetched from a host that vendor does not use.

At the same time, organizations can use security awareness training to teach employees how malware distribution campaigns like this one work: a promotion for a real product, a landing page that looks like the vendor’s, and a download that arrives from somewhere else entirely. Threat intelligence helps them keep up with new campaigns and gives employees concrete indicators to look for.
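The delivery pattern described above (a download named after a real product, served from generic cloud storage instead of the vendor’s domain, and far smaller than a real installer) can be turned into a simple proxy-log check. The following Python is an added example written for this article; it is not code from ESET, Bleeping Computer or the article’s author. The log format, the brand keyword list, the vendor domain list, the cloud-storage host suffixes, the size threshold and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand strings used by the lures in this campaign (assumed list; extend to your own vendors).
LURE_KEYWORDS = ("spotify", "xchess", "youtubepremium", "microsoftstore")

# Domains the real vendors actually serve downloads from (assumed list for illustration).
VENDOR_DOMAINS = ("spotify.com", "scdn.co", "microsoft.com", "youtube.com")

# Generic object-storage suffixes; a vendor installer is not normally fetched from these.
CLOUD_STORAGE_SUFFIXES = ("amazonaws.com", "blob.core.windows.net", "storage.googleapis.com")

ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".msi")

# A 1 MB "music player" is implausible; 20 MiB is an assumed floor for a real desktop client.
MIN_PLAUSIBLE_APP_BYTES = 20 * 1024 * 1024

# Assumed proxy log layout: <timestamp> <client-ip> <status> <bytes> "GET <url>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<status>\d{3}) (?P<bytes>\d+) "GET (?P<url>\S+)"$')


def is_vendor_host(host):
    """True if host is a vendor domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def flag_download(line):
    """Return a finding dict for a suspicious brand-impersonating download, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("status") != "200":
        return None
    parsed = urlparse(m.group("url"))
    host = (parsed.hostname or "").lower()
    filename = parsed.path.lower().rsplit("/", 1)[-1]
    if not filename.endswith(ARCHIVE_EXTENSIONS):
        return None          # only installers and archives are of interest
    if is_vendor_host(host):
        return None          # a real vendor domain serving its own software is expected
    if not any(k in filename for k in LURE_KEYWORDS):
        return None          # no brand impersonation in the filename
    reasons = ["vendor-branded file from non-vendor host"]
    if any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
        reasons.append("served from generic cloud storage")
    size = int(m.group("bytes"))
    if size < MIN_PLAUSIBLE_APP_BYTES:
        reasons.append("implausibly small installer (%d bytes)" % size)
    return {"src": m.group("src"), "host": host, "file": filename, "bytes": size, "reasons": reasons}


def scan(lines):
    """Run flag_download over every log line and keep the hits."""
    return [hit for hit in (flag_download(l) for l in lines) if hit]


# Constructed sample log lines (not real traffic). Line 1 mirrors the campaign: a chess-app
# archive from an AWS host. Line 2 is a legitimate vendor download. Line 3 is a branded
# "bundle" from a promo site. Lines 4 and 5 are ordinary, benign traffic.
SAMPLE_LOG = [
    '2021-06-01T10:01:02Z 10.0.0.5 200 1048576 "GET https://example-bucket.s3.amazonaws.com/xChess_v.709.zip"',
    '2021-06-01T10:02:15Z 10.0.0.7 200 157286400 "GET https://download.scdn.co/SpotifySetup.exe"',
    '2021-06-01T10:03:40Z 10.0.0.9 200 987654 "GET https://cdn.example-promo.net/dl/SpotifyPremiumBundle.zip"',
    '2021-06-01T10:04:01Z 10.0.0.4 200 4096 "GET https://www.example.com/index.html"',
    '2021-06-01T10:05:22Z 10.0.0.8 200 30000000 "GET https://files.example.org/quarterly_report.zip"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s downloaded %s from %s: %s" % (hit["src"], hit["file"], hit["host"], "; ".join(hit["reasons"])))
```

Only the filename-impersonation check is a hard condition; cloud-storage hosting and a small size are reported as supporting reasons so that an analyst can rank hits. Tune the keyword and vendor lists to the brands your users actually download, or the rule will be either blind or noisy.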
