Approaching stealers devs: a brief interview with EncryptHub (Fickle Stealer)
To fully understand what is going on in a market that has been growing in recent years, I found it mandatory to know which players are dominating it. Always remember that behind every user of the Internet there is another human like you, so if you are kind enough to reach out to them and they agree, you can have a little talk. Asking questions is not a crime.
Please note that everything stated on this blog has only an informational purpose. I will never promote the use of these products.
Let’s see, Fickle Stealer, a brief talk with EncryptHub:
The interview was conducted in English; the original text is provided below.
What is Fickle Stealer?
It’s hard to summarize briefly, but we aimed to create a minimally detectable stealer that can persist on the system and quickly perform the assigned tasks. We tried pure Go Lang, Python, and Rust. Many researchers have seen parts of stealers like *Kematian*. Yes, I was searching for a universal way to deploy payloads, and I found PowerShell to be a good option. It’s really flexible and has many useful features that help in this work. I dismantled the *Kematian* stealer and started figuring out how it works, and I liked it. However, it had a huge problem with detection because it used very noisy shellcoding. I stripped out the excess, simplified the code, added new functionality to the script, several backup channels for log retrieval, and completely disconnected it from the main panel, which was really inconvenient. They had a pretty good and convenient browser decryption tool written in Go, but it was outdated and couldn’t process new cookie and password formats. I refreshed the code structure, added cookie collection for modern Chromium browsers, and integrated it into the RAT. It now runs almost immediately after the computer connects, and within half a minute, we receive the log. The stealer is still being improved, but its main advantage is reliability. It’s a lightweight, universal script that doesn’t fail. Yes, there are various complexities, but everything is fixed and added. A huge thanks to the developers of *Kematian* for their suggestions during the rebuild stages. And that’s how it came to life in dozens of modifications with different features, some of which were written under the supervision of antivirus software for real testing.
Is there a history behind the name Fickle?
Yes, the name was given by a researcher from *Fortinet*. I really don’t understand what prompted him to do so, but it turned out to be suitable. Indeed, some builds changed their operation algorithms depending on the detected antivirus in the system to ensure maximum exfiltration efficiency. There were also builds that scanned the entire system for compatible applications and injected Fickle code into them. I tried to keep them functional. It was a great way to persist in the system and elevate local privileges to run code.
Fickle Stealer carries an EncryptHub banner. What is EncryptHub?
I liked the banners in different stealers. I personally studied every interesting sample, and each had its own banner. I didn’t want to create another no-name, so temporarily, with partners, we set up *EncryptHub* (these were still test samples, and no one thought everything would turn into a suite of tools). But there’s nothing more permanent than temporary. As a result, we ended up with the name for a range of products. It’s both funny and a bit naughty.
What makes Fickle different from other products?
Its main feature is reliability. It delivers results on systems where StealC or Rhadamanthys would never work. Fickle easily passes high-quality corporate antivirus systems, and we were confident that we’d get results. Currently, we use it as the main stealer and a preparatory step to launch heavier programs, such as disabling protection or manually creating exceptions with EncryptRat.
I’ve seen Fickle Stealer used in the wild, deployed from unusual file types such as .ppkg and .msc. These are interesting delivery methods that are not commonly seen. Can you explain a little more about these new techniques?
The concept of malicious .exe and .msi files is totally outdated. We need something new, which is why there’s constant research into new delivery methods that bypass security measures. Thanks to the flexibility of invoking the stealer, almost any file that allows command execution can be used. These delivery methods, when they appeared, were completely undetectable by antivirus systems, which is essential for use in traffic. They were very helpful for delivering payloads stealthily, and once persistence is achieved in the system, it’s not hard to analyze. There will be more, and I’m constantly searching for vulnerabilities to use in Fickle. MSC EvilTwin is an example, and now the buzz around .ppkg files has started, but there are already a few ready-made alternatives that can be adapted. It’s more interesting to read a report from a specialist describing not just a typical .exe dropper but something more interesting and new. It’s even fun sometimes.
The Infosec industry has reported these techniques, issuing a controversial CVE and a “fix.” What do you think of this?
Honestly, I didn’t even look at what they fixed. The first thing I did was install the latest updates on a test PC, run the payload, and I was a bit surprised that everything still works. The problem remains and hasn’t been correctly fixed. They should have completely disabled this snap-in and blocked foreign consoles entirely, but they pretended to react without actually changing anything. The firewall management console still breaks systems as it did before. Yes, I had to update some scripts to avoid detection, but nothing serious happened. Windows has many such logical flaws, and fixing one leads to several new issues. This small hack helps run payloads with maximum rights, bypassing User Account Control and the prompt when launching. It’s really convenient, but losing this tool wouldn’t be critical. Maybe I should tell them how to fix this hole; I don’t even know anymore.
How many people do you think have used Fickle? Approximately?
If you’re talking about attackers — not many. It’s a fairly private tool, and most people haven’t even seen its binary files. It’s an integral part of another product, EncryptRat, and they are tightly linked. If you mean in terms of computers, it has been on a huge number of machines, but I can’t even estimate an approximate number. In the wild, inactive samples are still found in regular applications.
Since when has the stealer been operating?
The stealer is about a year old, but it’s constantly being modified and updated, sometimes even during its operation.
In practice, Fickle Stealer is the sole and primary stealer used by the ZeroDay traffer team (formerly Marko Polo) for Windows operations. EncryptHub previously existed as a traffer team of its own but decided to merge with ZeroDay, so now there is only one team. What do you have to say about this?
No matter how good or bad the software is, someone has to work with it. Historically, we have known the participants of the *ZeroDay Traffer Team*, and they constantly tested new payload versions in real conditions. Eventually, we decided to develop it as the main one since it turned out to be more convenient, faster, and easier to integrate than StealC, which was the main tool at the time but was too *noisy* from the perspective of antivirus detection.
As the exclusive provider for a major traffer team, how do you see the future of NFT scam work?
Let’s say this: as long as there’s something to steal, they will try to do it. Researchers will interfere and create new protections, but they won’t do anything fundamentally new. Cookies are intercepted, wallets are grabbed from PCs and bruteforced, and theft operations will continue as they have always been. Maybe names will change, but the process is eternal. This is my personal opinion.
How do you see the market? Is this a good time to work?
Right now, it’s not the best time. People are scared, there are many “noisy” operations related to exchanges, like *Lazarus*, everyone is afraid to download or install anything, teams are falling apart, and social engineers need to put in extra effort to convince people to install software. But, those who are looking will always find delivery methods. The market needs updates, changes in working principles, something radical. All methods are heavily overused now. Even some vulnerable official domains don’t help in delivering payloads; there’s strong caution, even when delivering files from antivirus company websites.
Does Fickle Stealer work in the CIS countries?
No, and it never will. I didn’t set a strict block in the stealer itself, since users are clever and use CIS VPNs. But if the log belongs to someone from the CIS, it won’t be touched. I can vouch for this because I know who works in the team and their moral principles. Yes, I understand there might be controversy about the lack of blocking, but it’s not a public tool, and it’s used by a narrow circle of specialists.
What would you say to those “information security experts” trying to track Fickle Stealer?
What can I say? They cause a lot of damage, break servers, brute-force control panels, and have been seen in DDoS attacks on our servers. But I’m just waiting for them to realize that shutting down the server won’t change anything. We’ll just set up a new one, and they’ll have to find it again. If we’re not around, others will be. If it weren’t for our efforts, you guys wouldn’t have any work, so at least show some respect for that. On the other side, there are specialists just as good as you. Instead of sabotaging, learn how to fix problems. We give hints.
Extra
Dear reader,
Remember to check the other interviews at: g0njxa — Medium
Expect more content, if possible.
My best wishes to you ❤