Crypto Stealer

Fletchen

Fletchen is an advanced information-stealing malware written in Rust, known for its anti-analysis capabilities. It targets sensitive data such as passwords, financial information and cryptocurrency wallets on compromised systems. Fletchen persists through autorun registry entries and scheduled tasks so that it keeps running on infected machines.

Key Insights

Fletchen is a new threat on the scene because of its ability to evade detection and analysis. It is written in Rust, a language that is becoming popular among malware authors, which makes it stealthy and adaptable. It is distributed through underground forums, an Onion website, and Telegram channels, often as stealer-as-a-service. This means cybercriminals can use Fletchen without developing their own tools.

Anti-Analysis

Fletchen has anti-analysis measures to evade detection and hinder analysis. These include anti-debugging, code obfuscation, and environment checks that detect virtual machines or sandboxed environments. This makes it hard for security researchers to reverse engineer the malware, prolonging its life in the wild.

Data Exfiltration

Once inside the system, Fletchen harvests sensitive data. It targets data stored in web browsers, cryptocurrency wallets, and other applications where users keep credentials or financial information. The stolen data is exfiltrated to command-and-control servers controlled by the attackers, enabling unauthorized access and financial theft.

Known Variants

Fletchen malware adapts to campaign needs and is often used for reconnaissance and lateral movement. All of its variants share one trait: they use the same DLL, named escapi.dll.
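As an added defender-side example (not from this profile or its authors), the script below sweeps the two persistence locations the profile names for Fletchen, autorun Run keys and scheduled tasks, and checks running processes for the shared escapi.dll indicator. The "executable outside Program Files/Windows" heuristic is a hypothetical tuning knob, not something the profile states.

```powershell
# Hypothetical hunt script: flags persistence entries that reference the
# escapi.dll indicator named in the Fletchen profile. Run as Administrator
# to see HKLM keys, all users' tasks and protected processes.
$Indicator = 'escapi.dll'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Findings = New-Object System.Collections.Generic.List[object]

function Get-Reason([string]$cmd) {
    # Returns why a command line deserves a look, or $null if it does not.
    if ($cmd -match [regex]::Escape($Indicator)) { return "references $Indicator" }
    # Assumed heuristic: autostart binaries living outside the usual install roots.
    if ($cmd -match '^"?[A-Za-z]:\\' -and
        $cmd -notmatch '^"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
        return 'executable outside Program Files/Windows'
    }
    return $null
}

# 1. Autorun registry values in the machine and current-user Run/RunOnce keys.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        $why = Get-Reason ([string]$p.Value)
        if ($why) { $Findings.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Detail = $p.Value; Reason = $why }) }
    }
}

# 2. Scheduled task actions (COM-handler actions carry no Execute and are skipped).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        $why = Get-Reason $cmd
        if ($why) { $Findings.Add([pscustomobject]@{ Source = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd; Reason = $why }) }
    }
}

# 3. Processes that currently have the indicator DLL mapped.
foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }   # protected processes deny access
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $Indicator) {
            $Findings.Add([pscustomobject]@{ Source = 'Process'; Name = "$($proc.ProcessName) (PID $($proc.Id))"; Detail = $m.FileName; Reason = "loaded $Indicator" })
        }
    }
}

$Findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

A DLL name on its own is a weak indicator, so treat each hit as a triage lead and confirm it against the file's hash, signer and parent process before acting on it.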

Mitigation Strategies

  • Use endpoint protection solutions that can detect and block information-stealing malware.

  • Update and patch systems to fix vulnerabilities that can be exploited by Fletchen.

  • Tell users not to download software from unknown sources.

  • Watch for suspicious network traffic.

Targeted Industries or Sectors

Fletchen’s targeting appears opportunistic, focusing on industries where financial transactions happen. Finance, e-commerce and cryptocurrency platforms are most at risk since they handle valuable data. Because the malware is sold through underground forums, it may end up targeting a wide range of industries.

Associated Threat Actors

Although we don’t know who the individuals or groups behind Fletchen are, the fact that it is offered as stealer-as-a-service means multiple cybercriminals can use it in their operations. This lowers the barrier to entry for cybercrime, allowing more threat actors to engage in data theft and related malicious activities.