Fake Microsoft Store and Spotify sites are spreading the Ficker malware
Threat actors are promoting sites on the web that impersonate the Microsoft Store, the Spotify music service, and an online document converter. The fake sites distribute malware that steals credit card information and passwords saved in web browsers.
According to experts from ESET, one of the advertisements prompted users to install an online chess application. When users click on the ad, they are redirected to a fake Microsoft Store page for the xChess 3 app, which is automatically downloaded from an Amazon AWS server.
The downloaded zip file is named xChess_v.709.zip and is actually the Ficker (or FickerStealer) information-stealing malware in disguise.
Other advertisements from this malware campaign pretend to be for the Spotify music service and an online document converter. When those pages are visited, a zip file containing the Ficker malware is also automatically downloaded.
Once a user unzips the file and launches the executable, instead of installing a new chess app or Spotify software, the Ficker malware runs and begins stealing data stored on the computer.
Ficker is an information-stealing trojan released in January this year. Ficker operators can steal credentials saved in web browsers, desktop messaging clients (Pidgin, Steam, Discord) and FTP clients. According to the developer, in addition to stealing passwords, the malware can steal addresses of more than fifteen cryptocurrency wallets, steal documents and take screenshots of active applications running on victims' computers.
The collected information is then compiled into a zip file and transmitted back to the threat actors, who can extract the data and use it for their own purposes.
Source: securitylab.ru
22 April 2021