A new DarkCloud campaign targeting Microsoft Windows users was uncovered, beginning with a phishing email carrying a malicious RAR attachment that starts a multi-stage attack to steal sensitive information. The malware uses fileless payload deployment, process hollowing, and anti-analysis mechanisms to collect credentials, payment data, and email contacts, and exfiltrates them via SMTP. #DarkCloud #ProcessHollowing #FortinetFortiGuard
Keypoints
- DarkCloud is a stealthy Windows-based information stealer spreading via phishing emails with a malicious RAR archive containing a JavaScript file.
- The attack chain involves obfuscated JavaScript that decodes and executes Base64-encoded PowerShell code to load an encrypted, fileless .NET DLL disguised as a Task Scheduler module.
- The .NET DLL establishes persistence by copying the JavaScript file and adding a registry autorun entry, then downloads and deploys the DarkCloud payload via process hollowing into MSBuild.exe.
- The DarkCloud payload is written in Visual Basic 6, implements more than 600 encrypted strings for anti-analysis, and uses keyboard and mouse activity detection to evade sandbox environments.
- It harvests sensitive data including saved browser credentials, payment information, FTP and email client credentials, and email contacts from various popular software.
- Collected data is saved into local text files and exfiltrated using SMTP with encrypted email attachments containing victim system information in the subject line.
- Fortinet’s security services such as AntiSPAM, Web Filtering, IPS, and AntiVirus currently protect customers against this campaign through detection of malicious URLs, email, and files.
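Added example, written for this summary rather than taken from the Fortinet report: a small set of triage rules a detection engineer could run over Sysmon-style host telemetry to spot the chain described in the keypoints (a script host launching encoded PowerShell, a Run-key entry pointing at a script under C:\Users\Public\Downloads, PowerShell spawning MSBuild.exe with no project file, and MSBuild.exe opening an SMTP connection). The event records are constructed; PIDs, command lines, the destination IP and every path except the two file names named in this summary are assumptions.

```python
"""Added example (not code from the Fortinet report): triage rules for the
DarkCloud delivery chain over host telemetry. The events are constructed in the
shape of Sysmon ProcessCreate / RegistryEvent / NetworkConnect records, with
assumed PIDs, paths and command lines; only the two file names come from the report."""
import ntpath
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
PROJECT_EXT = (".proj", ".csproj", ".vbproj", ".sln", ".targets")
SMTP_PORTS = {25, 465, 587}

# Constructed sample: the chain from the report followed by two benign events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 2000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Quote #$_260627.js"'},
    {"type": "process", "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "registry", "pid": 4212,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\edriophthalma",
     "value": r'wscript.exe "C:\Users\Public\Downloads\edriophthalma.js"'},
    {"type": "process", "pid": 4320, "ppid": 4212,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "network", "pid": 4320, "dst_ip": "203.0.113.10", "dst_port": 587},
    # benign: a build started from the IDE, and an admin script started from Explorer
    {"type": "process", "pid": 5000, "ppid": 700, "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"type": "process", "pid": 5100, "ppid": 1500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def has_encoded_command(cmdline: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    return any(t.startswith("-") and len(t) > 1 and "encodedcommand".startswith(t[1:].lower())
               for t in cmdline.split())


def has_project_argument(cmdline: str) -> bool:
    """MSBuild launched only as a hollowing host normally carries no project file."""
    return any(a.strip('"').lower().endswith(PROJECT_EXT) for a in cmdline.split()[1:])


def triage(events: List[Dict]) -> List[Dict]:
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: List[Dict] = []

    def parent_image(e: Dict) -> str:
        p = procs.get(e.get("ppid"))
        return basename(p["image"]) if p else ""

    for e in events:
        if e["type"] == "process":
            img, pimg = basename(e["image"]), parent_image(e)
            if img in POWERSHELL and pimg in SCRIPT_HOSTS and has_encoded_command(e["cmdline"]):
                alerts.append({"rule": "script_host_spawned_encoded_powershell", "pid": e["pid"],
                               "detail": f"{pimg} -> {img} with -EncodedCommand"})
            if img == "msbuild.exe" and pimg in POWERSHELL | SCRIPT_HOSTS:
                note = "with project file" if has_project_argument(e["cmdline"]) else "no project file"
                alerts.append({"rule": "msbuild_spawned_by_script_interpreter", "pid": e["pid"],
                               "detail": f"{pimg} -> msbuild.exe ({note}); hollowing target candidate"})
        elif e["type"] == "registry":
            value = e["value"].strip().strip('"').lower()
            if "\\currentversion\\run" in e["key"].lower() and value.endswith(SCRIPT_EXT):
                alerts.append({"rule": "run_key_points_to_script", "pid": e["pid"],
                               "detail": f"{e['key']} = {e['value']}"})
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) == "msbuild.exe" and e["dst_port"] in SMTP_PORTS:
                alerts.append({"rule": "msbuild_outbound_smtp", "pid": e["pid"],
                               "detail": f"MSBuild.exe -> {e['dst_ip']}:{e['dst_port']}"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["rule"], a["pid"], a["detail"])
```

The two benign records at the end (an IDE-started build with a .csproj argument, and an Explorer-started script using -ExecutionPolicy rather than -EncodedCommand) produce no alerts; the four records of the chain produce one alert each. The parent-process lookup only works when the parent's own ProcessCreate event is in the same batch, which is the normal case for an EDR stream but not for a single exported event.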
MITRE Techniques
- [T1204] User Execution – Victims are tricked into opening a malicious RAR attachment and executing the embedded JavaScript file (‘phishing email containing an attached RAR archive’).
- [T1059] Command and Scripting Interpreter – Execution of obfuscated JavaScript and decoded PowerShell scripts to deploy the payload (‘it dynamically decodes a piece of PowerShell code from the obfuscated code’).
- [T1547] Boot or Logon Autostart Execution – Persistence is established by copying the JavaScript file and adding a Run-key entry under HKCU that points to it (‘add an auto-run entry to the system registry under HKCU…’).
- [T1106] Native API – Use of Windows APIs for process hollowing in MSBuild.exe (‘CreateProcess(), ReadProcessMemory(), VirtualAllocEx(), NtUnmapViewOfSection(), WriteProcessMemory(), GetThreadContext(), SetThreadContext(), and ResumeThread()’).
- [T1055] Process Injection – Injection of DarkCloud payload into MSBuild.exe via process hollowing (‘process hollowing on the newly created MSBuild.exe process’).
- [T1036] Masquerading – .NET DLL is disguised as Microsoft.Win32.TaskScheduler to evade detection (‘disguised as a TaskScheduler-related module’).
- [T1083] File and Directory Discovery – Traverses browser profiles and application folders to collect stored credentials and data (‘DarkCloud traverses the profile paths of the browsers…’).
- [T1555] Credentials from Password Stores – Reads saved logins and payment cards from the browsers’ SQLite databases (‘executes two SQL queries… to retrieve the data for the logins and credit_cards tables’).
- [T1114] Email Collection – Harvests email contacts from multiple installed email clients (‘retrieves the victim’s email contacts from multiple email clients’).
- [T1041] Exfiltration Over C2 Channel – Data exfiltrated over SMTP protocol with credentials and system info in email (‘submitted to the attacker via the SMTP protocol’).
- [T1497] Virtualization/Sandbox Evasion – Monitors mouse and keyboard input to detect automated analysis environments (‘DarkCloud repeatedly calls the GetAsyncKeyState() API and checks its result’).
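Added example, not code from the report: the process-hollowing API sequence quoted under T1106/T1055, expressed as a detection over an API-call trace of the kind a sandbox or API monitor emits. The trace below is constructed; handle values, PIDs and addresses are assumptions. The rule requires CreateProcess with CREATE_SUSPENDED followed, against the same child process, by NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread, and tolerates the ReadProcessMemory and GetThreadContext calls the loader also makes.

```python
"""Added example (not code from the Fortinet report): recognising the
process-hollowing call sequence listed in the report inside an API-call trace.
The trace is constructed to resemble sandbox/API-monitor output; handle values,
PIDs and addresses are assumed."""
from typing import Dict, List

CREATE_SUSPENDED = 0x00000004
# Required calls, in order, against the same suspended child. ReadProcessMemory and
# GetThreadContext also appear in the loader but are not needed for the verdict.
REQUIRED = ["NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
            "SetThreadContext", "ResumeThread"]

SAMPLE_TRACE = [
    {"api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "dwCreationFlags": 0x4},
     "ret": {"dwProcessId": 4320, "dwThreadId": 4324, "hProcess": 0x2a4, "hThread": 0x2a8}},
    {"api": "GetThreadContext", "args": {"hThread": 0x2a8}},
    {"api": "ReadProcessMemory", "args": {"hProcess": 0x2a4, "lpBaseAddress": 0x7ffd5008}},  # PEB->ImageBaseAddress
    {"api": "NtUnmapViewOfSection", "args": {"ProcessHandle": 0x2a4, "BaseAddress": 0x400000}},
    {"api": "VirtualAllocEx", "args": {"hProcess": 0x2a4, "lpAddress": 0x400000, "dwSize": 0x3a000,
                                       "flProtect": 0x40}},  # PAGE_EXECUTE_READWRITE
    {"api": "WriteProcessMemory", "args": {"hProcess": 0x2a4, "lpBaseAddress": 0x400000}},  # PE headers
    {"api": "WriteProcessMemory", "args": {"hProcess": 0x2a4, "lpBaseAddress": 0x401000}},  # sections
    {"api": "SetThreadContext", "args": {"hThread": 0x2a8}},  # entry point register -> new image
    {"api": "ResumeThread", "args": {"hThread": 0x2a8}},
    # benign: a debugger-style suspended start that is resumed without any rewriting
    {"api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Windows\System32\notepad.exe", "dwCreationFlags": 0x4},
     "ret": {"dwProcessId": 5100, "dwThreadId": 5104, "hProcess": 0x300, "hThread": 0x304}},
    {"api": "ResumeThread", "args": {"hThread": 0x304}},
]


def find_hollowing(trace: List[Dict]) -> List[Dict]:
    handles: Dict[int, int] = {}   # process or thread handle -> child pid
    images: Dict[int, str] = {}    # child pid -> image path
    progress: Dict[int, int] = {}  # child pid -> number of REQUIRED steps seen so far
    verdicts: List[Dict] = []
    for call in trace:
        api, args, ret = call["api"], call.get("args", {}), call.get("ret", {})
        if api.startswith("CreateProcess"):
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                pid = ret["dwProcessId"]
                handles[ret["hProcess"]] = handles[ret["hThread"]] = pid
                images[pid] = args.get("lpApplicationName") or args.get("lpCommandLine", "")
                progress[pid] = 0
            continue
        handle = args.get("hProcess", args.get("ProcessHandle", args.get("hThread")))
        pid = handles.get(handle)
        if pid is None or progress[pid] >= len(REQUIRED):
            continue
        if api == REQUIRED[progress[pid]]:
            progress[pid] += 1
        # other calls on the child (reads, repeated writes, context queries) are tolerated, not reset
        if progress[pid] == len(REQUIRED):
            verdicts.append({"pid": pid, "image": images[pid],
                             "sequence": ["CreateProcess+CREATE_SUSPENDED"] + REQUIRED})
    return verdicts


if __name__ == "__main__":
    for v in find_hollowing(SAMPLE_TRACE):
        print(f"process hollowing into pid {v['pid']} ({v['image']}): {' -> '.join(v['sequence'])}")
```

A suspended start that is simply resumed (the benign tail of the trace) produces no verdict, and so does a trace with the NtUnmapViewOfSection step missing; only the full rewrite-then-resume sequence against one child does. Loaders that skip the unmap and allocate the new image at a different base would need the first required step relaxed.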
Indicators of Compromise
- [URL] Malicious payload hosting and download URLs – hxxps://archive[.]org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg, hxxp://paste[.]ee/d/0WhDakVP/0
- [File Hash] Malicious JavaScript file – Quote #$_260627.js: 381AA445E173341F39E464E4F79B89C9ED058631BCBBB2792D9ECBDF9FFE027D
- [File Hash] DarkCloud payload executable – 82BA4340BE2E07BB74347ADE0B7B43F12CF8503A8FA535F154D2E228EFBEF69C
- [File Name] JavaScript file related to persistence – edriophthalma.js copied to C:\Users\Public\Downloads