DarkCloud Stealer is a multi-stage information stealer that exfiltrates harvested data over SMTP, Telegram, a web panel, or FTP. It is distributed through spam campaigns, and its customizable builder lets operators add grabber and clipper features. Researchers observed a rise in DarkCloud activity in 2023, including globally distributed campaigns and a loader/payload chain that stages the final stealer in memory before exfiltration. #DarkCloudStealer #DarkCloud
Keypoints
- DarkCloud is an information stealer designed to harvest passwords, credit cards, social security numbers, and other sensitive data from compromised devices.
- Prevalence increased in 2023 with threat actors using spam/phishing campaigns to disseminate the malware worldwide.
- The infection unfolds in multiple stages, ending with a final payload (a Visual Basic executable) loaded into memory; stolen data is then exfiltrated via SMTP, Telegram, a web panel, or FTP.
- A customizable "DarkCloud stealer builder" lets operators tailor payloads with grabber and clipper features for targeted applications.
- Initial infection relies on phishing emails (order invoices) that trick users into clicking malicious links or opening attachments.
- Credential access targets browser data (Gecko-based browsers such as Firefox, and Chromium-based browsers), WinSCP and FTP clients; stored username and password values are decrypted with Triple DES and the results are aggregated.
- Exfiltrated data is stored (e.g., credentials.txt) and sent to a C2 server; the malware can collect system info, cookies, messages, contacts, and more.
MITRE Techniques
- [T1566.001] Phishing: The malware is spread via phishing emails designed to trick recipients into loading DarkCloud Stealer. "[This email is an order invoice phishing email designed to trick the recipient into clicking on a malicious link or opening an attachment containing DarkCloud Stealer.]"
- [T1204] User Execution: Initial infection relies on user action, clicking a malicious link or opening an attachment in the phishing email. "[an order invoice phishing email designed to trick the recipient into clicking on a malicious link or opening an attachment containing DarkCloud Stealer.]"
- [T1053] Scheduled Task/Job: Persistence by creating a Task Scheduler entry with schtasks.exe. "[creates a task scheduler entry using schtasks.exe for persistence.]"
- [T1140] Deobfuscate/Decode Files or Information: Decrypting stored credentials and unpacking the staged payloads; the PK archive (CUSTOM102.bin) carries embedded data used to assemble the final binaries. "[the encoded username and password values are decrypted using the Triple DES algorithm.]"
- [T1555] Credentials from Password Stores: The malware retrieves saved usernames and passwords from browsers and email clients. "[The ExecGGFHGFDute() method retrieves the saved usernames and passwords from various applications on the victim's computer, including web browsers and email clients (such as Thunderbird).]"
- [T1539] Steal Web Session Cookie: Cookies are collected alongside messages and contacts as part of credential access. "[retrieve cookies, messages, and contacts (163 MailMaster) from the targeted system.]"
- [T1552] Unsecured Credentials: Collection of credentials that applications store locally, including Triple DES-encrypted values the malware decrypts on the host. "[encoded username and password values are decrypted using the Triple DES algorithm.]"
- [T1528] Steal Application Access Token: The toolkit can exfiltrate tokens or access credentials used by applications. "[Steal Application Access Token …]"
- [T1087] Account Discovery: The malware enumerates profile directories (e.g., Mozilla paths) to locate per-user credential files. "[This method iterates over each profile directory found in the Program.MozillaPaths dictionary…]"
- [T1518] Software Discovery: The stealer targets multiple applications (e.g., Gecko-based browsers), implying discovery of installed software before credential theft. "[The stealer can target the applications shown below.]"
- [T1071] Application Layer Protocol: Exfiltration of stolen data via common network protocols (SMTP, Telegram, Web Panel, FTP). "[The final step involves the DarkCloud Stealer transmitting the exfiltrated details to the C&C server.]"
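The two behaviours in the list above that are easiest to catch from endpoint telemetry are the schtasks.exe persistence (T1053) and the exfiltration channels (T1071). The Python below is an added example, not code from the original post or from Cyble's analysis: it runs both checks over constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection) serialised as JSON lines. The field names, the user-writable-path pattern, the process allowlist, the port/host sets and the sample events are all assumptions chosen for illustration.

```python
"""Detection logic for two DarkCloud behaviours: schtasks.exe persistence
(T1053) and exfiltration over SMTP/FTP/Telegram (T1071). Input events are
constructed Sysmon-style records (EventID 1 = process creation,
EventID 3 = network connection) as JSON lines. Stdlib only."""
import json
import re

# Directories where a dropped stealer typically lives. A scheduled task
# pointing here, or a process here opening an exfil channel, is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Processes legitimately expected to speak SMTP/FTP or reach Telegram.
# Assumed allowlist; tune it to the estate being monitored.
NET_ALLOWLIST = {"outlook.exe", "thunderbird.exe", "chrome.exe", "firefox.exe",
                 "msedge.exe", "filezilla.exe", "winscp.exe", "telegram.exe"}
EXFIL_PORTS = {25, 465, 587, 21}       # SMTP, SMTPS, submission, FTP control
EXFIL_HOSTS = {"api.telegram.org"}     # Telegram Bot API endpoint


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_schtasks(ev):
    """T1053: 'schtasks /create' where either the parent process or a path
    in the command line sits in a user-writable directory."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not re.search(r"/create\b", cmd, re.I):
        return None
    parent = ev.get("ParentImage", "")
    if USER_WRITABLE.search(parent) or USER_WRITABLE.search(cmd):
        return ("T1053 scheduled task from user-writable path", parent, cmd)
    return None


def check_exfil(ev):
    """T1071: SMTP/FTP/Telegram connection from a process that is not a
    known mail, FTP or browser client."""
    if ev.get("EventID") != 3:
        return None
    image = ev.get("Image", "")
    if basename(image) in NET_ALLOWLIST:
        return None
    host = ev.get("DestinationHostname", "").lower()
    port = int(ev.get("DestinationPort", 0))
    if host in EXFIL_HOSTS or port in EXFIL_PORTS:
        return ("T1071 exfil channel from unexpected process", image, f"{host}:{port}")
    return None


def detect(lines):
    """Return one (rule, image, detail) tuple per event that matches a check."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for check in (check_schtasks, check_exfil):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry (not real logs). Events 1, 3 and 5 should fire;
# 2 (task in Program Files), 4 (mail client) and 6 (browser) should not.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "C:\Users\bob\AppData\Roaming\svc\Credentials.exe" /f',
     "ParentImage": r"C:\Users\bob\AppData\Roaming\svc\loader.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Roaming\svc\Credentials.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "DestinationHostname": "smtp.example.com", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "ftp.example.net", "DestinationPort": 21},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print(*hit, sep=" | ")
```

The allowlist is what keeps the T1071 check usable: a browser reaching api.telegram.org or a mail client on port 587 is ordinary, and the signal is the combination of channel and an unexpected, usually user-writable, image path. Both checks are stateless per event, so they drop straight into any pipeline that already parses Sysmon into JSON.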
Indicators of Compromise
- [SHA256] Spam email: 5d060254a6d7eb2cdb2031e29891cb95206757a28fe0d51569eb9f7f55637ac6
- [SHA256] Spam email: 79b13d9a52d466a606c37b8f12b2ef7af4e9b53a911b70427c07cb73adb504a1
- [SHA256] Malicious ZIP archive: 2e60ed90aa6cefa60cc4cd968213549ddf578dcf6968d8c66366d09c7108ef56
- [SHA256] DarkCloud Stealer Loader: 9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb
- [SHA256] VB exe: 413c9fcea027f89b9d8905ca6ae96cc099b8886fb3916876a4029e92d56fcb9b
- [SHA256] CUSTOM102.bin (PK file): e342802bd53191559af2a23b2d11412a8fe60dc3a50e5efa1fade7067c305f55
- [SHA256] ConsoleApp1.exe: 51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb
- [SHA256] DarkCloud Stealer (Credentials.exe): 33fa272ffd2eac92f2a344718fa9bf678703f8194fcfcbc499ab9fefcdab4cca
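Sweeping an estate for these hashes has to look inside the delivery archive as well as at loose files, since the loader arrives within a ZIP. The Python below is an added example, not tooling from the original post: it walks a directory, hashes every file and every member of every ZIP archive it finds (read in memory, never extracted), and reports matches against the IOC table above. The demo() function builds a constructed sample tree with a fake payload so the sweep runs offline; the sample contents and the 64 MiB member cap are assumptions.

```python
"""Sweep a directory tree for the SHA256 IOCs listed above. Members of ZIP
archives are hashed too, because the loader is delivered inside a ZIP.
Stdlib only."""
import hashlib
import os
import tempfile
import zipfile

# SHA256 values from the IOC list on this page, keyed by hash.
DARKCLOUD_IOCS = {
    "5d060254a6d7eb2cdb2031e29891cb95206757a28fe0d51569eb9f7f55637ac6": "Spam email",
    "79b13d9a52d466a606c37b8f12b2ef7af4e9b53a911b70427c07cb73adb504a1": "Spam email",
    "2e60ed90aa6cefa60cc4cd968213549ddf578dcf6968d8c66366d09c7108ef56": "Malicious ZIP archive",
    "9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb": "DarkCloud Stealer Loader",
    "413c9fcea027f89b9d8905ca6ae96cc099b8886fb3916876a4029e92d56fcb9b": "VB exe",
    "e342802bd53191559af2a23b2d11412a8fe60dc3a50e5efa1fade7067c305f55": "CUSTOM102.bin (PK file)",
    "51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb": "ConsoleApp1.exe",
    "33fa272ffd2eac92f2a344718fa9bf678703f8194fcfcbc499ab9fefcdab4cca": "DarkCloud Stealer (Credentials.exe)",
}
# Assumed cap: skip oversized members so a decompression bomb cannot exhaust memory.
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iter_artifacts(root):
    """Yield (label, sha256) for every file under root and for every member
    of every ZIP archive under root. Member labels are 'archive!member'."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, sha256_file(path)
            if not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    with zf.open(info) as member:
                        digest = hashlib.sha256(member.read()).hexdigest()
                    yield f"{path}!{info.filename}", digest


def sweep(root, iocs=DARKCLOUD_IOCS):
    """Return (label, sha256, ioc_description) for each artifact whose hash is an IOC."""
    return [(label, h, iocs[h]) for label, h in iter_artifacts(root) if h in iocs]


def demo():
    """Build a constructed sample tree (a benign file plus a ZIP carrying a
    fake payload) and sweep it twice: against the page's IOC list, which must
    not match, and against the hash of the constructed member, which must."""
    payload = b"constructed sample payload, not malware\n"
    payload_hash = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign file\n")
        with zipfile.ZipFile(os.path.join(root, "invoice.zip"), "w") as zf:
            zf.writestr("payload.exe", payload)
        real_hits = sweep(root)
        constructed_hits = sweep(root, {payload_hash: "constructed sample"})
    return real_hits, constructed_hits


if __name__ == "__main__":
    real, constructed = demo()
    print("matches against page IOCs:", real)
    print("matches against constructed hash:", constructed)
```

Hash matching is brittle against recompiled builds, so treat a hit as confirmation rather than the only hunt; the behavioural checks (scheduled task from a user-writable path, exfil channel from an unexpected process) catch variants whose hashes are not on this list.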
Read more: https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/