DarkCloud Infostealer Being Distributed via Spam Emails – ASEC BLOG

DarkCloud is distributed through spam emails carrying a dropper that also deploys ClipBanker, giving the attacker both credential theft and clipboard-based wallet-address replacement. Both payloads persist via Run keys; DarkCloud harvests browser, email and FTP client credentials and exfiltrates them over SMTP or the Telegram Bot API.

Keypoints

  • DarkCloud is distributed via spam emails with a malicious attachment (a dropper) that installs both DarkCloud and a second malware, ClipBanker.
  • The dropper copies the payloads to the AppData directory and registers them in the Run key so they survive reboots.
  • ClipBanker monitors clipboard activity and replaces any cryptocurrency wallet address it finds with the attacker's address of the same type.
  • ClipBanker's configuration includes the attacker's target wallet addresses and its Run-key persistence settings.
  • DarkCloud (VB6-based) collects credentials from browsers, email clients, and FTP clients, exfiltrating via SMTP or the Telegram Bot API.
  • The IOCs listed below include MD5 hashes, a domain, email addresses, a Telegram C2 URL and the attacker's wallet addresses.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The threat actor sends a spam email whose attachment carries the dropper. “The threat actor sent the following email to induce users to download and execute the attachment.”
  • [T1036] Masquerading – The attachment is disguised with a PDF icon to appear legitimate. “When the attachment is uncompressed, normal users are likely to execute the contained malware as it is disguised with a PDF icon.”
  • [T1547.001] Registry Run Keys/Startup Folder – The dropper registers itself to the Run key to persist after reboots. “…registering itself to the Run key so that it can operate even after reboots.”
  • [T1115] Clipboard Data – ClipBanker monitors the clipboard and replaces any wallet address matching its regular expressions with the attacker's wallet address. “When an entry that matches the following regular expressions is saved, it is changed to the wallet address defined by the threat actor.”
  • [T1555.003] Credentials from Web Browsers – Account credentials are exfiltrated from Chromium and Firefox-based browsers. “Account credential information is exfiltrated from Chromium and Firefox-based web browsers…”
  • [T1071.003] Mail Protocols – Exfiltration via SMTP used to send stolen data. “The DarkCloud being analyzed here uses both the SMTP protocol … when exfiltrating the collected information.”
  • [T1071.001] Web Protocols – Exfiltration via Telegram API for data transfer. “The DarkCloud being analyzed here uses both the SMTP protocol and the Telegram API …”
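
The clipboard-replacement mechanism above, modelled in Python as an added example (this is not code from the ASEC post or from the malware). The blog does not reproduce ClipBanker's actual regular expressions, so the Bitcoin (legacy Base58 and bech32) and Ethereum patterns here are assumptions; the two replacement addresses are the ones from this page's IOC list. Alongside the malicious swap, a small defensive guard shows the check a wallet user or endpoint tool can make: remember the address that was copied and compare it with what is about to be pasted.

```python
import re

# Assumed address patterns (the page does not give ClipBanker's exact regexes):
# Bitcoin legacy P2PKH/P2SH (Base58, leading 1 or 3), Bitcoin bech32 (bc1...),
# Ethereum (0x + 40 hex digits). Matching is anchored: the whole clipboard entry
# must be an address, mirroring "an entry that matches ... is changed".
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Attacker replacement addresses taken from the IOC list on this page.
ATTACKER_ADDRESSES = {
    "btc": "bc1q462me7gxcwh0xgsja7x808a9zgr6vjmx7rt9km",
    "eth": "0x006Cb3C0469040e84f2D12a8aec59c34CE00aa31",
}


def classify(text):
    """Return 'btc', 'eth' or None for a clipboard entry."""
    t = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


def clipbanker_swap(clipboard_text, attacker=ATTACKER_ADDRESSES):
    """Model of the ClipBanker behaviour: a clipboard entry that is a wallet
    address is replaced by the attacker's address of the same kind; anything
    else is passed through untouched so the user notices nothing."""
    kind = classify(clipboard_text)
    return attacker[kind] if kind else clipboard_text


class ClipboardGuard:
    """Defensive counterpart: track the address the user copied and flag a
    paste whose address differs (the signature of a clipper in the middle)."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        if classify(text):
            self.last_copied = text.strip()

    def check_paste(self, text):
        """Return a finding dict when the pasted address is not the one copied."""
        kind = classify(text)
        if kind is None or self.last_copied is None:
            return None
        pasted = text.strip()
        if pasted == self.last_copied:
            return None
        return {
            "kind": kind,
            "expected": self.last_copied,
            "got": pasted,
            # True when the substituted address is one already published as an IOC
            "known_attacker": pasted in ATTACKER_ADDRESSES.values(),
        }


# Constructed sample input (not real wallets; the bech32 string has no valid checksum).
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
USER_BTC = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "qpzry9"


def demo():
    """Copy a user address, let the clipper rewrite it, and let the guard catch it."""
    guard = ClipboardGuard()
    guard.on_copy(USER_BTC)
    on_clipboard = clipbanker_swap(USER_BTC)   # what the victim will actually paste
    return guard.check_paste(on_clipboard)


if __name__ == "__main__":
    print(demo())
```

The guard deliberately compares only the address text; it does not try to validate checksums, because a clipper substitutes a perfectly valid address and only a copy-versus-paste mismatch reveals it.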

Indicators of Compromise

  • [Domain] logxtai.shop – Host used by the DarkCloud campaign. “Host: logxtai[.]shop”
  • [Email] sender-a3@logxtai[.]shop; ambulancelog@logxtai[.]shop – Addresses in the SMTP exfiltration configuration (sender and recipient accounts)
  • [MD5] 991a8bd00693269536d91b4797b7b42b (Dropper); 7c4f98ca98139d4519dc1975069b1e9f (DarkCloud); 9441cdbed94f0fd5b20999d8e2424ce4 (ClipBanker)
  • [File] Booking_3798637712pdf.exe (Dropper); Lilgghom.exe (ClipBanker); Ckpomlg.exe (DarkCloud)
  • [URL] hxxps://api.telegram[.]org/bot5520455072:AAHt-MFGFCUL3S_w3BTtc7meWUZSJFJduq0/sendMessage – Telegram Bot API C2 channel for exfiltration (the bot token is embedded in the URL path)
  • [Wallet] Bitcoin: bc1q462me7gxcwh0xgsja7x808a9zgr6vjmx7rt9km; Ethereum: 0x006Cb3C0469040e84f2D12a8aec59c34CE00aa31 – targets for clipboard replacement
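
A triage script that applies the indicators above to host and network artifacts, added here as an example (not a tool from the ASEC post). It reads Run-key entries and, optionally, pre-computed MD5s, flags the IOC filenames and hashes, and treats a plain "executable launched from AppData" as low-confidence because legitimate software does the same. On the network side it extracts the bot token from any Telegram Bot API URL and compares the bot ID with the one in the IOC list. The Run-key entries, hash map and log records are constructed inline; their `proc=/dst=/url=` record layout is an assumption, not a real product's format.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the IOC list on this page.
IOC_MD5 = {
    "991a8bd00693269536d91b4797b7b42b": "DarkCloud dropper",
    "7c4f98ca98139d4519dc1975069b1e9f": "DarkCloud",
    "9441cdbed94f0fd5b20999d8e2424ce4": "ClipBanker",
}
IOC_FILENAMES = {
    "booking_3798637712pdf.exe": "DarkCloud dropper",
    "lilgghom.exe": "ClipBanker",
    "ckpomlg.exe": "DarkCloud",
}
IOC_DOMAINS = {"logxtai.shop"}
IOC_TELEGRAM_BOT_ID = "5520455072"  # numeric prefix of the token in the C2 URL

# Telegram Bot API URLs embed the credential: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_\-]+)/(\w+)")


def _exe_from_run_value(value):
    """Run-key data may be quoted and carry arguments; return just the image path."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.find('"', 1)]
    return v.split(" ")[0]


def check_run_entries(entries, md5_by_path=None):
    """entries: (value_name, value_data) pairs from HKCU\\...\\CurrentVersion\\Run.
    md5_by_path: optional {image_path: md5} produced by a collection tool."""
    md5_by_path = md5_by_path or {}
    findings = []
    for name, data in entries:
        exe = _exe_from_run_value(data)
        path = PureWindowsPath(exe)
        fname = path.name.lower()
        in_appdata = any(part.lower() == "appdata" for part in path.parts)
        reasons = []
        if fname in IOC_FILENAMES:
            reasons.append(f"filename IOC ({IOC_FILENAMES[fname]})")
        digest = md5_by_path.get(exe, "").lower()
        if digest in IOC_MD5:
            reasons.append(f"MD5 IOC ({IOC_MD5[digest]})")
        severity = "high" if reasons else None
        if not reasons and in_appdata and fname.endswith(".exe"):
            reasons.append("executable started from AppData (review)")
            severity = "low"
        if reasons:
            findings.append({"run_value": name, "exe": exe,
                             "severity": severity, "reasons": reasons})
    return findings


def scan_network_log(lines):
    """lines: 'proc=<image> dst=<host>:<port> url=<url>' records (constructed format)."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        host, _, port = fields.get("dst", "").partition(":")
        if host in IOC_DOMAINS:
            findings.append({"proc": fields.get("proc"),
                             "reason": f"traffic to IOC domain {host} on port {port}"})
        m = TELEGRAM_BOT_RE.search(fields.get("url", ""))
        if m:
            bot_id, _secret, method = m.groups()   # never log the secret part
            findings.append({"proc": fields.get("proc"),
                             "reason": f"Telegram Bot API {method} by bot {bot_id}",
                             "known_c2": bot_id == IOC_TELEGRAM_BOT_ID})
    return findings


# Constructed sample artifacts modelled on the persistence and exfiltration described above.
SAMPLE_RUN = [
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Lilgghom", r"C:\Users\victim\AppData\Roaming\Lilgghom.exe"),
    ("Ckpomlg", r"C:\Users\victim\AppData\Roaming\Ckpomlg.exe"),
]
SAMPLE_HASHES = {r"C:\Users\victim\AppData\Roaming\Ckpomlg.exe": "7C4F98CA98139D4519DC1975069B1E9F"}
SAMPLE_NET = [
    "proc=chrome.exe dst=www.example.com:443 url=https://www.example.com/",
    "proc=Ckpomlg.exe dst=logxtai.shop:587 url=",
    "proc=Ckpomlg.exe dst=api.telegram.org:443 "
    "url=https://api.telegram.org/bot5520455072:AAHt-MFGFCUL3S_w3BTtc7meWUZSJFJduq0/sendMessage",
]

if __name__ == "__main__":
    for f in check_run_entries(SAMPLE_RUN, SAMPLE_HASHES) + scan_network_log(SAMPLE_NET):
        print(f)
```

Hash matching is only as good as the collected MD5s, so the filename and AppData checks stay in place for repacked samples; the Telegram rule fires on any bot token, not just the listed one, since a re-registered bot is the cheapest change an operator can make.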

Read more: https://asec.ahnlab.com/en/53128/