DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers discovered a new variant of DarkCloud Stealer malware in early 2025, leveraging AutoIt compiled executables and multi-stage attack chains delivered via phishing emails and file-sharing services. This evolving campaign employs obfuscation and anti-analysis techniques to steal sensitive data including browser credentials, email passwords, and FTP logins, significantly impacting affected organizations and systems. #DarkCloudStealer #PaloAltoNetworks

Key points

  • DarkCloud Stealer has been active since 2022, with new variants observed in January and February 2025 using AutoIt compiled executables to evade detection.
  • The malware is primarily distributed through phishing emails containing RAR archives or phishing PDFs that prompt downloads from file-sharing services, such as hxxps://files.catbox.moe/olyfi3.001.
  • The attack chain involves a multi-stage process where the AutoIt dropper decrypts and executes shellcode that builds and runs the final DarkCloud Stealer payload in memory.
  • DarkCloud Stealer targets sensitive data such as browser-stored passwords, email client credentials, FTP login data, system information, screenshots, and credit card details.
  • It incorporates various anti-analysis techniques by detecting debugging and monitoring tools like WinDbg, Fiddler, and Wireshark while using junk code and fake API calls to hinder analysis.
  • Persistence is maintained via RunOnce registry keys, and the malware queries public IP services to obtain victim geolocation information.
  • Palo Alto Networks enhances protection against these threats with Advanced WildFire, Cortex XDR, and Cortex XSIAM solutions employing behavioral and machine learning detections.
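As an added illustration of the decryption step described above (this is example code, not code from the Unit 42 report), the following triage helper recovers a single-byte-XORed PE from a suspected dropper data file; the sample blob and the key 0x5A are constructed here for the demo.

```python
"""Triage helper for XOR-obfuscated PE payloads (added example, not Unit 42 code).

The DarkCloud chain carries its final executable as XOR-encrypted data files
that the AutoIt dropper decrypts in memory. When such a data file is recovered
from disk, trying every single-byte key and keeping the one that yields a valid
PE header is a quick way to confirm what it hides before deeper analysis.
"""
import struct
from typing import Optional, Tuple


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR each byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_xored_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force all 256 single-byte keys; return (key, plaintext) or None."""
    for key in range(256):
        candidate = xor_single_byte(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None  # not a single-byte-XORed PE: a longer key or another scheme is in use


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real executable)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 28


# Constructed sample: the fake PE XORed with key 0x5A, standing in for a dropper data file.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_single_byte(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xored_pe(SAMPLE_BLOB)
    print("no single-byte key found" if result is None else f"key=0x{result[0]:02x}")
```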

MITRE Techniques

  • [T1566.001] Phishing – Initial access gained through phishing emails delivering malicious RAR or PDF files (‘The attack chain starts with a phishing email’).
  • [T1204] User Execution – Requires victim to execute malicious files from the phishing email (‘The RAR archive contains an executable file that eventually delivers the malicious payload’).
  • [T1053] Scheduled Task/Job – Used as a persistence mechanism and for execution (‘Persistence is achieved through an addition to the RunOnce registry key’).
  • [T1140] Deobfuscate/Decode Files or Information – AutoIt script decrypts XORed payload and shellcode to generate the final executable in memory (‘The AutoIt script builds and runs the final DarkCloud Stealer payload from the two data files’).
  • [T1555] Credentials from Password Stores – Steals saved credentials from browsers and mail clients (‘The payload attempts to retrieve saved usernames and passwords from various Chrome-based and Gecko-based browsers’).
  • [T1539] Steal Web Session Cookie – Extracts browser session data for further exploitation (‘Stealing browser and mail client data’).
  • [T1552] Unsecured Credentials – Exfiltrates decrypted credentials from mail and FTP clients (‘This sample attempts to retrieve saved login credentials from various FTP client applications’).
  • [T1528] Steal Application Access Token – Collects tokens and credentials stored by applications (‘Stolen information is consolidated into a single file for exfiltration’).
  • [T1087] Account Discovery – Malware checks user accounts (‘This sample checks for user accounts and credit card details’).
  • [T1518] Software Discovery – Detects installed software and running processes (‘Incorporates checks for analysis tools such as WinDbg, Process Explorer’).
  • [T1057] Process Discovery – Checks running processes to avoid detection (‘Includes checks for tools like Fiddler and Wireshark’).
  • [T1007] System Service Discovery – Inspects system services to evade analysis (‘DarkCloud incorporates numerous anti-analysis techniques’).

Indicators of Compromise

  • [File Hash] Malicious files in phishing campaigns – PDF file hash bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc, RAR archive hash 9940de30f3930cf0d0e9e9c8769148594240d11242fcd6c9dd9e9f572f68ac01.
  • [File Hash] DarkCloud Stealer AutoIt-compiled executables – 30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371, 1269c968258999930b573682699fe72de72d96401e3beb314ae91baf0e0e49e8.
  • [URL] Malware hosting on file-sharing service – hxxps://files.catbox.moe/olyfi3.001 used to host the malicious RAR archive.

Read more: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/