Skuld: The Infostealer that Speaks Golang

Skuld is a Golang-based infostealer discovered in May 2023 by Trellix ARC that targets data from Discord, web browsers, and system files, with anti-analysis checks and evolving capabilities, including a crypto-clipper module still in development. The malware exfiltrates stolen data via Discord webhooks or Gofile, and its developer, Deathined, has been linked to the malware through social media and code-hosting accounts used to promote it.

Keypoints

  • Skuld is a new Golang stealer (Go 1.20.3) designed to harvest data from Discord, browsers, and system files.
  • It includes anti-analysis features (virtualization/sandbox checks, blacklists, and process checks) to terminate if analyzed.
  • Discord token theft and injection capabilities target Discord by bypassing Better Discord and Discord Token Protector defenses.
  • Browser data theft targets Chromium and Gecko-based browsers, archiving data into browsers.zip for exfiltration.
  • Exfiltration is performed via Discord webhooks or the file-sharing service Gofile; some samples also include a crypto-clipper module in development.
  • The developer behind Skuld is identified as Deathined, with multiple social media and code-hosting accounts linked to the actor.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Upon starting, the stealer loads parameters and modules for execution. Quote: “Upon starting, the stealer will load some parameters, paths, and regular expressions, in an internal string map structure that is later used by the different supported modules.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The malware injects JavaScript into Discord by targeting the discord_desktop_core module. Quote: “injecting some JavaScript code into the ‘discord_desktop_core’ module.”
  • [T1497] Virtualization/Sandbox Evasion: System Checks – Skuld runs three checks to detect a virtual environment; if VMware/VirtualBox indicators are found, it terminates. Quote: “Skuld uses three different techniques to perform this check… If any contains information related to VMware or Virtual Box, the application terminates.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The malware removes Better Discord files and edits the Discord Token Protector configuration so that its protections no longer block code injection. Quote: “the binary finds and removes the following files… Then, it modifies the contents of the ‘%APPDATA%\DiscordTokenProtector\config.json’ file, to disable the auto-start feature and the integrity checks of Discord, allowing the attacker to inject code in the application.”
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – It targets browser data stored by Chromium and Gecko-based browsers. Quote: “The next target of the Skuld stealer malware is the information stored by Chromium and Gecko-based browsers (the complete list of targeted browsers can be found in Appendix E – Skuld lists).”
  • [T1111] Multi-Factor Authentication Interception – Skuld attempts to steal Discord backup codes as part of bypassing 2FA. Quote: “After injecting the code, Skuld tries to steal the Discord backup codes, which are an alternative to the two-factor authentication code of the user.”
  • [T1033] System Owner/User Discovery – It performs hostname and username discovery as part of system information gathering. Quote: “Figure 11 Hostname and username discovery.”
  • [T1082] System Information Discovery – It gathers general system info during acquisition. Quote: “Figure 12 System information discovery.”
  • [T1057] Process Discovery – Skuld enumerates running processes and blocks or terminates those on a blocklist. Quote: “The third and final block of checks performed by Skuld is getting the running processes of the system and comparing them to a blocklist.”
  • [T1217] Browser Information Discovery – It targets browser data, with browsers being a major data source. Quote: “The next target … information stored by Chromium and Gecko-based browsers (the complete list of targeted browsers can be found in Appendix E – Skuld lists).”
  • [T1113] Screen Capture – The malware captures the screen as part of information collection. Quote: “From the system, the Skuld stealer takes a screenshot and extracts information, listed below.”
  • [T1115] Clipboard Data – Clipper functionality swaps cryptocurrency wallet addresses by monitoring clipboard content. Quote: “Another functionality of the stealer is the modification of the user clipboard when it detects a cryptocurrency wallet being copied.”
  • [T1560] Archive Collected Data – Browser data is archived into a zip file for exfiltration. Quote: “Once the information has been obtained, it is archived and compressed in a file called ‘browsers.zip’ and sent to the attacker.”
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration via Discord webhook. Quote: “Exfiltration: Once a module has completed execution, Skuld sends the stolen information to the attacker using two methods: a Discord webhook or Gofile upload service.”
  • [T1567] Exfiltration Over Web Service – Gofile usage for exfiltration of files. Quote: “Gofile usage is uncommon to our analyzed Skuld samples, since, as was the case with the file stealer module, only two of the samples had it implemented.”
  • [T1020] Automated Exfiltration – Each module's output is sent to the attacker automatically over the configured channel as soon as the module finishes. Quote: “After successfully disabling the Discord protection, the binary downloads and injects a JavaScript file into Discord. … After injecting the code, Skuld tries to steal the Discord backup codes… Finally, every obtained piece of data is then exfiltrated.”
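The technique list above describes one observable chain on an infected host: Discord Token Protector's config.json is rewritten, betterdiscord.asar is removed, JavaScript lands in the discord_desktop_core module, and data leaves over a Discord webhook or Gofile. The following is an added detection example written for this page; it is not Trellix code and not part of the report. It assumes a simplified endpoint-telemetry schema (the Event fields and the kind names file_modify, file_delete, net_connect are assumptions loosely modelled on Sysmon file and network events), treats Discord.exe and Update.exe as the only processes expected to write Discord's own module files (an assumption), and correlates a defence-tampering finding with an exfiltration finding on the same host. The events fed to it are constructed samples.

```python
"""Correlate Skuld-style Discord tampering with webhook/Gofile exfiltration.

Added example for this page, not code from the Trellix report. The event
schema, the Discord process allow-list and the sample events are assumptions
or constructed data; the file paths and services come from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Suffixes of the two paths named in the report (lower-cased, backslash form).
TOKEN_PROTECTOR_CONFIG = r"\discordtokenprotector\config.json"
BETTERDISCORD_ASAR = r"\betterdiscord\data\betterdiscord.asar"
DISCORD_CORE_MODULE = "discord_desktop_core"
# Assumption: only these images legitimately rewrite Discord's module files.
DISCORD_PROCESSES = {"discord.exe", "update.exe"}
WEBHOOK_RE = re.compile(r"https://discord\.com/api/webhooks/\d+/[\w-]+", re.I)
GOFILE_RE = re.compile(r"https://[\w-]+\.gofile\.io/(getServer|uploadFile)", re.I)

TAMPER = {"token_protector_config_modified", "betterdiscord_asar_removed",
          "discord_core_js_written"}
EXFIL = {"discord_webhook_post", "gofile_upload"}


@dataclass
class Event:
    host: str
    kind: str      # "file_modify", "file_delete" or "net_connect" (assumed schema)
    process: str   # image name of the acting process
    target: str    # file path or URL


def classify(ev: Event) -> Optional[str]:
    """Map one event to a finding tag, or None if it is not interesting."""
    path = ev.target.lower()
    proc = ev.process.lower()
    if ev.kind == "file_modify" and path.endswith(TOKEN_PROTECTOR_CONFIG):
        return "token_protector_config_modified"          # T1562.001
    if ev.kind == "file_delete" and path.endswith(BETTERDISCORD_ASAR):
        return "betterdiscord_asar_removed"               # T1562.001
    if (ev.kind == "file_modify" and DISCORD_CORE_MODULE in path
            and path.endswith(".js") and proc not in DISCORD_PROCESSES):
        return "discord_core_js_written"                  # T1059.007
    if ev.kind == "net_connect" and WEBHOOK_RE.search(ev.target):
        return "discord_webhook_post"                     # T1071.001
    if ev.kind == "net_connect" and GOFILE_RE.search(ev.target):
        return "gofile_upload"                            # T1567
    return None


def correlate(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per host, the sorted findings when tampering and exfiltration both occur."""
    findings = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            findings[ev.host].add(tag)
    return {host: sorted(tags) for host, tags in findings.items()
            if tags & TAMPER and tags & EXFIL}


# Constructed sample telemetry: ws01 shows the full chain, ws02 is a benign
# Discord self-update followed by normal gateway traffic.
SAMPLE_EVENTS = [
    Event("ws01", "file_delete", "sample.exe",
          r"C:\Users\a\AppData\Roaming\BetterDiscord\data\betterdiscord.asar"),
    Event("ws01", "file_modify", "sample.exe",
          r"C:\Users\a\AppData\Roaming\DiscordTokenProtector\config.json"),
    Event("ws01", "file_modify", "sample.exe",
          r"C:\Users\a\AppData\Roaming\discord\modules\discord_desktop_core\index.js"),
    Event("ws01", "net_connect", "sample.exe",
          "https://discord.com/api/webhooks/1101151106052145214/EXAMPLETOKEN"),
    Event("ws02", "file_modify", "Discord.exe",
          r"C:\Users\b\AppData\Roaming\discord\modules\discord_desktop_core\index.js"),
    Event("ws02", "net_connect", "Discord.exe", "https://discord.com/api/v9/gateway"),
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, tags)
```

Requiring both a tampering finding and an exfiltration finding keeps a single config.json edit (for example a user changing Token Protector settings) from alerting on its own; a lone discord_core_js_written by a non-Discord process is still worth a lower-severity signal in practice.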

Indicators of Compromise

  • [File] context – sample files and paths: “%APPDATA%\BetterDiscord\data\betterdiscord.asar” and “%APPDATA%\DiscordTokenProtector\config.json” (modifications to disable protections)
  • [Hash] context – sample hashes: 8df1e0135851d1a0b66fbaa9be282009, 1b6523dc8dea8e2f29e8d55819ac75b94da9acbf, d11efad7ebe520ccc9f682003d76ebfabd5d18b746a801fefbf04317f7ae7505, 4c0af2782e7e02aba3cc182eb485bdd30f22707a7669cf6609e2619bf4f54b2d
  • [URL] context – Discord webhooks used for exfiltration: https://discord.com/api/webhooks/1101151106052145214/BIaHrwzWkurP1ifNTfI0S-nV_adpU3L7CtHkZgsoxNh0xWIhQpjX2fdzD9kB7BDNYQi7, https://discord.com/api/webhooks/963128514779959316/ruqcIVO-IzGEWVxFyDIITM7YCzbyrnmAu55FnFdc4inoDqbx2o3dSOjAkc1lGOf9ytAf, https://discord.com/api/webhooks/1101120631296237639/mesriMSa71vT7Vf_chsUKzwpQEbKiBcK1y1GiKUCoC360ZH8EuTmJQKMDSmB-LGAqbJw
  • [URL] context – Gofile endpoints: https://api.gofile.io/getServer, https://[server_name].gofile.io/uploadFile
  • [IP] context – sample exfiltration-related IPs: 88.132.231.71, 95.25.204.90, 34.105.72.241, 34.85.243.241, 35.229.69.227
  • [MAC] context – MAC addresses from Skuld's anti-analysis blocklist (used by the malware to recognize analysis environments): 00:15:5d:00:07:34, 00:15:5d:00:01:81
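The indicator list above mixes three hash lengths, full webhook URLs, and a Gofile upload endpoint whose hostname is a placeholder. The following is an added example for this page, not Trellix code, showing how a defender can normalize those entries into matchers before running them over logs: hashes are bucketed by digest length, webhook URLs are reduced to their numeric webhook id (so a match still fires when a proxy log truncates the token), and the "[server_name]" placeholder becomes a hostname-label pattern. The hash, webhook and Gofile values are copied from the list above; the proxy-log lines and the host inventory are constructed samples.

```python
"""Normalize the Skuld indicators above into matchers and scan sample logs.

Added example, not from the Trellix report. Indicator values are copied from
the page; log lines and the host inventory are constructed.
"""
import re
from typing import Dict, List, Pattern, Set, Tuple

HASHES = [
    "8df1e0135851d1a0b66fbaa9be282009",
    "1b6523dc8dea8e2f29e8d55819ac75b94da9acbf",
    "d11efad7ebe520ccc9f682003d76ebfabd5d18b746a801fefbf04317f7ae7505",
    "4c0af2782e7e02aba3cc182eb485bdd30f22707a7669cf6609e2619bf4f54b2d",
]
WEBHOOK_URLS = [
    "https://discord.com/api/webhooks/1101151106052145214/BIaHrwzWkurP1ifNTfI0S-nV_adpU3L7CtHkZgsoxNh0xWIhQpjX2fdzD9kB7BDNYQi7",
    "https://discord.com/api/webhooks/963128514779959316/ruqcIVO-IzGEWVxFyDIITM7YCzbyrnmAu55FnFdc4inoDqbx2o3dSOjAkc1lGOf9ytAf",
    "https://discord.com/api/webhooks/1101120631296237639/mesriMSa71vT7Vf_chsUKzwpQEbKiBcK1y1GiKUCoC360ZH8EuTmJQKMDSmB-LGAqbJw",
]
GOFILE_URLS = ["https://api.gofile.io/getServer", "https://[server_name].gofile.io/uploadFile"]

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
WEBHOOK_RE = re.compile(r"https://discord\.com/api/webhooks/(\d+)/([\w-]+)")


def classify_hash(digest: str) -> str:
    """Return md5/sha1/sha256 from the hex length; reject anything else."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d) or len(d) not in HASH_ALGOS:
        raise ValueError(f"not a hex digest of a known length: {digest!r}")
    return HASH_ALGOS[len(d)]


def index_hashes(hashes: List[str]) -> Dict[str, Set[str]]:
    index: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        index[classify_hash(h)].add(h.strip().lower())
    return index


def webhook_ids(urls: List[str]) -> Set[str]:
    """Keep only the numeric webhook id; it identifies the webhook without the token."""
    ids = set()
    for url in urls:
        m = WEBHOOK_RE.fullmatch(url)
        if not m:
            raise ValueError(f"not a Discord webhook URL: {url!r}")
        ids.add(m.group(1))
    return ids


def template_to_regex(url: str) -> Pattern[str]:
    """Turn a '[placeholder]' in the report's URL into a single hostname label."""
    literal_parts = re.split(r"\[[^\]]+\]", url)
    return re.compile("^" + r"[A-Za-z0-9-]+".join(re.escape(p) for p in literal_parts) + "$")


def scan_proxy_log(lines: List[str], ids: Set[str],
                   gofile_patterns: List[Pattern[str]]) -> List[Tuple[str, str]]:
    hits = []
    for line in lines:
        for m in WEBHOOK_RE.finditer(line):
            if m.group(1) in ids:
                hits.append(("discord_webhook", m.group(1)))
        for url in re.findall(r"https?://\S+", line):
            if any(p.match(url) for p in gofile_patterns):
                hits.append(("gofile", url))
    return hits


def match_inventory(inventory: Dict[str, str], index: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return host -> digest for hosts whose recorded file hash is in the index."""
    return {host: d for host, d in inventory.items()
            if d.lower() in index[classify_hash(d)]}


# Constructed proxy-log lines: the first webhook token is truncated by the logger,
# the second webhook id is made up and must not match, the last line is benign.
SAMPLE_PROXY_LOG = [
    "2023-06-01T10:00:01Z ws01 POST https://discord.com/api/webhooks/1101151106052145214/TRUNC... 200",
    "2023-06-01T10:00:05Z ws01 GET https://api.gofile.io/getServer 200",
    "2023-06-01T10:00:06Z ws01 POST https://store3.gofile.io/uploadFile 200",
    "2023-06-01T10:01:00Z ws02 POST https://discord.com/api/webhooks/999999999999999999/notInReport 204",
    "2023-06-01T10:02:00Z ws03 GET https://discord.com/api/v9/gateway 200",
]
# Constructed inventory: host -> sha256 of a dropped file.
SAMPLE_INVENTORY = {"ws01": HASHES[2].upper(), "ws02": "0" * 64}

if __name__ == "__main__":
    ids = webhook_ids(WEBHOOK_URLS)
    patterns = [template_to_regex(u) for u in GOFILE_URLS]
    print(scan_proxy_log(SAMPLE_PROXY_LOG, ids, patterns))
    print(match_inventory(SAMPLE_INVENTORY, index_hashes(HASHES)))
```

The Gofile endpoints are shared infrastructure, so a hit on them is a weak signal on its own and is best combined with the host-side findings; the webhook ids, by contrast, are specific to these samples.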

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/skuld-the-infostealer-that-speaks-golang.html