Threat actors are distributing a sophisticated infostealer, known as DarkCloud Stealer, in various spam campaigns. The malware operates through a multi-stage process and is capable of collecting sensitive information from a victim’s computer or mobile device.

Malware infection chain

The infection chain starts with a phishing email carrying a malicious link or attachment. The email purports to come from a legitimate company, such as an online retailer or a business supplier.
  • Cyble researchers found a sample mail that initially distributes a dropper.
  • When executed on the victim device, it copies itself into the system directory and creates a task scheduler entry for persistence.
  • Once launched, it loads the final payload written in Visual Basic (VB) into the memory of an already running process.
  • This VB file comprises a PK archive containing an executable file with the source code for the DarkCloud Stealer payload in its resource directory.
  • The executable then gathers sensitive data from multiple applications installed on the targeted system and exfiltrates it to the C2 server over several channels, including SMTP, Telegram, a web panel, and FTP.
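The chain above gives a defender three behaviours to correlate on an endpoint: a process started from a user profile writing a file into the Windows directory, a scheduled task created that points at that dropped file, and an outbound connection to an SMTP, FTP or Telegram endpoint from a process that has no business using them. The following is an added example, not code from the Cyware write-up or Cyble's research, of a small correlation rule over Sysmon-style events. The event format, hostnames, file paths, process names and the allowlist are all constructed for the example.

```python
"""
Added example: correlate the persistence and exfiltration behaviours described
above across a process tree. Event data, paths and hostnames are constructed.
"""
import json
import re

USER_DIR_RE = re.compile(r"^C:\\Users\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
# Exfiltration channels named in the write-up: SMTP, Telegram, web panel, FTP.
EXFIL_PORTS = {25, 465, 587, 21}
TELEGRAM_HOST = "api.telegram.org"
# Constructed allowlist: processes expected to speak SMTP/FTP on this host.
ALLOWED_MAIL_FTP_IMAGES = {r"c:\program files\mail\mail.exe"}

# Constructed Sysmon-like events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2023-04-01T10:00:01Z","event":"ProcessCreate","pid":4120,"ppid":2000,"image":"C:\\Users\\alice\\Downloads\\invoice.exe","cmd":"invoice.exe"}
{"ts":"2023-04-01T10:00:02Z","event":"FileCreate","pid":4120,"target":"C:\\Windows\\System32\\svchost32.exe"}
{"ts":"2023-04-01T10:00:03Z","event":"ProcessCreate","pid":4131,"ppid":4120,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Windows\\System32\\svchost32.exe"}
{"ts":"2023-04-01T10:00:09Z","event":"NetworkConnect","pid":4120,"dest_host":"api.telegram.org","dest_port":443}
{"ts":"2023-04-01T10:05:00Z","event":"ProcessCreate","pid":5000,"ppid":800,"image":"C:\\Program Files\\Mail\\mail.exe","cmd":"mail.exe"}
{"ts":"2023-04-01T10:05:01Z","event":"NetworkConnect","pid":5000,"dest_host":"smtp.example.com","dest_port":587}
"""


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def root_pid(pid, parent_of):
    """Follow ppid links to the oldest ancestor present in the log."""
    while pid in parent_of and parent_of[pid] in parent_of:
        pid = parent_of[pid]
    return pid


def correlate(events):
    """Map each process-tree root to the sorted list of stages it triggered."""
    parent_of = {}
    image_of = {}
    for e in events:
        if e["event"] == "ProcessCreate":
            parent_of[e["pid"]] = e["ppid"]
            image_of[e["pid"]] = e["image"]

    findings = {}  # root pid -> set of matched stage names
    dropped = {}   # root pid -> lower-cased paths written into the system directory

    def add(pid, stage):
        findings.setdefault(root_pid(pid, parent_of), set()).add(stage)

    for e in events:
        pid = e["pid"]
        image = image_of.get(pid, "")
        root = root_pid(pid, parent_of)
        if e["event"] == "FileCreate":
            # Stage 1: a process from a user profile writes into C:\Windows.
            if USER_DIR_RE.match(image) and SYSTEM_DIR_RE.match(e["target"]):
                add(pid, "system_dir_drop")
                dropped.setdefault(root, set()).add(e["target"].lower())
        elif e["event"] == "ProcessCreate":
            # Stage 2: schtasks /create whose /tr target is a file dropped by this tree.
            cmd = e["cmd"].lower()
            if image.lower().endswith("\\schtasks.exe") and "/create" in cmd:
                m = re.search(r"/tr\s+(\S+)", cmd)
                if m and m.group(1) in dropped.get(root, set()):
                    add(pid, "scheduled_task_persistence")
        elif e["event"] == "NetworkConnect":
            # Stage 3: Telegram API, or SMTP/FTP ports from a non-allowlisted process.
            telegram = e.get("dest_host", "").lower() == TELEGRAM_HOST
            mail_ftp = (e["dest_port"] in EXFIL_PORTS
                        and image.lower() not in ALLOWED_MAIL_FTP_IMAGES)
            if telegram or mail_ftp:
                add(pid, "exfil_channel")
    return {pid: sorted(stages) for pid, stages in findings.items()}


def suspicious_chains(events, min_stages=2):
    """Process trees that hit at least `min_stages` distinct stages."""
    return {pid: s for pid, s in correlate(events).items() if len(s) >= min_stages}


def main():
    for pid, stages in suspicious_chains(parse_events(SAMPLE_EVENTS)).items():
        print(f"process tree {pid}: {', '.join(stages)}")


if __name__ == "__main__":
    main()
```

The allowlisted mail client talking SMTP on port 587 is deliberately left unflagged, and a single stage alone does not raise an alert; requiring two or more stages on the same process tree is what keeps a rule like this from firing on ordinary installers, which also drop files and register scheduled tasks.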

Malware functionalities

DarkCloud Stealer is capable of collecting system information, capturing screenshots, monitoring clipboard activities, and retrieving data from the targeted system.
  • The malware operators claim to target applications such as Chromium-based web browsers, FileZilla, CoreFTP, FlashFXP, NordVPN, Pidgin, Internet Explorer, and Microsoft Edge vaults.
  • It can target certain file types from the targeted system and access sensitive information from cryptocurrency applications.
  • Additionally, it offers a crypto-swapping feature for popular cryptocurrencies such as Bitcoin, Bitcoin Cash, Ethereum, and Ripple.

Why the rise in activity

There has been a noticeable increase in the use of DarkCloud Stealer, from around 130 samples in Q4 2022 to over 150 samples in Q1 2023. Threat actors were observed advertising the malware on a cybercrime forum in January 2023, which could be one reason for the increased activity.

Conclusion

DarkCloud Stealer has a long list of targets and several functionalities, which make it highly adaptable. To prevent such attacks and minimize their impact, users and organizations are advised to deploy adequate safeguards, such as antivirus and anti-phishing solutions, together with stronger security controls and multi-layered visibility.
Cyware Publisher