The DarkCloud info-stealer is back in a new campaign that uses spam emails for distribution, as discovered by ASEC. Alongside DarkCloud, the threat actor also deploys ClipBanker, which steals users' crypto wallet addresses.

Diving into details

The email urges recipients to review the enclosed payment statement, purportedly sent to the company account. Upon extracting the attachment, unsuspecting users may inadvertently run the concealed malware, which is disguised as a PDF file.
  • The attached file functions as a dropper, responsible for creating and executing DarkCloud and ClipBanker.
  • If users download and execute the decompressed file, various account credentials stored on the compromised system can be stolen.
  • Furthermore, there is a risk of cryptocurrency wallet address substitution: the threat actor's address replaces the address in the user's clipboard, so funds are sent to the threat actor's wallet during transactions.
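The dropper arrives as an executable posing as a PDF inside a compressed attachment. The following Python is an added example, not part of this article or ASEC's analysis, showing how a mail gateway or triage script can flag that pattern before a user opens the file: it builds a constructed in-memory ZIP (the "MZ" stub and file names are placeholders, not the real sample) and reports members whose extension chain or content does not match a document. The extension lists are assumptions chosen for the example.

```python
import io
import zipfile
from typing import Dict, List

# Constructed sample data standing in for the e-mail attachment described above.
# FAKE_PE carries only a DOS "MZ" magic; it is a placeholder, not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

# Assumed extension lists for this example (extend to match local policy).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP with one benign PDF and two disguised executables (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment Statement.pdf.exe", FAKE_PE)  # document-looking double extension
        zf.writestr("invoice.pdf", FAKE_PDF)               # genuine PDF header
        zf.writestr("readme.pdf", FAKE_PE)                 # PE content under a .pdf name
    return buf.getvalue()


def triage_archive(data: bytes) -> List[Dict]:
    """Flag archive members whose name or content suggests an executable posing as a document.

    Checks applied to each member:
      1. the final extension is an executable type;
      2. a document extension precedes that executable extension (e.g. ".pdf.exe");
      3. the content starts with the PE/DOS "MZ" magic although the extension is not executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            with zf.open(info) as member:
                head = member.read(8)
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXT:
                reasons.append("executable extension")
                if any(e in DOCUMENT_EXT for e in exts[:-1]):
                    reasons.append("document-like double extension")
            if head.startswith(b"MZ") and not (exts and exts[-1] in EXECUTABLE_EXT):
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Reading the first bytes of each member rather than trusting the name is what catches the third case; Windows Explorer hides known extensions by default, so a name check alone misses files whose displayed name already looks like a document.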

Capabilities of DarkCloud

  • DarkCloud is known for pilfering system information, capturing screenshots, monitoring clipboard activities, and extracting other information from the target system.
  • The malware operators claim to target Chromium-based and Firefox-based web browsers, email clients (such as Thunderbird, Outlook, and FoxMail), and FTP client programs (such as CoreFTP and WinSCP).

A bit about ClipBanker

  • The specific ClipBanker variant used in this attack has been identified as "Get Cliboard Address.exe" and functions by monitoring the clipboard.
  • Whenever a clipboard entry matches predefined regular expressions, the entry is altered to correspond to the wallet address specified by the threat actor.
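Because the substitution happens between copy and paste, the defensive check that matters is whether the clipboard still holds what the user put there. The Python below is an added example, not code from the article or from the ClipBanker sample: it replays a constructed clipboard journal of user copies and periodic polls and raises an alert when a polled value differs from the last user copy while both look like wallet addresses. The address regexes and the placeholder addresses are assumptions for the example, not the patterns or wallet used by the threat actor.

```python
import re
from typing import Dict, List, Optional, Tuple

# Illustrative address patterns (assumed for this example; not taken from the ClipBanker sample).
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed placeholder addresses; they match the patterns above but are not real wallets.
USER_ETH = "0x1234567890abcdef1234567890abcdef12345678"
SUBSTITUTED_ETH = "0x" + "f" * 40
USER_BTC = "bc1q" + "a" * 38

# Constructed clipboard journal: ("user", text) is a copy the user made,
# ("poll", text) is what a periodic read of the clipboard returned afterwards.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("user", "meeting notes"),
    ("poll", "meeting notes"),
    ("user", USER_ETH),
    ("poll", USER_ETH),
    ("poll", SUBSTITUTED_ETH),   # content changed without a user copy in between
    ("user", USER_BTC),
    ("poll", USER_BTC),
]


def classify_address(text: str) -> Optional[str]:
    """Return the address family that text matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def scan_clipboard_journal(events: List[Tuple[str, str]]) -> List[Dict]:
    """Alert when a polled clipboard value differs from the last user copy and both are wallet addresses."""
    alerts = []
    last_user_copy: Optional[str] = None
    for index, (source, text) in enumerate(events):
        if source == "user":
            last_user_copy = text.strip()
            continue
        if source != "poll" or last_user_copy is None:
            continue
        observed = text.strip()
        if observed == last_user_copy:
            continue
        if classify_address(last_user_copy) and classify_address(observed):
            alerts.append({"index": index, "expected": last_user_copy,
                           "observed": observed, "kind": classify_address(observed)})
    return alerts


if __name__ == "__main__":
    for alert in scan_clipboard_journal(SAMPLE_EVENTS):
        print(f"event {alert['index']}: {alert['kind']} address replaced")
```

On a real endpoint the "user" events would come from a copy hook and the "poll" events from reading the clipboard with the platform API; the comparison logic stays the same. Requiring both values to match an address pattern keeps ordinary clipboard churn (a user copying something else) from firing the alert.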

The bottom line

Info-stealers such as DarkCloud are being propagated through a variety of methods. Users should exercise caution when handling email attachments from unfamiliar sources or executable files obtained from the internet, and should obtain software, including utility programs and games, exclusively from official websites.
Additionally, users should promptly apply the latest patches for their operating systems and software, particularly web browsers.
Cyware Publisher