DarkCloud is a sophisticated stealer malware that emerged in 2022, quickly positioning itself as one of the most prevalent threats in its category.
This Windows-targeting malware has evolved significantly to extract sensitive information including browser data, FTP credentials, screenshots, keystrokes, and financial information from infected systems.
The primary distribution method involves phishing campaigns, where attackers impersonate legitimate companies or disguise their attacks as payment receipts or fines.
These attacks frequently target HR departments. Additional vectors include malvertising, watering hole attacks, and deployment alongside other malware such as DbatLoader or ClipBanker.
Security researcher REXorVc0 identified DarkCloud’s extensive capabilities, noting that the malware employs a multi-stage infection process designed to evade detection.
“The execution and distribution of this Stealer have been driven by phishing campaigns, where attackers impersonated various companies,” REXorVc0 explained in their technical analysis.
The impact has been significant, with numerous organizations falling victim to its data theft capabilities, losing browser data, cryptocurrency wallets, and credentials to attackers operating through Telegram channels.
Infection Mechanism
DarkCloud’s infection chain begins when a victim accesses a malicious link or downloads an infected file.
The initial payload, typically delivered as compressed files or scripts, kicks off a multi-stage process designed to bypass security controls.
The loader downloads or extracts the next stage, often employing sophisticated obfuscation techniques. One analyzed sample used Base64 encoding combined with TripleDES encryption, with the following key and IV:
rgbKey = bytes([0x39, 0x1C, 0x8A, 0x9E, 0x80, 0xC2, 0xF8, 0xDF])  # TripleDES key bytes recovered from the sample
rgbIV = bytes([0xA3, 0x4B, 0x1F, 0xEB, 0x28, 0xFE, 0x46, 0xEA])   # initialization vector recovered from the sample
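As an added example for analysts (not code from REXorVc0's analysis or from the malware), this Go program unwraps a stage protected the way described above: Base64, then TripleDES, using the key and IV shown. The page does not state the cipher mode or padding, so CBC with PKCS#7 is assumed, and because Go's crypto/des needs a 24-byte key, the 8 bytes shown are used as K1=K2=K3 (which makes TripleDES collapse to single DES), also an assumption.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
)

// Key and IV as reported for the analysed sample.
var rgbKey = []byte{0x39, 0x1C, 0x8A, 0x9E, 0x80, 0xC2, 0xF8, 0xDF}
var rgbIV = []byte{0xA3, 0x4B, 0x1F, 0xEB, 0x28, 0xFE, 0x46, 0xEA}

// newCipher builds the block cipher. crypto/des wants a 24-byte 3DES key; the sample
// shows only 8 bytes, so (as an assumption) they are used as K1=K2=K3, which makes
// 3DES collapse to single DES. Any other length is rejected by NewTripleDESCipher.
func newCipher(k []byte) (cipher.Block, error) {
	if len(k) == 8 {
		k = bytes.Repeat(k, 3)
	}
	return des.NewTripleDESCipher(k)
}

// DecodeStage reverses Base64 then 3DES-CBC/PKCS#7, failing closed on bad padding (wrong key/IV).
func DecodeStage(b64 string, key, iv []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return nil, err }
	block, err := newCipher(key)
	if err != nil { return nil, err }
	if len(ct) == 0 || len(ct)%8 != 0 { return nil, errors.New("ciphertext is not whole 8-byte blocks") }
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length, all pad bytes equal it
	if n < 1 || n > 8 || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or IV?")
	}
	return pt[:len(pt)-n], nil
}

// EncodeStage is the forward direction, used here only to build constructed test blobs.
func EncodeStage(pt, key, iv []byte) (string, error) {
	block, err := newCipher(key)
	if err != nil { return "", err }
	n := 8 - len(pt)%8 // PKCS#7 always adds 1..8 bytes
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct), nil
}
```

Feed DecodeStage the Base64 text lifted from the loader; a padding error is the usual sign that the mode, key length or IV assumption does not match the sample.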
The final stage involves injecting the stealer into legitimate Windows processes like svchost.exe or MSBuild.
Running inside a trusted process lets DarkCloud operate stealthily and evade most security solutions while it harvests sensitive data from browsers, password managers, and email clients, which it then exfiltrates through Telegram bots.
The post DarkCloud – An Advanced Stealer Malware Selling Via Telegram To Steal Data From Windows appeared first on Cyber Security News.