Sophisticated Malware Employs Multi-Pronged Data Exfiltration
DarkCloud is an Information Stealer Malware. It was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. Information stealers can be used to gather a variety of data, including passwords, credit card numbers, social security numbers, and other personal or financial information.
Cyble Research and Intelligence Labs (CRIL) saw a noticeable increase in the prevalence of DarkCloud Stealer, with Threat Actors (TA) employing various spam campaigns to disseminate this malware worldwide.
DarkCloud Stealer operates through a multi-stage process, with the final payload written in Visual Basic being loaded into memory during the last stage. It can exfiltrate stolen data via different methods, including SMTP, Telegram, Web Panel, and FTP.
The figure below shows the infection flow of DarkCloud stealer.
The sale of DarkCloud Stealer on a cybercrime forum was reported in January 2023. The figure below shows a DarkCloud stealer post on a cybercrime forum.
According to the TA, they are selling a program known as the “DarkCloud stealer builder”, which permits users to tailor the payload of the stealer as per their requirements. This builder also has the capability to incorporate both a “grabber” and a “clipper” functionality as part of its features.
The figure below shows the builder of DarkCloud stealer.
The TA has also claimed that the stealer can target the applications shown below.
We have observed multiple spam emails that were spreading DarkCloud stealer; one example is depicted in the figure below. This email is an order invoice phishing email designed to trick the recipient into clicking on a malicious link or opening an attachment containing DarkCloud Stealer. This email appears to be from a legitimate company, such as an online retailer or a business supplier, claiming that the recipient has placed an order with them.
The initial file delivered through the spam campaign is a .NET binary (SHA256: 9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb) and acts as a dropper. It copies itself into the “Users\\AppData\\Roaming” directory and then creates a task scheduler entry using schtasks.exe for persistence.
The figure below shows the Task Scheduler entry created by the malware.
Following this, the malware launches itself and loads the next level binary to the memory of a running process. The payload is loaded into memory as a VB file, as shown below.
The VB file that is currently in memory is a 32-bit executable binary with SHA256, 413c9fcea027f89b9d8905ca6ae96cc099b8886fb3916876a4029e92d56fcb9b. Within the Resource section of this VB file, there is binary content that comprises a PK archive. This archive file contains an executable named “ConsoleApp1.exe,” as shown below.
When executing the VB file, it extracts the “ConsoleApp1.exe” file from the PK archive and drops it in the following %appdata% path. Then, it runs the dropped executable file.
The “ConsoleApp1.exe” file is a 32-bit .NET compiled binary that includes the source code for the DarkCloud Stealer payload in its resource directory, as shown in the figure below.
The primary goal of the “ConsoleApp1.exe” file is to load a DarkCloud source code Stub from the project’s resource and compile it using the CompileAssemblyFromSource() method of the System.CodeDom.Compiler.CodeDomProvider class in .NET framework. The compiled binary is the payload, named “credentials.exe”, which is placed in the same directory and launched as a new process.
The malware deletes the “credentials.exe” binary after running for 60,000 milliseconds (or 1 minute).
The image below displays the code snippet used to compile the resource stub into a binary executable through the CompileCode() method.
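A detection sketch for the two process-level behaviours described above, the schtasks.exe persistence pointing into Roaming and the CodeDom compile-then-launch step, given here as an added example and not as code from the report. It assumes Sysmon Event ID 1-style process-creation records already parsed into dicts; the sample events, the invoice.exe dropper name and the GUID values are constructed, and csc.exe/vbc.exe are the compilers the .NET Framework CodeDom providers start.

```python
import re
from ntpath import basename, dirname

# Assumption: time-ordered Sysmon Event ID 1-style records parsed into dicts.
# Field names follow Sysmon; every sample value below is constructed.
ROAMING = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\", re.I)
COMPILERS = {"csc.exe", "vbc.exe"}  # started by the .NET Framework CodeDom providers


def hunt(events):
    """Return the finding names raised by a time-ordered list of events."""
    findings = []
    compiled_by = set()  # ParentProcessGuid of processes that already ran a compiler
    for ev in events:
        image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        name = basename(image).lower()
        # Persistence: schtasks.exe /create whose command line names a Roaming path
        # (a task registered through /XML needs the XML file inspected instead).
        if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and ROAMING.search(cmd):
            findings.append("schtasks_task_points_to_roaming")
        # Runtime compilation: a binary running from Roaming starts csc.exe or vbc.exe.
        elif name in COMPILERS and ROAMING.search(parent):
            compiled_by.add(ev["ParentProcessGuid"])
            findings.append("compiler_spawned_from_roaming")
        # Payload launch: the same parent then starts an executable from its own folder.
        elif ev["ParentProcessGuid"] in compiled_by and dirname(image).lower() == dirname(parent).lower():
            findings.append("compiled_payload_launched:" + name)
    return findings


R = r"C:\Users\alice\AppData\Roaming"  # constructed profile path
FIELDS = ("Image", "CommandLine", "ParentImage", "ParentProcessGuid")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [  # invoice.exe is a placeholder name
    (r"C:\Windows\System32\schtasks.exe",
     rf'schtasks.exe /Create /TN "Updates" /TR "{R}\invoice.exe" /SC ONLOGON',
     r"C:\Users\alice\Downloads\invoice.exe", "{guid-1}"),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r"csc.exe /noconfig @C:\Users\alice\AppData\Local\Temp\a.cmdline",
     rf"{R}\ConsoleApp1.exe", "{guid-2}"),
    (rf"{R}\credentials.exe", rf"{R}\credentials.exe", rf"{R}\ConsoleApp1.exe", "{guid-2}"),
    (r"C:\Windows\System32\schtasks.exe", "schtasks.exe /Query",
     r"C:\Windows\System32\cmd.exe", "{guid-3}"),
]]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Because the payload is deleted after one minute, the process-creation record is often the only durable trace of “credentials.exe”, which is why the third rule keys on the parent that ran the compiler and not on the file still being on disk.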
The payload “credentials.exe” is a 32-bit .NET executable that is identified as a DarkCloud Stealer with SHA256, 33fa272ffd2eac92f2a344718fa9bf678703f8194fcfcbc499ab9fefcdab4cca.
The figure below shows the file details of “credentials.exe”.
Once executed, “credentials.exe” begins to gather confidential information from multiple applications installed on the targeted system, after which it sends the stolen data to the Command and Control (C&C) server.
Password Recovery: Browsers & Email Clients
Stealing Login Details from GECKO Browsers
The ExecGGFHGFDute() method retrieves the saved usernames and passwords from various applications on the victim’s computer, including web browsers and email clients (such as Thunderbird).
This method iterates over each profile directory found in the Program.MozillaPaths dictionary, as shown in Figure 12, and checks for the existence of specific files such as logins.json, key4.db, signons.sqlite, and key3.db within each directory.
If the required files are found, the function will utilize the ExtractCredentials() and decryptLogins() methods from MozillaCreds class to extract stored usernames and passwords from the respective files. The encoded username and password values are decrypted using the Triple DES algorithm. The resulting login credentials are then appended to a string variable named “Program.datas.”
The figure below shows the code snippet of functions used to extract credentials from the victim’s machine.
Grab Credit Card & Login Details from CHROMIUM Browsers
The purpose of the Grab() method is to retrieve data related to user accounts and credit cards from Chromium-based web browsers (which could include more than 25 different browsers).
This method works by looping through a set of Chromium browser profiles specified in the “Program.ChromiumPaths” dictionary, as shown in Figure 15.
For each profile, it extracts and consolidates information about accounts and credit cards from the corresponding browser data files. The collected information is then added to a string variable named “Program.datas”.
The figure below shows the code snippet of functions used to extract credentials from the victim’s Chromium-based web browsers.
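The Gecko and Chromium collection routines above both amount to one process opening the credential stores of many applications, which can be hunted from file-access telemetry. The following is an added example, not code from the report: it assumes object-access auditing (Windows Security Event 4663, fields ProcessName and ObjectName) is enabled on browser profile folders, and the sample events, the expected-reader list and the Chromium file names are assumptions labelled in the code.

```python
import re
from collections import defaultdict
from ntpath import basename

# Gecko store files are the ones the report names; Chromium's "Login Data" and
# "Web Data" are an assumption added here (the report does not name them).
STORE_FILES = {"logins.json", "key4.db", "key3.db", "signons.sqlite",
               "login data", "web data"}
# Assumption: images expected to open these stores. Name matching alone can be
# spoofed, so production rules should also pin the install path or signer.
EXPECTED_READERS = {"firefox.exe", "thunderbird.exe", "chrome.exe", "msedge.exe"}
APP_FOLDER = re.compile(r"\\appdata\\(?:roaming|local)\\([^\\]+\\[^\\]+)", re.I)


def app_of(path):
    """Collapse a store path to its application folder, e.g. mozilla\\firefox."""
    m = APP_FOLDER.search(path)
    return m.group(1).lower() if m else path.lower()


def suspicious_readers(events, min_apps=2):
    """Map each unexpected process to the applications whose stores it opened."""
    touched = defaultdict(set)
    for ev in events:
        if basename(ev["ObjectName"]).lower() not in STORE_FILES:
            continue
        if basename(ev["ProcessName"]).lower() in EXPECTED_READERS:
            continue
        touched[ev["ProcessName"]].add(app_of(ev["ObjectName"]))
    # One process reading stores of several applications is the stealer pattern.
    return {p: sorted(apps) for p, apps in touched.items() if len(apps) >= min_apps}


U = r"C:\Users\alice\AppData"  # constructed profile path
FF = rf"{U}\Roaming\Mozilla\Firefox\Profiles\ab12.default"
SAMPLE_EVENTS = [{"ProcessName": p, "ObjectName": o} for p, o in [  # constructed
    (rf"{U}\Roaming\credentials.exe", rf"{FF}\logins.json"),
    (rf"{U}\Roaming\credentials.exe", rf"{FF}\key4.db"),
    (rf"{U}\Roaming\credentials.exe", rf"{U}\Roaming\Thunderbird\Profiles\cd34.default\key4.db"),
    (rf"{U}\Roaming\credentials.exe", rf"{U}\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", rf"{FF}\logins.json"),
    (r"C:\Program Files\Backup\agent.exe", rf"{FF}\logins.json"),
]]

if __name__ == "__main__":
    print(suspicious_readers(SAMPLE_EVENTS))
```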
Stealing FTP Credentials
The GetWinSCP() method obtains the saved login credentials for WinSCP (an FTP client) from the Windows registry and decrypts them. For every set of credentials, the function generates a WinSCPDecrypt object and invokes its Decrypt method to decode the password using the specified host and username.
It then formats the decrypted credentials and application name in a string format and appends the resulting string to “Program.datas.” The malware can also target FTP clients such as FileZilla, CoreFTP, and FlashFXP.
The image below shows the code snippet used to extract credentials from WinSCP.
As the functionalities of DarkCloud stealer can be customized using a builder, not all binaries will perform similar stealing functions; however, based on the builder screenshot shared by the TA, we infer that this stealer can have the following functionalities:
This malware can collect system information, capture screenshots, monitor clipboard activities, and retrieve cookies, messages, and contacts (163 MailMaster) from the targeted system.
It can also obtain confidential data from various sources, including VPN services such as NordVPN, messaging applications like Pidgin, and Password Managers such as Internet Explorer and Microsoft Edge vaults.
Furthermore, it can grab certain file types like TXT, XLS, XLSX, RTF, and PDF from the targeted system and access sensitive information from cryptocurrency applications. Additionally, the malware offers a crypto-swapping feature for popular digital currencies such as bitcoin, bitcoin cash, Ethereum, and ripple.
After acquiring all the confidential data from the targeted applications, the malware stores all the gathered information in the “Program.datas” variable and subsequently saves this information in a text file named “credentials.txt”. This file is located within the same directory. The final step involves the DarkCloud Stealer transmitting the exfiltrated details to the C&C server.
DarkCloud Stealer has been observed in various spam campaigns in 2023. It can steal sensitive information from infected devices, including passwords, credit card numbers, social security numbers, and other personal or financial information.
The malware executes in multiple stages, culminating in loading a final payload into memory. The data exfiltration capabilities of DarkCloud stealer include the use of SMTP, Telegram, Web Panel, and FTP. Furthermore, it has been identified as a state-of-the-art malware that can customize its payload to target different applications, making it highly adaptable.
The ongoing activities of InfoStealers represent a severe threat to the security of devices, users, and businesses worldwide.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact
- Don’t keep important files in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
| || ||User Execution|
|Defense Evasion||T1140||Deobfuscate/Decode Files or Information|
|Credential Access||T1555||Credentials from Password Stores|
| || ||Steal Web Session Cookie|
| || ||Steal Application Access Token|
| || ||Account Discovery|
| || ||System Service Discovery|
|Command and Control||T1071||Application Layer Protocol|
Indicators of Compromise
|2e60ed90aa6cefa60cc4cd968213549ddf578dcf6968d8c66366d09c7108ef56||SHA256||Malicious ZIP archive|
|9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb||SHA256||DarkCloud Stealer Loader|
|e342802bd53191559af2a23b2d11412a8fe60dc3a50e5efa1fade7067c305f55||SHA256||CUSTOM102.bin (PK file)|