Threat Research: DarkCloud Malware

Introduction: What is DarkCloud?

DarkCloud is an Information Stealer Malware that was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. The builders of DarkCloud state that threat actors will be able to tailor the payload of the stealer based on their needs. DarkCloud Stealer operates through a multi-stage process, with the final payload written in Visual Basic, being loaded into memory during the last stage. It can exfiltrate stolen data via different methods, including SMTP, Telegram, Web Panel, and FTP (File Transfer Protocols).

Attack Pattern: Phishing Emails

DarkCloud Stealer is delivered via phishing emails with malicious ZIP/RAR attachments. These emails have focused on order invoices designed to trick the recipient into clicking on the malicious link or file. Many of the emails look like they are from a legitimate company and ask the recipient to provide their banking details. Once the malicious link or file is opened it acts like a dropper and copies itself into the user’s directory before creating a task schedule entry for persistence. The malware is then launched and loads the next level binary to memory as a Visual Basic (VB) file. This VB file contains an executable file that includes the source code for the DarkCloud stealer payload. The source code allows the payload to be executed and begins gathering confidential information from multiple applications on the targeted system that is then communicated back to the Command-and-Control server.

DarkCloud Capabilities

Information stealers can be used to gather a variety of data, it is assessed that DarkCloud has the below capabilities:

Extract any stored usernames and passwords from the victim’s machine.

Retrieve data related to user accounts and credit cards from Chromium-based web browsers.

Target FTP clients such as FileZilla, CoreFTP, and FlashFXP.

Collect system information to include capture screenshots, monitor clipboard activities, and retrieve cookies, messages, and contacts from the targeted system.

Obtain confidential data from various sources, including VPN (Virtual Private Network) services such as NordVPN, messaging applications like Pidgin, and Password Managers such as Internet Explorer and Microsoft Edge vaults.

Grab certain file types like TXT, XLS, XLSX, RTF (Rich Text Format), and PDF from the targeted system.

Access sensitive information from cryptocurrency applications to include a crypto-swapping feature for popular digital currencies such as bitcoin, bitcoin cash, Ethereum, and ripple.

Targeted Technology

Windows Endpoint OS

Conclusion: Investing in Employee Training and Awareness

There has been a spike in threat actors using DarkCloud via spam campaigns in the first quarter of 2023. This increase in activity is likely due to the adaptability of the information stealer to be modified to work with different applications. Information Stealers represent a severe threat to the security of devices, users, and businesses worldwide. Organizations should remain vigilant and take appropriate steps to protect themselves from these types of threats, including implementing strong cybersecurity measures, investing in employee training and awareness, and regularly updating their security protocols. 

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: