Cyble – Decoding The Inner Workings Of DarkCloud Stealer

Sophisticated Malware Employs Multi-Pronged Data Exfiltration

DarkCloud is an Information Stealer Malware. It was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. Information stealers can be used to gather a variety of data, including passwords, credit card numbers, social security numbers, and other personal or financial information.

Cyble Research and Intelligence Labs (CRIL) saw a noticeable increase in the prevalence of DarkCloud Stealer, with Threat Actors (TA) employing various spam campaigns to disseminate this malware worldwide.

Figure 1 QoQ increase in DarkCloud Stealer samples in the wild
Figure 1 – Q-o-Q increase in DarkCloud Stealer samples in the wild

DarkCloud Stealer operates through a multi-stage process, with the final payload written in Visual Basic being loaded into memory during the last stage. It can exfiltrate stolen data via different methods, including SMTP, Telegram, Web Panel, and FTP.

The figure below shows the infection flow of DarkCloud stealer.

Figure 2 Infection Flow
Figure 2 – Infection Flow

The sale of DarkCloud Stealer on a cybercrime forum was reported in January 2023. The figure below shows a DarkCloud stealer post on a cybercrime forum.

Figure 3 Post on a Cybercrime Forum
Figure 3 – Post on a Cybercrime Forum

According to the TA, they are selling a program known as the “DarkCloud stealer builder”, which permits users to tailor the payload of the stealer as per their requirements. This builder also has the capability to incorporate both a “grabber” and a “clipper” functionality as part of its features.

The figure below shows the builder of DarkCloud stealer.

Figure 4 DarkCloud Stealer Panel
Figure 4 – DarkCloud Stealer Panel

The TA has also claimed that the stealer can target the applications shown below.

Figure 5 DarkCloud Stealer Functionality
Figure 5 – DarkCloud Stealer Functionality

Initial Infection

We have observed multiple spam emails that were spreading DarkCloud stealer; one example is depicted in the figure below. This email is an order invoice phishing email designed to trick the recipient into clicking on a malicious link or opening an attachment containing DarkCloud Stealer. This email appears to be from a legitimate company, such as an online retailer or a business supplier, claiming that the recipient has placed an order with them.

Figure 6 Phishing Email
Figure 6 – Phishing Email

The initial file delivered through the spam campaign is a .Net binary (SHA 256: 9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb) and acts as a dropper. It copies itself into the “UsersAppDataRoaming” directory and then creates a task scheduler entry using schtasks.exe for persistence.

The figure below shows the Task Scheduler entry created by the malware.

Figure 7 Persistence Using Task Scheduler
Figure 7 – Persistence Using Task Scheduler

Following this, the malware launches itself and loads the next level binary to the memory of a running process. The payload is loaded into memory as a VB file, as shown below.

Figure 8 VB File Loaded into Memory
Figure 8 – VB File Loaded into Memory

Technical Details

The VB file that is currently in memory is a 32-bit executable binary with SHA256, 413c9fcea027f89b9d8905ca6ae96cc099b8886fb3916876a4029e92d56fcb9b. Within the Resource section of this VB file, there is binary content that comprises a PK archive. This archive file contains an executable named “ConsoleApp1.exe,” as shown below.

Figure 9 PK archive contains ‘ConsoleApp1.exe present in the VB file Resource section.
Figure 9 – PK archive contains ‘ConsoleApp1.exe’ present in the VB file Resource section.

When executing the VB file, it extracts the “ConsoleApp1.exe” file from the PK archive and drops it in the following %appdata% path. Then, it runs the dropped executable file.

  • C:Users<Admin>AppDataRoamingMicrosoftWindowsTemplatesConsoleApp1.exe

ConsoleApp1.exe

The “ConsoleApp1.exe” file is a 32-bit .NET compiled binary that includes the source code for the DarkCloud Stealer payload in its resource directory, as shown in the figure below.

Figure 10 – ‘credentials.exe source code present in the Resource directory of
Figure 10 – ‘credentials.exe’ source code present in the Resource directory of ‘ConsoleApp1.exe’

The primary goal of the “ConsoleApp1.exe” file is to load a DarkCloud source code Stub from the project’s resource and compile it using the CompileAssemblyFromSource() method of the System.CodeDom.Compiler.CodeDomProvider class in .NET framework. The compiled binary is the payload, named “credentials.exe”, which is placed in the same directory and launched as a new process.

  • C:Users<Admin>AppDataRoamingMicrosoftWindowsTemplatescredentials.exe

The malware deletes the “credentials.exe” binary after running for 60,000 milliseconds (or 1 minute).

The image below displays the code snippet used to compile the resource stub into a binary executable through the CompileCode() method.

Figure 11 Code snippet used to compile the resource stub
Figure 11 – Code snippet used to compile the resource stub

Credentials.exe

The payload “credentials.exe” is a 32-bit .NET executable that is identified as a DarkCloud Stealer with SHA256, 33fa272ffd2eac92f2a344718fa9bf678703f8194fcfcbc499ab9fefcdab4cca.

The figure below shows the file details of “credentials.exe”.

Figure 12 – File Details of
Figure 12 – File Details of “Credentials.exe”

Once executed, “credentials.exe” begins to gather confidential information from multiple applications installed on the targeted system, after which it sends the stolen data to the Command and Control (C&C) server.

Password Recovery: Browsers & Email Clients

Stealing Login Details from GECKO Browsers

The ExecGGFHGFDute() method retrieves the saved usernames and passwords from various applications on the victim’s computer, including web browsers and email clients (such as Thunderbird).

This method iterates over each profile directory found in the Program.MozillaPaths dictionary, as shown in Figure 12, and checks for the existence of specific files such as logins.json, key4.db, signons.sqlite, and key3.db within each directory.

Figure 13 – Targeting GECKO based browsers
Figure 13 – Targeting GECKO-based browsers

If the required files are found, the function will utilize the ExtractCredentials() and decryptLogins() methods from MozillaCreds class to extract stored usernames and passwords from the respective files. The encoded username and password values are decrypted using the Triple DES algorithm. The resulting login credentials are then appended to a string variable named “Program.datas.”

The below figure shows the code snippet of functions used to extract credentials from the victim’s machine.

Figure 14 Code snippet used to extract login credentials from GECKO web browsers
Figure 14 – Code snippet used to extract login credentials from GECKO web browsers

Grab Credit Card & Login Details from CHROMIUM Browsers

The purpose of the Grab() method is to retrieve data related to user accounts and credit cards from Chromium-based web browsers (which could include more than 25 different browsers).

This method works by looping through a set of Chromium browser profiles specified in the “Program.ChromiumPaths” dictionary, as shown in Figure 15.

For each profile, it extracts and consolidates information about accounts and credit cards from the corresponding browser data files. The collected information is then added to a string variable named “Program.datas”.

Figure 15 Targeting CHROMIUM based browsers
Figure 15 – Targeting CHROMIUM-based browsers

The below figure shows the code snippet of functions used to extract credentials from the victim’s Chromium-based web browsers.

Figure 16 Code snippet used to extract login credentials from chromium web browsers
Figure 16 – Code snippet used to extract login credentials from chromium web browsers

Stealing FTP Credentials

The GetWinSCP() method obtains the saved login credentials for WinSCP (an FTP client) from the Windows registry and decrypts them. For every set of credentials, the function generates a WinSCPDecrypt object and invokes its Decrypt method to decode the password using the specified host and username.

It then formats the decrypted credentials and application name in a string format and appends the resulting string to “Program.datas.” The malware can also target FTP clients such as FileZilla, CoreFTP, and FlashFXP.

The below image shows the code snippet used to extract credentials from WinSCP.

Figure 17 code snippet used to extract credentials from WinSCP
Figure 17 – Code snippet used to extract credentials from WinSCP

Other Functionalities

As the functionalities of DarkCloud stealer can be customized using a builder. Not all binaries will perform similar stealing functions; however, based on the builder screenshot shared by TA, we infer that this stealer can have the following functionalities:

This malware can collect system information, capture screenshots, monitor clipboard activities, and retrieve cookies, messages, and contacts (163 MailMaster) from the targeted system.

It can also obtain confidential data from various sources, including VPN services such as NordVPN, messaging applications like Pidgin, and Password Managers such as Internet Explorer and Microsoft Edge vaults.

Furthermore, it can grab certain file types like TXT, XLS, XLSX, RTF, and PDF from the targeted system and access sensitive information from cryptocurrency applications. Additionally, the malware offers a crypto-swapping feature for popular digital currencies such as bitcoin, bitcoin cash, Ethereum, and ripple.

After acquiring all the confidential data from the targeted applications, the malware stores all the gathered information in the “Program.datas” variable and subsequently saves this information in a text file named “credentials.txt”. This file is located within the same directory. The final step involves the DarkCloud Stealer transmitting the exfiltrated details to the C&C server.

Conclusion

DarkCloud Stealer has been observed in various spam campaigns in 2023. It can steal sensitive information from infected devices, including passwords, credit card numbers, social security numbers, and other personal or financial information.

The malware executes in multiple stages, culminating in loading a final payload into the memory. The data exfiltration capabilities of DarkCloud stealer include the use of SMTP, Telegram, Web Panel, and FTP. Furthermore, it has been identified as a state-of-the-art malware that can customize its payload to target different applications, making it highly adaptable.

The ongoing activities of InfoStealers represent a severe threat to the security of devices, users, and businesses worldwide.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:   

Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact 

  • Don’t keep important files in common locations such as the Desktop, My Documents, etc. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • ​Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • ​Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.     
  • ​Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • ​Conduct regular backup practices and keep those backups offline or in a separate network. 

MITRE ATT&CK® Techniques 

Tactic  Technique ID  Technique Name 
Initial Access  T1566.001  Phishing
Execution  T1204 
T1053 
User Execution 
Scheduled Task/Job
Persistence  T1053  Scheduled Task/Job 
Defense Evasion  T1140 Deobfuscate/Decode Files or Information
Credential Access    T1555
T1539
T1552
T1528
Credentials from Password Stores   
Steal Web Session Cookie   
Unsecured Credentials   
Steal Application Access Token   
Discovery    T1087
T1518
T1057
T1007
Account Discovery   
Software Discovery   
Process Discovery   
System Service Discovery   
Command and Control     T1071 Application Layer Protocol   

Indicators of Compromise 

Indicators  Indicator type  Description 
5d060254a6d7eb2cdb2031e29891cb95206757a28fe0d51569eb9f7f55637ac6 SHA256  Spam email 
79b13d9a52d466a606c37b8f12b2ef7af4e9b53a911b70427c07cb73adb504a1 SHA256  Spam email 
2e60ed90aa6cefa60cc4cd968213549ddf578dcf6968d8c66366d09c7108ef56 SHA256  Malicious ZIP archive 
9bb43e190685f86937e09673de3243cbe1971ecf0eab9b75e09d0de96e9764cb SHA256  DarkCloud Stealer Loader 
413c9fcea027f89b9d8905ca6ae96cc099b8886fb3916876a4029e92d56fcb9b SHA256  VB exe
e342802bd53191559af2a23b2d11412a8fe60dc3a50e5efa1fade7067c305f55 SHA256 CUSTOM102.bin (PK file)
51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb SHA256 ConsoleApp1.exe
33fa272ffd2eac92f2a344718fa9bf678703f8194fcfcbc499ab9fefcdab4cca SHA256 DarkCloud Stealer
(Credentials.exe)

Source: https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/