Focus Mode
Threat Research

TMPN (Skuld) Stealer: The dark side of open source

Securonix
TMPN (Skuld) Stealer: The dark side of open source
Skuld, also known as TMPN Stealer, is a Golang-based information-stealing malware that emerged in May 2023. It utilizes Discord webhooks for communication and is capable of stealing browser and cryptocurrency wallet data, as well as local files and system information. The malware employs various evasion techniques to avoid detection and maintain persistence on infected systems. Affected: Discord, Windows

Keypoints :

  • Skuld is based on the open-source project Skuld Stealer.
  • It uses Discord webhooks for communication.
  • The malware steals browser data, cryptocurrency wallet information, and local files.
  • It employs a UAC bypass technique to gain elevated permissions.
  • Skuld hides its presence by setting attributes to ‘hidden’ and ‘system’.
  • It adds a registry key for persistence on victim systems.
  • The malware checks for virtual machines and debuggers to evade detection.
  • It injects JavaScript payloads into Discord and cryptocurrency wallets.
  • Skuld collects extensive system information and uploads it in JSON format.
  • It targets popular cryptocurrency wallets and gaming platforms.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: The malware uses Discord webhooks for command and control.
  • T1055 – Process Injection: Skuld injects JavaScript payloads into Discord and cryptocurrency wallet applications.
  • T1086 – PowerShell: The malware uses PowerShell commands to disable Windows Defender.
  • T1547.001 – Boot or Logon Autostart Execution: It adds a registry key for persistence.
  • T1012 – Query Registry: Skuld queries the registry to check for its own path and to set persistence.
  • T1083 – File and Directory Discovery: The malware searches for specific files on the system.
  • T1070.001 – Indicator Removal on Host: It attempts to hide its presence by modifying file attributes.

Indicator of Compromise :

  • [file name] loader.exe
  • [file hash] SHA256: 5a7e38a45533e0477c3868c49df16d307a3da80b97a27ac4261619ff31a219f8
  • [url] hxxps://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js
  • [url] hxxps://discord.com/api/webhooks/1272963856322527274/PGGfe9V7To17wrSy0T7qE8EpNjFXfms2KY4A421gXmXwMcrPdaeG0Z3DB2T9eYE
  • [url] hxxps://api.gofile.io/getServer
  • Check the article for all found IoCs.

Full Research: https://www.acronis.com/en-us/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source/

Tags: PERSISTENCE, WINDOWS, PAYLOAD, DISCOVERY, EMAIL, PASSWORD, BROWSER