Current Cyber Threats

From Phishing to Payload: How DarkCloud Stealer is Targeting Financial Organizations

Summary:
Researchers at CyberProof have observed a recent uptick in DarkCloud Stealer attacks against financial companies. The attacks begin with phishing emails themed around payment invoices that carry malicious RAR attachments. Once the archive is opened, a VBScript file runs and launches a PowerShell command, which downloads a loader payload hidden inside a JPG image; the loader then decrypts and executes the final binary, DarkCloud Stealer. DarkCloud itself harvests sensitive data, including login credentials from browsers, email clients, and FTP clients, and exfiltrates it over FTP and SMTP to attacker-controlled domains.

Security Officer Comments:
The credentials an infostealer like DarkCloud harvests can seed follow-on intrusions and let actors move laterally across the victim network. To evade detection, DarkCloud uses process hollowing, injecting itself into legitimate Windows processes such as MSBuild.exe and mtstocom.exe so that its activity appears to come from a trusted binary. It persists by modifying Windows registry keys so that it runs each time the user logs in. Finally, its command-and-control (C2) domains are produced by a domain generation algorithm (DGA): rather than relying on static domains that can be blocked, DarkCloud continually shifts its C2 infrastructure, so communication continues even if an individual domain is taken down.

Suggested Corrections:
  • Malicious Attachments: Watch for emails with RAR attachments, especially those with suspicious file names like “Proof of Payment.rar.”
  • VBE/VBS/JS File Execution: Monitor for the execution of VBScript (.vbs), VBE (.vbe), or JavaScript (.js) files, particularly when they are launched from temporary folders or from Outlook's temporary attachment folder (Content.Outlook), and when the script host in turn spawns PowerShell.
  • Process Injection: Review EDR alerts related to process injection, which is typical of infostealers; pay particular attention to MSBuild.exe or mtstocom.exe making network connections or touching credential stores.
  • Suspicious Outbound Connections: Block or alert on outbound connections to suspicious TLDs such as .shop, .xyz, .info and .net, which are commonly seen in infostealer campaigns (a blanket block on a TLD as broad as .net is rarely practical; alert and investigate instead). We advise you to check the source file or process context that leads to such outbound connections, since the page's own chain has a hollowed MSBuild.exe, not a browser, talking to these domains over FTP and SMTP.
  • Credential Access: Use the hunting queries in the linked CyberProof report to detect processes other than msedge.exe or chrome.exe attempting to access browser login data files (Login Data). This is a strong sign of credential theft.
  • Stay Ahead: Keep your CTI feeds and hunting queries updated to stay ahead of commodity malware attacks.
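The checks in the list above, expressed as hunting rules and run over a handful of constructed Sysmon-style events. This is an added example, not code or queries from the CyberProof report: the event records, host name, file names and domain are made up, and the Run-key location used by the persistence rule is an assumption (the report says only that a registry modification runs the malware at logon).

```python
"""Toy hunting rules for the DarkCloud infection chain (added example, not the
report's own queries). Events are constructed in a Sysmon-like shape:
id 1 = process create, 3 = network connection, 11 = file access, 13 = registry set."""
import re
from collections import defaultdict

# Constructed sample telemetry: none of these records come from a real incident.
SAMPLE_EVENTS = [
    {"id": 1, "host": "fin-ws01",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'wscript.exe "C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3D4\Proof of Payment.vbs"'},
    {"id": 1, "host": "fin-ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "IEX (...)"'},
    {"id": 13, "host": "fin-ws01",   # assumed Run-key persistence location
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 11, "host": "fin-ws01",   # hollowed MSBuild reading the Chrome credential store
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 11, "host": "fin-ws01",   # benign: the browser reading its own store
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 3, "host": "fin-ws01",    # FTP egress to a made-up .shop domain
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_host": "update-checker.shop", "dest_port": 21},
    {"id": 3, "host": "fin-ws01",    # benign browsing
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.microsoft.com", "dest_port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
HOLLOW_TARGETS = {"msbuild.exe", "mtstocom.exe"}   # hollowing targets named in the report
SUSPICIOUS_TLDS = {"shop", "xyz", "info"}          # .net left out: too broad to match blindly
EXFIL_PORTS = {21, 25, 587}                        # FTP and SMTP, the report's exfil channels
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js)\b", re.IGNORECASE)
STAGING_DIRS = re.compile(r"\\(temp|content\.outlook)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_from_staging_dir(ev):
    """Script host running a .vbs/.vbe/.js out of a temp or Content.Outlook folder."""
    return bool(ev.get("id") == 1 and basename(ev["image"]) in SCRIPT_HOSTS
                and SCRIPT_EXT.search(ev.get("cmdline", ""))
                and STAGING_DIRS.search(ev.get("cmdline", "")))


def rule_powershell_spawned_by_script_host(ev):
    """PowerShell whose parent is wscript/cscript: the VBS-to-PowerShell hop."""
    return bool(ev.get("id") == 1 and basename(ev["image"]) == "powershell.exe"
                and basename(ev.get("parent", "")) in SCRIPT_HOSTS)


def rule_run_key_persistence(ev):
    """Any process writing under a Run/RunOnce key (assumed persistence location)."""
    return bool(ev.get("id") == 13 and RUN_KEY.search(ev.get("target", "")))


def rule_non_browser_login_data_access(ev):
    """Something other than Chrome/Edge touching a browser 'Login Data' file."""
    return bool(ev.get("id") == 11 and ev.get("target", "").lower().endswith("login data")
                and basename(ev["image"]) not in BROWSERS)


def rule_suspicious_egress(ev):
    """Egress to a suspicious TLD, or FTP/SMTP from a known hollowing target."""
    if ev.get("id") != 3:
        return False
    tld = ev["dest_host"].rsplit(".", 1)[-1].lower()
    from_hollow_target = basename(ev["image"]) in HOLLOW_TARGETS
    return tld in SUSPICIOUS_TLDS or (from_hollow_target and ev["dest_port"] in EXFIL_PORTS)


RULES = {
    "script_from_staging_dir": rule_script_from_staging_dir,
    "powershell_spawned_by_script_host": rule_powershell_spawned_by_script_host,
    "run_key_persistence": rule_run_key_persistence,
    "non_browser_login_data_access": rule_non_browser_login_data_access,
    "suspicious_egress": rule_suspicious_egress,
}


def hunt(events):
    """Return (rule_name, host, process) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["host"], basename(ev["image"])))
    return hits


def score_hosts(hits):
    """Group hits by host: several distinct rules firing on one host is the strong signal."""
    by_host = defaultdict(set)
    for name, host, _ in hits:
        by_host[host].add(name)
    return dict(by_host)


if __name__ == "__main__":
    for name, host, proc in hunt(SAMPLE_EVENTS):
        print(f"{host}: {name} ({proc})")
```

Each rule on its own is noisy (developers run MSBuild, installers write Run keys); the value is in `score_hosts`, which surfaces a host where the script-host, PowerShell, credential-store and egress rules all fire within the same chain. Port the predicates to your EDR's query language and tune the TLD list and staging directories to your environment.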
Link(s):
https://www.cyberproof.com/blog/darkcloud-stealer-targets-financial-organizations/