
A new Golang-based information stealer called Skuld has compromised Windows systems across Europe, Southeast Asia, and the US.
“This new malware strain seeks to steal sensitive information from victims,” Trellix researcher Ernesto Fernández Provecho said in an analysis on Tuesday. “To perform this task, it searches for data stored in applications such as Discord and web browsers, information from the system, and files stored in the victim’s folders.”
Borrowing from publicly available stealers such as Creal Stealer, Luna Grabber, and BlackCap Grabber, Skuld is the work of a developer who operates under the online alias Deathined on social media platforms including GitHub, Twitter, Reddit, and Tumblr.

Trellix also discovered a Telegram group named deathnews, indicating that these online channels could be used to advertise the stealer as a service to other threat actors in the future.
When the malware runs, it checks to see if it is running in a virtual environment to thwart analysis. Additionally, it extracts the list of running processes and compares it with a predefined blocklist. If there is a process that matches a process present in the blocklist, Skuld will terminate the matching process instead of terminating itself.
In addition to collecting system metadata, the malware is capable of harvesting cookies and credentials stored in web browsers, as well as files residing in Windows user profile folders such as Desktop, Documents, Downloads, Photos, Music, Videos, and OneDrive.
The samples analyzed by Trellix are designed to corrupt legitimate files associated with Better Discord and Discord Token Protector and to inject JavaScript code into the Discord app to siphon backup codes, a technique that mirrors one used by another Rust-based information stealer recently documented by Trend Micro.
Some Skuld samples also include a clipper module that steals cryptocurrency assets by altering the contents of the clipboard and swapping in attacker-controlled wallet addresses; the cybersecurity firm theorizes that this component is still under development.
Data exfiltration is carried out through an attacker-controlled Discord webhook or the Gofile upload service. In the latter case, the reference URL for the uploaded ZIP file containing the stolen data is sent to the attacker using the same Discord webhook functionality.
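Both exfiltration paths described above leave a recognisable trace in outbound web traffic: a POST to a Discord webhook URL, and, for the Gofile variant, an upload POST to Gofile followed by a small webhook POST carrying the download link. The following script is an added example for defenders, not code from Trellix or from the malware: it parses a few constructed proxy-log lines, flags POSTs to those two endpoint shapes, and raises the severity when one client uses both channels or pushes a large body to a webhook. The log format, the client addresses, the Gofile server name `store1.gofile.io`, and the 32 KiB size threshold are all assumptions made for the example.

```python
"""Flag possible stealer exfiltration to Discord webhooks or Gofile in proxy logs.

Added example (not from the Trellix report). The log layout below is a
constructed, squid-like format: timestamp, client IP, method, URL, status,
request body bytes. The endpoint patterns are assumptions based on the public
Discord webhook URL shape and the Gofile upload API.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (timestamp, client, method, URL, status, request bytes).
SAMPLE_LOG = """\
1686700001.123 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/AbCdEf 204 51234
1686700002.456 10.0.0.5 POST https://store1.gofile.io/uploadFile 200 2097152
1686700003.789 10.0.0.7 GET https://discord.com/api/v9/users/@me 200 812
1686700004.012 10.0.0.9 POST https://discord.com/api/webhooks/98765/XyZ 204 120
1686700005.345 10.0.0.5 GET https://gofile.io/d/abc123 200 300
"""

# Assumed endpoint shapes for the two channels named in the report.
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/[\w-]+")
GOFILE_UPLOAD = re.compile(r"^/uploadFile$")

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<req_bytes>\d+)$"
)


def parse_log(text):
    """Turn raw log text into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["req_bytes"] = int(rec["req_bytes"])
        parsed = urlparse(rec["url"])
        rec["host"] = (parsed.hostname or "").lower()
        rec["path"] = parsed.path
        records.append(rec)
    return records


def classify(rec):
    """Return a channel label for a request that hits a known exfil endpoint, else None."""
    if rec["method"] != "POST":
        return None  # reads of these services are normal; only uploads matter here
    if rec["host"] == "discord.com" and DISCORD_WEBHOOK.match(rec["path"]):
        return "discord_webhook"
    is_gofile = rec["host"] == "gofile.io" or rec["host"].endswith(".gofile.io")
    if is_gofile and GOFILE_UPLOAD.match(rec["path"]):
        return "gofile_upload"
    return None


def find_exfil_candidates(text, large_post_bytes=32 * 1024):
    """Group hits per client and assign a severity.

    high:   the client used both channels (ZIP to Gofile, link via webhook),
            or sent a large body straight to a webhook
    medium: any single webhook or upload POST
    """
    hits = defaultdict(list)
    for rec in parse_log(text):
        channel = classify(rec)
        if channel:
            hits[rec["client"]].append((channel, rec["req_bytes"], rec["url"]))

    results = {}
    for client, items in hits.items():
        channels = {c for c, _, _ in items}
        big_webhook = any(c == "discord_webhook" and b >= large_post_bytes for c, b, _ in items)
        severity = "high" if len(channels) > 1 or big_webhook else "medium"
        results[client] = {"severity": severity, "channels": sorted(channels), "hits": items}
    return results


if __name__ == "__main__":
    for client, info in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client}: {info['severity']} via {', '.join(info['channels'])}")
```

Run against the constructed log, 10.0.0.5 is rated high (both channels, plus a 51234-byte webhook POST) and 10.0.0.9 medium (a single small webhook POST); 10.0.0.7 is ignored because its request is a GET. In a real deployment the same classifier can be pointed at proxy or NetFlow exports, with the threshold and allow-listed webhook IDs tuned to the environment's legitimate Discord usage.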

The development points to the steady adoption of the Go programming language among threat actors. Fernández Provecho notes that its “simplicity, efficiency, and cross-platform compatibility” make it an attractive means of targeting multiple operating systems and expanding the pool of victims.
“In addition, Golang’s compiled nature allows malware authors to create binary executables that are more difficult to analyze and reverse engineer,” Fernández Provecho noted. “This makes it difficult for security researchers and traditional antimalware solutions to effectively detect and mitigate these threats.”