Uncovering DarkCloud Infostealer Attacks on the Finance Sector


DarkCloud Stealer is a credential-stealing malware family observed in phishing campaigns that deliver malicious .rar attachments. The campaign uses a multi-stage infection chain: an encoded VBScript dropper, PowerShell that decodes base64 content, a .NET loader hidden inside an image file, and process injection into trusted Windows binaries, all aimed at evading detection and exfiltrating sensitive data. The targeting is narrow (Windows hosts and browser-stored credentials), and the campaign represents a high-severity threat to financial networks worldwide.

Severity Level: High

Threat Details

1. Initial Access & Delivery:

  • Method: Phishing emails with malicious .rar attachments
  • Example Attachment Name: Proof of Payment.rar
  • Contained File: Encoded VBScript (Proof of Payment.vbe) executed by wscript.exe

2. Execution Chain:

  • The VBScript spawns PowerShell, which decodes base64-encoded content.
  • PowerShell downloads a JPG (universe-1733359315202-8750.jpg) that has a .NET DLL loader embedded in it.
  • The DarkCloud Loader is carved out of the image bytes, loaded from memory with [Reflection.Assembly]::Load(), and started via .Invoke(), so the DLL never needs to be written to disk at this stage.
  • The loader establishes persistence by copying .js files and adding registry Run keys.
  • It then downloads and decrypts the main DarkCloud Stealer payload, which runs in memory.

3. Post-Execution Behavior:

  • The main DarkCloud Stealer payload is injected into trusted processes such as MSBuild.exe and mtstocom.exe, so it runs in memory under a legitimate image name.
  • Drops a disguised executable, M3hd0pf.exe, in AppData\Roaming\Windows Multimedia Platform.
  • Establishes persistence via registry Run keys that launch the masqueraded executable.
  • Harvests saved credentials from Chrome and Edge by reading their Login Data stores from a process that is not the browser.
  • Exfiltrates the collected data over FTP and SMTP to attacker-controlled domains.

Recommendations

  1. Watch for emails with RAR attachments, especially those with payment-themed names such as "Proof of Payment.rar".
  2. Monitor access to the Chrome and Edge credential stores (the Login Data files under each browser profile). Flag any access where the initiating process is not the legitimate browser executable.
  3. Set up detections for unusual FTP or SMTP traffic from endpoints, especially from processes that are not mail clients and towards dynamic or DGA-style domains.
  4. Monitor and alert on .vbe, .vbs and .js files executed by wscript.exe or cscript.exe from Temp directories or the Outlook attachment cache.
  5. Block or closely scrutinize outbound connections to TLDs commonly abused by infostealer campaigns, such as .shop, .xyz and .info. High-volume TLDs such as .net cannot realistically be blocked outright; for those, review the process and source-file context that leads to the outbound connection before deciding.
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/67903f74c1d3af192b2a4e75ceaf86a79be2519a238f9b2c02bf7ce135e7e207/iocs
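A detection prototype for recommendations 2 through 4 plus the drop directory named under Post-Execution Behavior. This is an added example, not code from the original advisory: it runs four rules over a normalized stream of process-creation, file-access and outbound-connection events, the shape an EDR or a Sysmon/Windows-audit pipeline would deliver. The events at the bottom are constructed for the demo; the user name, paths and 203.0.113.x addresses are illustrative, and the allowlists of browsers and mail clients are assumptions to be tuned per environment.

```python
"""Rules for the DarkCloud behaviours listed above, run over constructed sample events."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbe|vbs|js)\b", re.IGNORECASE)
# Temp folders and the Outlook attachment cache (Content.Outlook) are where mailed scripts land
UNTRUSTED_DIRS = re.compile(r"\\(temp|content\.outlook)\\", re.IGNORECASE)
# Chromium-based browsers keep saved logins in a SQLite file named "Login Data" under the profile
CRED_STORE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe"}                 # assumed allowlist, tune per environment
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}       # assumed allowlist, tune per environment
DROP_DIR = re.compile(r"\\AppData\\Roaming\\Windows Multimedia Platform\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def rule_script_host_from_temp(ev):
    """Recommendation 4: script host running a .vbe/.vbs/.js from Temp or the Outlook cache."""
    if ev["type"] != "process_create" or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["command_line"]
    return "script_host_from_temp_or_outlook" if SCRIPT_EXT.search(cmd) and UNTRUSTED_DIRS.search(cmd) else None


def rule_browser_cred_access(ev):
    """Recommendation 2: a non-browser process reading a browser Login Data store."""
    if ev["type"] != "file_access" or not CRED_STORE.search(ev["target"]):
        return None
    return None if basename(ev["image"]) in BROWSERS else "non_browser_read_of_login_data"


def rule_mail_ftp_from_nonmail(ev):
    """Recommendation 3: FTP/SMTP-family connections from something other than a mail client."""
    if ev["type"] != "network_connect" or ev["dest_port"] not in EXFIL_PORTS:
        return None
    if basename(ev["image"]) in MAIL_CLIENTS:
        return None
    return f"{EXFIL_PORTS[ev['dest_port']]}_from_non_mail_process"


def rule_exec_from_drop_dir(ev):
    """Drop location named in the advisory: execution from Windows Multimedia Platform under Roaming."""
    if ev["type"] == "process_create" and DROP_DIR.search(ev["image"]):
        return "exec_from_windows_multimedia_platform_dir"
    return None


RULES = (rule_script_host_from_temp, rule_browser_cred_access,
         rule_mail_ftp_from_nonmail, rule_exec_from_drop_dir)


def evaluate(events):
    """Apply every rule to every event; return one alert per (rule, event) match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "image": ev["image"],
                               "detail": ev.get("command_line") or ev.get("target")
                               or f"{ev.get('dest_ip')}:{ev.get('dest_port')}"})
    return alerts


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed sample events: alternating malicious and benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Proof of Payment.vbe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Scripts\logon.vbs"},                    # benign: not Temp/Outlook
    {"type": "file_access", "image": MSBUILD, "target": LOGIN_DATA},           # injected host reads creds
    {"type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": LOGIN_DATA},                                                    # benign: the browser itself
    {"type": "network_connect", "image": MSBUILD, "dest_ip": "203.0.113.10", "dest_port": 587},
    {"type": "network_connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_ip": "203.0.113.20", "dest_port": 587},                             # benign: real mail client
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\Windows Multimedia Platform\M3hd0pf.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\Windows Multimedia Platform\M3hd0pf.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Each rule keys on the initiating process rather than on a file hash, which is what makes them survive the in-memory stages of the chain: a renamed loader still has to run under wscript.exe, still has to open Login Data from a non-browser image, and still has to talk SMTP or FTP from a process that has no business doing so.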

Source:

  • https://www.cyberproof.com/blog/darkcloud-stealer-targets-financial-organizations/



Ampcus Cyber