CTI Roundup: Skuld Malware Steals Discord Data From Windows PCs
by Tanium CTI
June 21, 2023
https://www.tanium.com/blog/skuld-malware-steals-discord-data-cyber-threat-intelligence-roundup/
| Remark |
|---|
| China |
| DoH |
| Linux |
| malware |
| Golang |
| Skuld malware |
| Discord |
| browser data |
| Windows |
| phishing |
| infostealer |
| malware strain |
| CTI |
| ChamelGang |
| ChamelDOH |
| implant |
| backdoor |
| Positive Technologies https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/ |
| Windows |
| Stairwell |
| TTPs |
| IoCs |
| DNS over HTTPS tunneling |
| C++ |
| base64 |
| subdomains |
| DNS tunneling |
| gather system information |
| file upload |
| file download |
| file deletion |
| file execution |
| system call |
| JSON |
| reconnaissance |
| attribution |
| attribution due to malicious domain reuse |
| Discord |
| Trellix |
| Europe |
| Southeast Asia |
| United States |
| Creal Stealer |
| Luna Grabber |
| BlackCap Grabber |
| Telegram |
| Telegram group named the same as alleged Skuld developer |
| cybercrime |
| Skuld is written in Golang 1.20.3 and uses a wide variety of libraries |
| regular expression |
| path |
| map structure |
| modular malware |
| fake error message |
| malware checks for security and analysis software and terminates if it finds it is being observed |
| virtual machine detection |
| virtual machine detection by checking screen resolution |
| virtual machine detection by checking that the amount of RAM is more than 2 GB |
| virtual machine detection by checking registry keys containing video or disk information; if they reference VirtualBox or VMware, the malware terminates |
| VMware |
| VirtualBox |
| enumerates running processes and compares them to a blocklist; if a listed process is found, the malware terminates |
| JavaScript |
| injects JavaScript into discord_desktop_core |
| Better Discord security features |
| malware corrupts BetterDiscord\data\betterdiscord.asar |
| ByDeathined |
| MFA |
| Steals Discord backup MFA codes |
| Chromium |
| Gecko |
| Steals credentials and info from local data, login data, history, downloads, and session tokens |
| archive |
| compression |
| malware stores stolen browser data in browsers.zip |
| GitHub |
| Deathined GitHub account |
| Reddit account Deathined |
| Tumblr account, Deatined |
| Twitter account, @deathined |
| Carrd account linking to @deathined Twitter account |
| Golang gaining popularity with malware authors |
| Malware authors leverage strengths of Golang |
| phishing https://bolster.ai/blog/brand-impersonation-scam |
| phishing: impersonating over 100 apparel, footwear and clothing brands to trick users into entering credentials and financial information |
| BleepingComputer https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-uses-6-000-sites-to-impersonate-100-brands/ |
| Nike, Puma, Asics, Vans, Adidas, Columbia |
| phishing campaign used over 3,000 unique domains and 6,000 sites |
| Autonomous System Number (ASN) AS48950 |
| IP address |
| Packet Exchange Limited |
| Global Colocation Limited |
| reputation |
| Alibaba.com |
| Some domains were aged, some were new |
| Google SEO phishing |
| TLD |
| domain naming pattern: brand name + city name + generic TLD |
| recommendation: confirm legitimacy of domains |
| recommendation: if it's too good to be true, it probably is |
| recommendation: businesses should monitor and protect against impersonation |
| recommendation: user awareness |
| artificial intelligence |
| machine learning |
| social engineering |
| machine learning model |
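
The ChamelDOH notes above (DNS over HTTPS tunneling, base64-encoded subdomains, JSON command results) describe a transport, and the mechanics are easier to see in code than in a list of tags. The following Go program is an added example, not code from the Stairwell or Positive Technologies reports and not ChamelDOH itself: it encodes a JSON payload into DNS names the way a tunnel client would, reassembles them on the server side, and runs a simple entropy heuristic over queried names as the detection counterpart. The C2 domain, the 63-character chunking, the `seq-total` header label, the base64url variant and the detection thresholds are all assumptions; the report does not give ChamelDOH's exact framing.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Assumed values: the reports do not give ChamelDOH's C2 domain, chunking or
// exact base64 variant, so this example uses an illustrative domain and
// base64url without padding so the output stays legal in DNS labels.
const c2Domain = "c2.example.invalid"
const maxLabel = 63 // RFC 1035 limit on a single DNS label

// encodeTunnel turns a command/response payload into the hostnames a
// DoH-tunneling implant would resolve: base64url(payload) cut into labels of
// at most 63 characters, each prefixed with a "seq-total" header label so the
// server can reassemble out-of-order queries and notice missing chunks.
func encodeTunnel(payload []byte, domain string) []string {
	enc := base64.RawURLEncoding.EncodeToString(payload)
	total := (len(enc) + maxLabel - 1) / maxLabel
	names := make([]string, 0, total)
	for i := 0; i < total; i++ {
		end := (i + 1) * maxLabel
		if end > len(enc) {
			end = len(enc)
		}
		names = append(names, fmt.Sprintf("%d-%d.%s.%s", i, total, enc[i*maxLabel:end], domain))
	}
	return names
}

// decodeTunnel reverses encodeTunnel over a (possibly reordered) set of
// queried names, ignoring names outside the tunnel domain.
func decodeTunnel(names []string, domain string) ([]byte, error) {
	chunks := map[int]string{}
	total := -1
	for _, n := range names {
		if !strings.HasSuffix(n, "."+domain) {
			continue
		}
		hdr, data, ok := strings.Cut(strings.TrimSuffix(n, "."+domain), ".")
		if !ok {
			continue
		}
		seqStr, totStr, ok := strings.Cut(hdr, "-")
		if !ok {
			continue
		}
		seq, err1 := strconv.Atoi(seqStr)
		tot, err2 := strconv.Atoi(totStr)
		if err1 != nil || err2 != nil {
			continue
		}
		total = tot
		chunks[seq] = data
	}
	if total < 0 {
		return nil, fmt.Errorf("no tunnel queries under %s", domain)
	}
	var sb strings.Builder
	for i := 0; i < total; i++ {
		c, ok := chunks[i]
		if !ok {
			return nil, fmt.Errorf("missing chunk %d of %d", i, total)
		}
		sb.WriteString(c)
	}
	return base64.RawURLEncoding.DecodeString(sb.String())
}

// labelEntropy is the Shannon entropy in bits per character of one label.
func labelEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// looksTunneled is the detection side: a long, high-entropy label is the
// signature of encoded data riding in DNS. The thresholds are assumed starting
// points to tune against your own DoH/DNS logs, not values from the reports.
func looksTunneled(name string) bool {
	for _, label := range strings.Split(name, ".") {
		if len(label) >= 30 && labelEntropy(label) >= 3.5 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample payload; the JSON shape ChamelDOH uses is not on the page.
	payload, _ := json.Marshal(map[string]string{"cmd": "sysinfo", "host": "WS-01", "os": "Windows 10", "user": "alice"})
	names := encodeTunnel(payload, c2Domain)
	for _, n := range names {
		fmt.Printf("flagged=%v %s\n", looksTunneled(n), n)
	}
	back, err := decodeTunnel(names, c2Domain)
	fmt.Println(string(back), err)
}
```

Two practical caveats follow from the code. DNS names are case-insensitive and some resolvers randomise label case, which silently corrupts base64 in transit; that is why many tunnels fall back to base32 or a custom alphabet, and why a decoder that tolerates case changes is a sign the operator has thought about it. On the detection side, DoH hides the query from the network, so the entropy check has to run on the endpoint (resolver logs, browser or OS DoH telemetry) or on a resolver you control rather than on a packet capture.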
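
The Skuld anti-analysis notes above (screen resolution, RAM above 2 GB, VirtualBox/VMware strings in video and disk registry keys, a process blocklist) are what a detonation sandbox has to pass before the stealer shows any behaviour. The Go program below is an added example, not Skuld's code or anything from the Trellix report: it takes those observations as caller-supplied inputs and returns every check that would make a Skuld-style sample terminate, which is the question a sandbox operator actually needs answered. The 2 GB RAM bound and the VMware/VirtualBox markers come from the notes; the 1280x720 resolution floor and the process blocklist contents are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// hostProfile holds the observations the notes say Skuld checks. The caller
// supplies them (for instance collected from a sandbox image), so this runs
// on any OS without touching the registry or process list itself.
type hostProfile struct {
	ScreenWidth, ScreenHeight int
	RAMBytes                  uint64
	RegistryStrings           []string // values from video/disk registry keys
	Processes                 []string // image names of running processes
}

// Assumed thresholds and lists: the notes give the 2 GB RAM bound and the
// VMware/VirtualBox markers; the resolution floor and the process blocklist
// are illustrative, not Skuld's actual values.
const minRAMBytes = 2 << 30
const minWidth, minHeight = 1280, 720

var hypervisorMarkers = []string{"vmware", "virtualbox", "vbox"}
var processBlocklist = map[string]bool{
	"procmon.exe": true, "wireshark.exe": true, "x64dbg.exe": true,
	"ollydbg.exe": true, "processhacker.exe": true, "fiddler.exe": true,
}

// analysisIndicators returns every reason a Skuld-style check would treat the
// host as an analysis environment; an empty result means the stealer would
// carry on. Reporting all hits, not just the first, is what lets you verify
// that a sandbox survives every check rather than tripping a later one.
func analysisIndicators(h hostProfile) []string {
	var hits []string
	if h.ScreenWidth < minWidth || h.ScreenHeight < minHeight {
		hits = append(hits, fmt.Sprintf("screen %dx%d below %dx%d", h.ScreenWidth, h.ScreenHeight, minWidth, minHeight))
	}
	if h.RAMBytes < minRAMBytes {
		hits = append(hits, fmt.Sprintf("RAM %d MiB below 2 GiB", h.RAMBytes>>20))
	}
	for _, s := range h.RegistryStrings {
		for _, m := range hypervisorMarkers {
			if strings.Contains(strings.ToLower(s), m) {
				hits = append(hits, "registry value mentions "+m+": "+s)
				break
			}
		}
	}
	for _, p := range h.Processes {
		if processBlocklist[strings.ToLower(p)] {
			hits = append(hits, "blocklisted process: "+p)
		}
	}
	return hits
}

// wouldTerminate mirrors the stealer's decision: any single hit is enough.
func wouldTerminate(h hostProfile) bool { return len(analysisIndicators(h)) > 0 }

func main() {
	// Constructed profiles, not data from the report.
	sandbox := hostProfile{1024, 768, 1 << 30,
		[]string{"VMware SVGA 3D", "VBOX HARDDISK"}, []string{"explorer.exe", "Procmon.exe"}}
	victim := hostProfile{1920, 1080, 16 << 30,
		[]string{"NVIDIA GeForce RTX 3060", "Samsung SSD 970 EVO"}, []string{"explorer.exe", "Discord.exe"}}
	for name, h := range map[string]hostProfile{"sandbox": sandbox, "victim": victim} {
		fmt.Printf("%s: terminate=%v\n", name, wouldTerminate(h))
		for _, r := range analysisIndicators(h) {
			fmt.Println("  -", r)
		}
	}
}
```

The point of returning all indicators is operational: raising sandbox RAM past 2 GB fixes one check while the disk and video registry strings still name the hypervisor, so the sample exits before writing browsers.zip and the run looks clean. Feed the function the values from your own sandbox image and treat any non-empty result as a hardening gap.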
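
The brand-impersonation notes above describe one concrete detection handle: the campaign's domains followed a brand name + city name + generic TLD pattern. The Go program below is an added example, not code from Bolster or BleepingComputer: it classifies hostnames from a feed (passive DNS, certificate transparency, proxy logs) against that pattern. The brand list is the one the reports name; the city list, the generic-TLD set, the known-good apex domains and the sample feed are constructed assumptions, and the registrable domain is approximated as the last two labels rather than resolved through a public suffix list.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed lists. The reports name the brands; the cities, generic TLDs
// and known-good apex domains below are assumptions for illustration.
var brands = []string{"nike", "puma", "asics", "vans", "adidas", "columbia"}
var cities = []string{"london", "sydney", "toronto", "chicago", "berlin", "paris"}
var genericTLDs = map[string]bool{"com": true, "shop": true, "store": true, "online": true, "site": true, "top": true, "xyz": true}
var knownGood = map[string]bool{"nike.com": true, "puma.com": true, "asics.com": true, "vans.com": true, "adidas.com": true, "columbia.com": true}

type lookalike struct{ Brand, City, TLD string }

// classifyDomain reports whether a hostname's registrable part follows the
// brand+city (or city+brand) with generic TLD pattern. Separators such as "-"
// are ignored so "nike-london" and "nikelondon" match alike. The registrable
// part is approximated as the last two labels (assumption: no public suffix
// list is consulted, so "asics.co.uk" is not classified).
func classifyDomain(host string) (lookalike, bool) {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(labels) < 2 {
		return lookalike{}, false
	}
	sld, tld := labels[len(labels)-2], labels[len(labels)-1]
	if knownGood[sld+"."+tld] || !genericTLDs[tld] {
		return lookalike{}, false
	}
	core := strings.NewReplacer("-", "", "_", "").Replace(sld)
	for _, b := range brands {
		for _, c := range cities {
			if core == b+c || core == c+b {
				return lookalike{b, c, tld}, true
			}
		}
	}
	return lookalike{}, false
}

// flagDomains runs classifyDomain over a feed and returns only the suspects,
// one line per hit, ready to hand to a takedown or blocklist workflow.
func flagDomains(feed []string) []string {
	var out []string
	for _, h := range feed {
		if m, ok := classifyDomain(h); ok {
			out = append(out, fmt.Sprintf("%s -> brand=%s city=%s tld=.%s", h, m.Brand, m.City, m.TLD))
		}
	}
	return out
}

func main() {
	// Constructed feed; none of these are the campaign's real domains.
	feed := []string{
		"www.nike-london.shop", "puma.com", "adidas-berlin.store", "torontovans.online",
		"asics.co.uk", "shop.columbia-paris.xyz", "example.com",
	}
	for _, f := range flagDomains(feed) {
		fmt.Println(f)
	}
}
```

Pattern matching on the name alone is a first-pass filter, not a verdict: the reports note that the campaign's sites clustered on AS48950 and mixed aged with freshly registered domains, so in practice you would join the flagged names against hosting ASN and registration age before acting on them.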