New Skuld Malware Based on Golang Steals Discord and Browser Data from Windows PCs
A new Golang-based information thief calls Debt has compromised Windows systems across Europe, Southeast Asia, and the US
“This new malware strain attempts to steal sensitive information from its victims,” Trellix researcher Ernesto Fernández Provecho said in Tuesday’s analysis. “To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim’s folder.”
Skuld, which shares an overlap with publicly available thieves like Creal Thief, Luna GraberAnd BlackCap Grabberis the work of an online developer alias Deathined on various social media platforms such as GitHub, Twitter, Reddit, and Tumblr.
Also spotted by Trellix is a Telegram group called deathinews, which suggests this online channel could be used to promote the offering in the future as a service for other threat actors.
The malware, once executed, checks to see if it is running in a virtual environment in an attempt to thwart analysis. It further extracts the list of running processes and compares them with a predefined block list. If any process matches the one in the block list, Skuld proceeds to kill the matching process instead of terminating itself.
In addition to collecting system metadata, this malware has the ability to harvest cookies and credentials stored on web browsers as well as files located in Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.
Artifacts analyzed by Trellix show that it was engineered to tamper with legitimate files associated with Better Discord and Discord Token Protector and inject JavaScript code into the Discord app to suck up backup code, mirroring a similar technique to other Rust-based infostealers recently documented. by Trend Micro.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
The selected Skuld sample also incorporates a clipper module for altering clipboard content and stealing cryptocurrency assets by swapping wallet addresses, which the cybersecurity firm theorizes it may be under development.
Data evasion is achieved through actor-controlled Discord webhooks or the Gofile upload service. In the latter case, the reference URL to steal the uploaded ZIP file containing the stolen data is sent to the attacker using the same Discord webhook function.
Development points to the steady adoption of the Go programming language among threat actors due to its “simplicity, efficiency, and cross-platform compatibility”, making it an attractive vehicle for targeting multiple operating systems and expanding their victim pool.
“In addition, Golang’s compiled nature allows malware authors to produce binary executables that are more challenging to analyze and reengineer,” said Fernández Provecho. “This makes it difficult for security researchers and traditional anti-malware solutions to detect and mitigate these threats effectively.”
