Cybersecurity researchers have noticed an uptick in threat actors using the Go programming language to develop malware. The Skuld infostealer, the latest example discovered by Trellix, substantiates this trend.
According to a report by Ernesto Fernández Provecho from Trellix Advanced Research Center, a new infostealing malware, dubbed Skuld, is targeting Windows-based systems worldwide. It is capable of stealing sensitive data from web browsers and Discord accounts.
Skuld Malware Analysis
Right after execution, Skuld looks for data from Discord accounts and web browsers, mainly by searching the files stored in their folders. It also targets financial data: some samples Trellix examined included an evolving module capable of stealing cryptocurrency wallet data.
Furthermore, Skuld checks whether it is running in a virtual setup through three different techniques.
- First, it checks the system’s screen resolution. If it is not higher than 200×200 pixels, it assumes the system is running in a virtual environment.
- Second, it checks the total RAM, which must be over 2,000,000,000 bytes (about 1.86 GB).
- Third, it checks various registry keys linked with the system’s video and disk information; if any of them contain information about VirtualBox or VMware, the application terminates.
Once it confirms it is running on a real Windows device, it enumerates the running processes and compares them against a pre-defined blocklist. The list comprises username, PC name, HWID, and public IP address.
If a match is found, the malware terminates the matched process rather than exiting itself. It exfiltrates data through an actor-controlled Discord webhook. It may also upload the stolen data as a ZIP file to the Gofile upload service and retrieve it through a reference link. The stolen data is ultimately sent to the attacker via the same Discord webhook.
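Both exfiltration channels named above leave a recognizable footprint in endpoint or proxy logs: an HTTP POST to a Discord webhook URL, or an upload to Gofile, from a process that has no business doing either. The script below is an added example written for this page, not code from Trellix or the Skuld report; it flags that pattern over constructed sample events. The log format, the process names and the list of expected Discord clients are assumptions for illustration, and the webhook id and token in the sample are placeholders.

```python
"""Flag Discord-webhook POSTs and Gofile uploads in endpoint network logs.
Added example (not from Trellix or the Skuld report); log format and host/process
lists are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: one event per line as ts|process|host|path|method.
SAMPLE_LOG = """\
2024-01-01T10:00:01|chrome.exe|discord.com|/api/v9/users/@me|GET
2024-01-01T10:00:05|update_helper.exe|discord.com|/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN|POST
2024-01-01T10:00:07|update_helper.exe|api.gofile.io|/uploadFile|POST
2024-01-01T10:01:00|Discord.exe|discord.com|/api/v9/gateway|GET
2024-01-01T10:02:00|outlook.exe|outlook.office.com|/owa/|GET
"""

WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[\w-]+")  # numeric webhook id followed by its token
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}  # assumption


@dataclass(frozen=True)
class Event:
    ts: str
    process: str
    host: str
    path: str
    method: str


def parse_log(text: str) -> list:
    """Parse the pipe-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, host, path, method = line.split("|", 4)
        events.append(Event(ts, process, host, path, method))
    return events


def is_gofile_host(host: str) -> bool:
    # Gofile serves uploads from subdomains of gofile.io (assumption: suffix match is enough).
    return host == "gofile.io" or host.endswith(".gofile.io")


def suspicious_events(events) -> list:
    """Return (event, reason) pairs. Every webhook POST is reported; one coming from a
    process that is not a normal Discord client gets its own reason so it can be
    prioritized. Any POST to Gofile is reported as an upload."""
    findings = []
    for e in events:
        if e.method == "POST" and e.host in DISCORD_HOSTS and WEBHOOK_PATH.match(e.path):
            if e.process.lower() in EXPECTED_DISCORD_CLIENTS:
                findings.append((e, "discord-webhook-post"))
            else:
                findings.append((e, "discord-webhook-post-unexpected-process"))
        elif e.method == "POST" and is_gofile_host(e.host):
            findings.append((e, "gofile-upload"))
    return findings


if __name__ == "__main__":
    for event, reason in suspicious_events(parse_log(SAMPLE_LOG)):
        print(f"{event.ts} {event.process} -> {event.host}{event.path}: {reason}")
```

Webhook POSTs are legitimate for bots and CI integrations, so the process-based split keeps the rule useful on a fleet: the bare `discord-webhook-post` reason is a candidate for a per-host allowlist, while the unexpected-process variant and the Gofile upload from the same process minutes apart are the pairing worth an investigation.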
Golang-based Skuld has Traces of Different Malware
Further probing revealed that its developer, Deathined, based this infostealer on open-source malware samples and projects such as BlackCap Grabber, Creal Stealer, and Luna Grabber, and built it with Go 1.20.3. The author used multiple libraries for its numerous supporting tasks.
Researchers noted that the malware developer had created accounts on GitHub, Twitter, Tumblr, Reddit, and other social media platforms, supposedly for Skuld’s promotion. Trellix researchers also discovered a Telegram group called Deathinews, where the author might offer Skuld for sale to other cybercriminals.
Skuld Capabilities
The Skuld infostealer can collect system metadata, harvest cookies and credentials from web browsers, and look for files in the Windows user profile folders, e.g., Desktop, Documents, OneDrive, Music, Videos, and Pictures.
Furthermore, it can corrupt legitimate files belonging to Discord Token Protector and Better Discord, and inject JavaScript code into the Discord app to steal backup codes. A clipper module found in Skuld samples can modify clipboard content, swapping copied wallet addresses for attacker-controlled ones to steal cryptocurrency.
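The clipper behaviour just described has a simple observable signature: the clipboard holds a cryptocurrency address, and moments later it holds a different address of the same kind although the user copied nothing else. The detector below is an added example, not Trellix's or the malware author's code; it works on a polled sequence of clipboard snapshots (time, clipboard sequence number, text) such as a monitor built on Windows' GetClipboardSequenceNumber would produce. The snapshots are constructed, and the address patterns and the swap window are assumptions chosen for illustration.

```python
"""Detect clipboard address substitution from a sequence of clipboard snapshots.
Added example (not Trellix's or the author's code); address patterns, the time
window and the sample snapshots are constructed assumptions."""
import re

# Assumed address shapes: Bitcoin legacy/bech32 and Ethereum hex addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SWAP_WINDOW_SECONDS = 2.0  # a clipper rewrites the clipboard right after the user's copy (assumption)


def address_family(text: str):
    """Return which address family the text looks like, or None."""
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return family
    return None


def detect_swaps(snapshots) -> list:
    """snapshots: list of (seconds, sequence_number, text) in time order, one per
    clipboard change. Returns (original, replacement, family) triples where an
    address was overwritten by a different one of the same family inside the window."""
    swaps = []
    prev = None
    for ts, seq, text in snapshots:
        if prev is not None:
            pts, pseq, ptext = prev
            fam, pfam = address_family(text), address_family(ptext)
            if (seq != pseq                      # a real clipboard write, not a re-read
                    and fam is not None and fam == pfam
                    and text.strip() != ptext.strip()
                    and ts - pts <= SWAP_WINDOW_SECONDS):
                swaps.append((ptext.strip(), text.strip(), fam))
        prev = (ts, seq, text)
    return swaps


# Constructed snapshots: the user copies an ETH address, it is overwritten 0.3 s
# later by a different ETH address, then ordinary text is copied a minute later.
SAMPLE_SNAPSHOTS = [
    (0.0, 41, "meeting notes"),
    (10.0, 42, "0x" + "1" * 40),
    (10.3, 43, "0x" + "2" * 40),
    (70.0, 44, "grocery list"),
]

if __name__ == "__main__":
    for original, replacement, family in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{family} address swapped: {original} -> {replacement}")
```

A user who genuinely copies two different addresses a minute apart does not match, because the window is short; what does match is the signature of a process rewriting the clipboard on the heels of the user's own copy, which is the point at which the clipping process should be identified and stopped.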