Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins with a phishing email containing a RAR archive or a PDF that downloads the archive. The archive contains an AutoIt-compiled executable that decrypts and executes the final DarkCloud Stealer payload. The malware steals sensitive data including browser passwords, credit card information, and email client credentials. It employs anti-analysis techniques and achieves persistence through registry modifications. The campaign has targeted various sectors, with a focus on government organizations, particularly in Poland.

Author: AlienVault
Related Tags:
DarkCloud Stealer
anti-analysis
T1566.001
T1555
T1528
Poland
T1539
T1552
T1518
Associated Indicators:
BF3B43F5E4398AC810F005200519E096349B2237587D920D3C9B83525BB6BAFC
1269C968258999930B573682699FE72DE72D96401E3BEB314AE91BAF0E0E49E8
30738450F69C3DE74971368192A4A647E4ED9C658F076459E42683B110BAF371