Introduction
Unit 42 researchers have recently uncovered an advanced phishing campaign leveraging DarkCloud Stealer, an information-stealing malware active since 2022. This malware uses complex evasion techniques, including AutoIt scripting, to bypass security mechanisms and extract sensitive user data. Here’s a breakdown of how this stealthy malware operates and what you can do to protect your organization.
🔍 The Attack Chain Explained
The infection process starts with phishing emails designed to look like legitimate business communications — often themed around payments or order confirmations.
Step 1: Phishing Email
- Victims receive emails containing either a .rar or .7z archive, or a PDF that triggers a download of the archive.
- Inside the archive is a .jse (JavaScript Encoded) file disguised as a document.
Step 2: Script-Based Downloader
- Executing the .jse file runs a downloader script, which contacts a remote server to retrieve and execute a Base64-encoded PowerShell script.
Step 3: Payload Deployment
The PowerShell script then delivers one of two payload types:
- .NET Executable: Decrypts itself using AES or Triple DES and injects the payload into the RegAsm.exe process.
  → Payload: Agent Tesla or XLoader.
- AutoIt Executable: Uses obfuscated AutoIt scripts to decrypt and run shellcode.
  → Injects the final .NET payload into RegSvcs.exe.
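As an added illustration, not code from the Unit 42 report, the three stages above map onto process-creation telemetry a defender can hunt in: a script host executing a .jse file, an encoded PowerShell command whose parent is that script host, and RegAsm.exe or RegSvcs.exe started by a parent outside trusted directories. The events, file paths, trusted-directory list and rule names below are constructed assumptions for the example.

```python
import base64
import re
# Constructed process-creation events in the style of Sysmon Event ID 1; not real telemetry.
STAGE2 = base64.b64encode("Write-Output 'constructed stage-2 payload'".encode("utf-16le")).decode()
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Payment_Advice.jse"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {STAGE2}"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\u\AppData\Roaming\update.exe", "cmdline": "RegAsm.exe"},
    # Benign look-alikes: an installer registering a COM assembly; a user running a local script.
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "RegAsm.exe /codebase app.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INJECTION_HOSTS = ("regasm.exe", "regsvcs.exe")       # stage-3 host processes named in the report
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")  # assumed allow-list for the example
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Map one event to the chain stage it resembles, or None if it looks benign."""
    image, parent, cmd = basename(event["image"]), event["parent"].lower(), event["cmdline"]
    if image in SCRIPT_HOSTS and re.search(r"\.jse\b", cmd, re.IGNORECASE):
        return "stage1_jse_script_host"
    if image == "powershell.exe" and basename(parent) in SCRIPT_HOSTS \
            and decode_encoded_command(cmd) is not None:
        return "stage2_encoded_powershell"
    if image in INJECTION_HOSTS and not parent.startswith(TRUSTED_PARENT_DIRS):
        return "stage3_injection_host_untrusted_parent"
    return None

def scan(events):
    return [(i, stage) for i, e in enumerate(events) if (stage := classify(e))]  # (index, stage)
```

The two benign events show why parent process and command-line context, not the image name alone, should drive the alert.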
🛑 What is DarkCloud Stealer Capable Of?
DarkCloud Stealer is a highly effective malware tool with wide-ranging capabilities:
- Credential Theft: From web browsers, email clients, FTP apps (e.g., FileZilla), and messaging apps like Pidgin.
- System Surveillance: Captures screenshots, clipboard contents, and system info.
- Crypto Theft: Steals from cryptocurrency wallets and performs crypto-swapping.
- Persistence: Installs itself into system directories and creates scheduled tasks.
- Data Exfiltration: Sends stolen data via SMTP, Telegram, FTP, or web panels.
🧩 Why AutoIt?
AutoIt is typically used to automate Windows GUI tasks — but attackers are using it to:
- Obfuscate Code: Makes malware harder to analyze.
- Deploy Payloads: Runs shellcode that injects final malicious payloads into trusted processes.
- Evade Detection: Uses direct Windows API and AutoIt API calls to blend in.
🛡️ How to Protect Against DarkCloud Stealer
To mitigate the risk of infection:
- Email Security: Use advanced spam filters and threat detection tools to stop phishing emails before they reach users.
- User Training: Train employees to recognize phishing attempts and avoid opening suspicious attachments or links.
- Endpoint Protection: Use security software that can detect script-based threats and monitor unusual behavior.
- Keep Systems Updated: Ensure all applications, operating systems, and antivirus tools are up to date.