DarkCloud Stealer: Inside a Sophisticated Malware Campaign Using AutoIt

Introduction

Unit 42 researchers have recently uncovered an advanced phishing campaign leveraging DarkCloud Stealer, an information-stealing malware active since 2022. This malware uses complex evasion techniques, including AutoIt scripting, to bypass security mechanisms and extract sensitive user data. Here’s a breakdown of how this stealthy malware operates and what you can do to protect your organization.

🔍 The Attack Chain Explained

The infection process starts with phishing emails designed to look like legitimate business communications — often themed around payments or order confirmations.

Step 1: Phishing Email

  • Victims receive emails containing either a .rar or .7z archive, or a PDF that triggers a download of the archive.
  • Inside the archive is a .jse (JavaScript Encoded) file disguised as a document.

Step 2: Script-Based Downloader

  • Executing the .jse file runs a downloader script, which contacts a remote server to retrieve and execute a Base64-encoded PowerShell script.

Step 3: Payload Deployment

The PowerShell script then delivers one of two payload types:

  • .NET Executable:
    Decrypts itself using AES or Triple DES and injects the payload into the RegAsm.exe process.
    Payload: Agent Tesla or XLoader.
  • AutoIt Executable:
    Uses obfuscated AutoIt scripts to decrypt and run shellcode, then injects the final .NET payload into RegSvcs.exe.

🛑 What is DarkCloud Stealer Capable Of?

DarkCloud Stealer is a highly effective malware tool with wide-ranging capabilities:

  • Credential Theft: From web browsers, email clients, FTP apps (e.g., FileZilla), and messaging apps like Pidgin.
  • System Surveillance: Captures screenshots, clipboard contents, and system info.
  • Crypto Theft: Steals from cryptocurrency wallets and performs crypto-swapping.
  • Persistence: Installs itself into system directories and creates scheduled tasks.
  • Data Exfiltration: Sends stolen data via SMTP, Telegram, FTP, or web panels.

🧩 Why AutoIt?

AutoIt is typically used to automate Windows GUI tasks — but attackers are using it to:

  • Obfuscate Code: Makes malware harder to analyze.
  • Deploy Payloads: Runs shellcode that injects final malicious payloads into trusted processes.
  • Evade Detection: Uses direct Windows API and AutoIt API calls to blend in.

🛡️ How to Protect Against DarkCloud Stealer

To mitigate the risk of infection:

  1. Email Security
    Use advanced spam filters and threat detection tools to stop phishing emails before they reach users.
  2. User Training
    Train employees to recognize phishing attempts and avoid opening suspicious attachments or links.
  3. Endpoint Protection
    Use security software that can detect script-based threats and monitor unusual behavior.
  4. Keep Systems Updated
    Ensure all applications, operating systems, and antivirus tools are up to date.
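To make the behavioral-monitoring item concrete, here is an added example (not from the Unit 42 report or the original post) that runs three detection rules over constructed process-creation events modeled on the delivery chain in Steps 1 to 3: a script host executing a .jse file, encoded PowerShell spawned by that script host, and RegAsm.exe or RegSvcs.exe started by an unexpected parent. The event layout, sample paths, file names and the set of expected parents are assumptions.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style:
# (parent image, child image, child command line). All paths/names are made up.
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\Rar$DI01\Payment_Order.jse"'),
    ("wscript.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand <constructed-base64>"),
    ("powershell.exe", "Order.exe", r"C:\Users\a\AppData\Roaming\Order.exe"),
    ("Order.exe", "RegSvcs.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ("devenv.exe", "RegAsm.exe", "RegAsm.exe /codebase MyComponent.dll"),  # benign
    ("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),              # benign
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOTNET_UTILS = {"regasm.exe", "regsvcs.exe"}
# Parents that legitimately launch RegAsm/RegSvcs in this environment (assumption;
# tune to the build and installer tooling actually present on your hosts).
EXPECTED_UTIL_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}
# PowerShell's encoded-command switch and its common abbreviations.
ENCODED_PS = re.compile(r"(?i)\s-(enc|encodedcommand|e|ec)\s")


def classify(parent, child, cmdline):
    """Return the list of rule names a single event triggers (empty if benign)."""
    hits = []
    p, c = parent.lower(), child.lower()
    if c in SCRIPT_HOSTS and re.search(r"(?i)\.jse\b", cmdline):
        hits.append("jse_via_script_host")
    if c == "powershell.exe" and p in SCRIPT_HOSTS and ENCODED_PS.search(cmdline):
        hits.append("encoded_powershell_from_script_host")
    if c in DOTNET_UTILS and p not in EXPECTED_UTIL_PARENTS:
        hits.append("dotnet_utility_unexpected_parent")
    return hits


def detect(events):
    """Run classify() over every event; return (child, parent, rule) triples."""
    return [(child, parent, rule)
            for parent, child, cmd in events
            for rule in classify(parent, child, cmd)]


if __name__ == "__main__":
    for child, parent, rule in detect(SAMPLE_EVENTS):
        print(f"{rule}: {parent} -> {child}")
```

Each rule alone is noisy in many environments; correlating them by process lineage within a short window (script host, then encoded PowerShell, then RegAsm/RegSvcs) is what makes the chain a high-confidence signal.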
