DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins with a phishing email containing a RAR archive or a PDF that downloads the archive. The archive contains an AutoIt-compiled executable that decrypts and executes the final DarkCloud Stealer payload. The malware steals sensitive data including browser passwords, credit card information, and email client credentials. It employs anti-analysis techniques and achieves persistence through registry modifications. The campaign has targeted various sectors, with a focus on government organizations, particularly in Poland.
OPENCTI LABELS:
phishing, infostealer, credential theft, autoit, anti-analysis, multi-stage payload, darkcloud stealer