On June 13, 2023, security researchers at Trellix reported the details of a new information stealing malware written in Golang that they dubbed “Skuld.”
Context
Since April 2023, Trellix researchers have observed the malware in use against unspecified targets in North America, Europe, and Southeast Asia.
Technical Details
According to the report, Skuld attempts to steal sensitive information by searching for “data stored in applications such as Discord and web browsers, information from the system, and files stored in the victim’s folders. Some samples even include a module to steal cryptocurrency assets, which we believe is still in development.”
Golang Prevalence
Malware written in Golang is still less common than malware written in the other major programming languages, but its use is gradually increasing among threat actors. Trellix researchers note that Golang may be gaining popularity among threat actors “due to simplicity, efficiency, and cross-platform compatibility, which lets malware creators target a wide range of operating systems, broadening their potential victim pool. Additionally, Golang’s compiled nature lets malware authors produce binary executables that are more challenging to analyze and reverse engineer.”
YARA Rules
Trellix researchers provided the following YARA rule:
rule mal_skuld_stealer {
    meta:
        author = "Ernesto Fernandez (L3cr0f) | Trellix ARC"
        threat_name = "Skuld"
        filetype = "Win64 EXE"
        date = "2023-05-15"
        description = "Yara rule for hunting Skuld stealer."
    strings:
        $a1 = "skuld" nocase
        $a2 = "deathined" nocase
        // Discord exfiltration
        $b1 = "https://discord.com/api/webhooks/"
        $b2 = "avatar_url"
        $b3 = "icon_url"
        // Gofile exfiltration
        $c1 = "https://api.gofile.io/getServer"
        $c2 = "gofile.io/uploadFile"
        // Browser DBs
        $g1 = "masterkey_db"
        $g2 = "login_db"
        $g3 = "download_db"
        $g4 = "history_db"
        $g5 = "card_db"
        $h1 = { 70 61 73 73 77 6F 72 64 } // password
        $h2 = { 72 64 2D 63 68 65 63 6B } // rd-check
    condition:
        uint16(0) == 0x5A4D and
        filesize > 5MB and
        (
            all of ($a*) or
            (
                (
                    2 of ($b*) or
                    all of ($c*)
                ) and
                3 of ($g*)
            ) or (
                3 of ($g*) and
                $h2 in (@h1..@h1+0x20)
            )
        )
}
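The condition above combines three independent paths to a match, and the last one uses YARA's offset syntax: `@h1` is the offset of the first "password" match, and `$h2 in (@h1..@h1+0x20)` requires an "rd-check" match to start within 32 bytes after it. The following script is an added example, not Trellix code: it re-implements the rule's condition in plain Python so the logic can be read and exercised without yara-python. The string groups are copied from the rule; the sample buffers are constructed here and are not real Skuld samples.

```python
# Added example (not from the Trellix report): a pure-Python evaluation of the
# mal_skuld_stealer condition, for understanding the rule's logic or for triage
# where yara-python is not installed. Sample buffers are constructed, not malware.

MIN_SIZE = 5 * 1024 * 1024  # the rule requires filesize > 5MB

# String groups copied from the rule's strings section
A = [b"skuld", b"deathined"]                                                  # $a*, nocase
B = [b"https://discord.com/api/webhooks/", b"avatar_url", b"icon_url"]         # $b*
C = [b"https://api.gofile.io/getServer", b"gofile.io/uploadFile"]              # $c*
G = [b"masterkey_db", b"login_db", b"download_db", b"history_db", b"card_db"]  # $g*
H1 = bytes.fromhex("70617373776F7264")  # $h1, "password"
H2 = bytes.fromhex("72642D636865636B")  # $h2, "rd-check"


def count_hits(data: bytes, patterns, nocase: bool = False) -> int:
    """How many patterns of the group occur at least once ("N of ($x*)")."""
    hay = data.lower() if nocase else data
    return sum(1 for p in patterns if (p.lower() if nocase else p) in hay)


def h2_near_first_h1(data: bytes, window: int = 0x20) -> bool:
    """'$h2 in (@h1..@h1+0x20)': @h1 is the offset of the FIRST $h1 match; the
    clause holds if some $h2 match starts within that inclusive range."""
    first = data.find(H1)
    if first < 0:
        return False
    pos = data.find(H2, first)          # earliest $h2 at or after @h1
    return pos != -1 and pos <= first + window


def matches_skuld_rule(data: bytes) -> bool:
    """True where YARA would report a match for mal_skuld_stealer."""
    # uint16(0) == 0x5A4D ("MZ") and filesize > 5MB
    if data[:2] != b"MZ" or len(data) <= MIN_SIZE:
        return False
    a, b, c, g = (count_hits(data, A, nocase=True), count_hits(data, B),
                  count_hits(data, C), count_hits(data, G))
    return (
        a == len(A)                                 # all of ($a*)
        or ((b >= 2 or c == len(C)) and g >= 3)     # exfil strings + browser DBs
        or (g >= 3 and h2_near_first_h1(data))      # browser DBs + password/rd-check proximity
    )


def build_sample(*fragments: bytes, size: int = MIN_SIZE + 1) -> bytes:
    """Constructed PE-like buffer: 'MZ' header, fragments from offset 0x40, zero padding."""
    body = b"MZ" + b"\x00" * 0x3E + b"\n".join(fragments)
    return body.ljust(size, b"\x00")


if __name__ == "__main__":
    hit = build_sample(b"https://discord.com/api/webhooks/x", b"avatar_url",
                       b"masterkey_db", b"login_db", b"card_db")
    # "rd-check" sits 0x48 bytes after "password": outside the 0x20 window, so no match
    miss = build_sample(b"password" + b"\x00" * 0x40 + b"rd-check",
                        b"masterkey_db", b"login_db", b"history_db")
    print(matches_skuld_rule(hit), matches_skuld_rule(miss))  # True False
```

The proximity clause is the part most often misread: only the first "password" occurrence anchors the window, so a sample with "rd-check" near a later "password" string does not satisfy it, which `h2_near_first_h1` reproduces.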
IOCs
Trellix researchers provided the following indicators of compromise (IOCs). The hash values and webhook URLs are truncated as reproduced here (a SHA256 digest is 64 hex characters); obtain the complete values from the Trellix report before loading them into a blocklist.

Indicator | Type
4c0af2782e7e02aba3cc182eb485bdd30f22 | SHA256
421a57666d85b8c956634528ca128283a13 | SHA256
332911747cb1e808562b431b0519bed11fd | SHA256
2b5bce8623468a2e58c6cc817c1556dd1ef6 | SHA256
20c53166133e5bc0a6dad39ba6a754a878c0 | SHA256
13c25ddbaed8579a764b143446a4c2910b5 | SHA256
fefd9249dbafebc5c7717413a63cc9945eee4 | SHA256
f8e2c18619f3701542add6f8f822e3d7957b4 | SHA256
f7514b93fd3ee6d4df231f2eed022a98d98a5 | SHA256
dee98d99f9f2915dc8ed7e46606e88f844322 | SHA256
d98d61496600aadf95235e81c54752c3ddcd | SHA256
d3ed2f5e3568fb77600894b49da9343243dc4 | SHA256
d29e69c321d2c5f2e0b4e284b9fb399a4b7bf | SHA256
d11efad7ebe520ccc9f682003d76ebfabd5d18 | SHA256
bfb57e149903bc7c75cbe1dd57bbee030bdfad | SHA256
bea3b5a31d10069bb70561568349a5458256 | SHA256
bdcdd076ccc5f73db7f93dbc298fc48147a04b7 | SHA256
b8ea26cc228123ecb77b46d325f0ec34dd5c9b | SHA256
b786df58db15f749ca922db9667417118596166 | SHA256
b31290a1b14884b1ac2bb00aff079ac365857cb | SHA256
a211d8ee2767c83de94cc2b4e07838dd1ea639 | SHA256
9b6705f27d0d77b766ed5d6267a8b9992081a7 | SHA256
848f0f411cad90e6c7b6e64b27ffb25c81c6bf06 | SHA256
7ca99ab7123d955e31b001e930231ddfe437b6 | SHA256
65ae55466beec02a40c9df750a9a08f44b80913 | SHA256
5dfe60670571378e6ddfaeb30804d5bd4a254ed | SHA256
hxxps://discord[.]com/api/webhooks/110115110 | URL (Discord Webhook)
hxxps://discord[.]com/api/webhooks/963128514 | URL (Discord Webhook)
hxxps://discord[.]com/api/webhooks/110112063129 | URL (Discord Webhook)
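Before IOCs like these are loaded into a blocklist or SIEM watchlist, they need to be refanged and sanity-checked, and a table copied from a web page can carry truncated values that will never match anything. The script below is an added example, not Trellix code: it parses the pipe-separated rows above, refangs the webhook URLs, checks each hash against the length its stated type requires, and separates entries that are usable as-is from ones that must be completed from the source report. The sample table contains rows copied from the page plus one constructed full-length hash.

```python
# Added example (not from the Trellix report): normalize an IOC table for use in
# tooling, refanging URLs and flagging hashes whose length does not match the
# stated algorithm (a SHA256 is 64 hex characters).
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be used by a detection tool."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


def parse_ioc_table(text: str):
    """Parse 'Indicator | Type' rows; the header row and blank lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0].lower() == "indicator":
            continue
        rows.append((cells[0], cells[1]))
    return rows


def classify(indicator: str, ioc_type: str):
    """Return (normalized_value, status); status is 'ok', 'truncated' or 'invalid'."""
    kind = ioc_type.split()[0].upper()      # "URL (Discord Webhook)" -> "URL"
    if kind in HASH_LENGTHS:
        value = indicator.lower()
        if not HEX_RE.match(value):
            return value, "invalid"
        expected = HASH_LENGTHS[kind]
        if len(value) == expected:
            return value, "ok"
        return value, "truncated" if len(value) < expected else "invalid"
    if kind == "URL":
        value = refang(indicator)
        return value, "ok" if value.startswith(("http://", "https://")) else "invalid"
    return indicator, "invalid"


def usable_iocs(text: str):
    """Split a table into indicators safe to load and ones needing the source report."""
    good, flagged = [], []
    for indicator, ioc_type in parse_ioc_table(text):
        value, status = classify(indicator, ioc_type)
        (good if status == "ok" else flagged).append((value, ioc_type, status))
    return good, flagged


# Two rows copied from the table above, plus one constructed 64-character hash
# (not a real sample) to show what a complete entry looks like.
SAMPLE_TABLE = """
Indicator | Type |
4c0af2782e7e02aba3cc182eb485bdd30f22 | SHA256 |
hxxps://discord[.]com/api/webhooks/110115110 | URL (Discord Webhook) |
""" + "a" * 64 + " | SHA256 |\n"

if __name__ == "__main__":
    good, flagged = usable_iocs(SAMPLE_TABLE)
    for row in good:
        print("load   ", row)
    for row in flagged:
        print("REVIEW ", row)
```

Run against the full table on this page, every SHA256 row lands in the flagged list, which is the signal to go back to the Trellix report rather than deploy indicators that cannot match.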
TTPs
Trellix researchers provided the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs):
Tactical Goal | ATT&CK Technique (Technique ID)
Execution | T1204.002 User Execution: Malicious File
Execution | T1059.007 Command and Scripting Interpreter: JavaScript
Defense Evasion | T1497.001 Virtualization/Sandbox Evasion: System Checks
Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion | T1622 Debugger Evasion
Credential Access | T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Credential Access | T1111 Multi-Factor Authentication Interception
Credential Access | T1539 Steal Web Session Cookie
Discovery | T1033 System Owner/User Discovery
Discovery | T1012 Query Registry
Discovery | T1057 Process Discovery
Discovery | T1083 File and Directory Discovery
Discovery | T1217 Browser Information Discovery
Discovery | T1082 System Information Discovery
Discovery | T1016 System Network Configuration Discovery
Collection | T1113 Screen Capture
Collection | T1115 Clipboard Data
Collection | T1560 Archive Collected Data
Command and Control | T1071.001 Application Layer Protocol: Web Protocols
Command and Control | T1573.002 Encrypted Channel: Asymmetric Cryptography
Command and Control | T1102.003 Web Service: One-Way Communication
Exfiltration | T1567 Exfiltration Over Web Service
Exfiltration | T1020 Automated Exfiltration
Impact | T1489 Service Stop