New “Skuld” Infostealer Malware Written in Golang Leveraged in North America, Europe, and Southeast Asia

Trellix researchers discover a new infostealer malware written in Golang.

On June 13, 2023, security researchers at Trellix reported the details of a new information stealing malware written in Golang that they dubbed “Skuld.”

Context

Since April 2023, Trellix researchers have observed the malware in use against unspecified targets in North America, Europe, and Southeast Asia.

Technical Details

According to the report, Skuld attempts to steal sensitive information by searching for “data stored in applications such as Discord and web browsers, information from the system, and files stored in the victim’s folders. Some samples even include a module to steal cryptocurrency assets, which we believe is still in development.”

Golang Prevalence

The use of Golang to write malware is less common than the use of other major programming languages, but it is gradually increasing in popularity among threat actors. Trellix researchers note that Golang may be gaining popularity among threat actors “due to simplicity, efficiency, and cross-platform compatibility, which lets malware creators target a wide range of operating systems, broadening their potential victim pool. Additionally, Golang’s compiled nature lets malware authors produce binary executables that are more challenging to analyze and reverse engineer.”

YARA Rules

Trellix researchers provided the following YARA rule:

rule mal_skuld_stealer {
  meta:
     author = "Ernesto Fernandez (L3cr0f) | Trellix ARC"
     threat_name = "Skuld"
     filetype = "Win64 EXE"
     date = "2023-05-15"
     description = "Yara rule for hunting Skuld stealer."

  strings:
     $a1 = "skuld" nocase
     $a2 = "deathined" nocase

     // Discord exfiltration
     $b1 = "https://discord.com/api/webhooks/"
     $b2 = "avatar_url"
     $b3 = "icon_url"

     // Gofile exfiltration
     $c1 = "https://api.gofile.io/getServer"
     $c2 = "gofile.io/uploadFile"

     // Browser DBs
     $g1 = "masterkey_db"
     $g2 = "login_db"
     $g3 = "download_db"
     $g4 = "history_db"
     $g5 = "card_db"

     $h1 = { 70 61 73 73 77 6F 72 64 } // password
     $h2 = { 72 64 2D 63 68 65 63 6B } // rd-check

  condition:
     uint16(0) == 0x5A4D and
     filesize > 5MB and
     (
       all of ($a*) or
       (
         (
           2 of ($b*) or
           all of ($c*)
         ) and
         3 of ($g*)
       ) or (
         3 of ($g*) and
         $h2 in (@h1..@h1+0x20)
       )
     )
}
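The rule's condition tree, as an added example that is not Trellix's code: a pure-Python model of the mal_skuld_stealer condition, run over constructed sample buffers, so the filesize gate, the "N of ($x*)" counts and the proximity clause $h2 in (@h1..@h1+0x20) can be watched evaluating. It is a study aid for reading the rule, not a substitute for running yara; every buffer below is constructed and none is a real sample.

```python
MB = 1024 * 1024  # YARA's "MB" suffix means 1024*1024, not 10**6

# String groups copied from the rule above.
A = [b"skuld", b"deathined"]                                      # nocase
B = [b"https://discord.com/api/webhooks/", b"avatar_url", b"icon_url"]
C = [b"https://api.gofile.io/getServer", b"gofile.io/uploadFile"]
G = [b"masterkey_db", b"login_db", b"download_db", b"history_db", b"card_db"]
H1 = bytes.fromhex("70617373776F7264")  # "password"
H2 = bytes.fromhex("72642D636865636B")  # "rd-check"


def offsets(data: bytes, needle: bytes, nocase: bool = False) -> list:
    """All match offsets of needle in data, overlapping matches included (YARA's @s[i])."""
    hay, nd = (data.lower(), needle.lower()) if nocase else (data, needle)
    found, i = [], hay.find(nd)
    while i != -1:
        found.append(i)
        i = hay.find(nd, i + 1)
    return found


def n_of(data: bytes, group: list, nocase: bool = False) -> int:
    """'N of ($x*)' counts group members with at least one match, not total matches."""
    return sum(1 for s in group if offsets(data, s, nocase))


def skuld_condition(data: bytes) -> bool:
    """Evaluate the rule's condition block on a raw file image."""
    if len(data) < 2 or data[:2] != b"MZ":   # uint16(0) == 0x5A4D, little-endian "MZ"
        return False
    if len(data) <= 5 * MB:                  # filesize > 5MB
        return False
    a_all = n_of(data, A, nocase=True) == len(A)
    exfil = n_of(data, B) >= 2 or n_of(data, C) == len(C)
    browser = n_of(data, G) >= 3
    # $h2 in (@h1..@h1+0x20): a bare @h1 is the FIRST occurrence of $h1, and the
    # range is inclusive. With no $h1 match the expression is undefined => false.
    h1 = offsets(data, H1)
    near = bool(h1) and any(h1[0] <= o <= h1[0] + 0x20 for o in offsets(data, H2))
    return a_all or (exfil and browser) or (browser and near)


def build_sample(*chunks: bytes, size: int = 6 * MB) -> bytes:
    """Constructed test image: an MZ stub, the given chunks, zero padding to `size`."""
    body = b"MZ" + b"\x00" * 62 + b"\n".join(chunks)
    return body.ljust(size, b"\x00")


# Constructed inputs (not real samples).
HIT_EXFIL = build_sample(b"login_db", b"history_db", b"card_db",
                         b"https://discord.com/api/webhooks/1/x", b"avatar_url")
HIT_NEAR = build_sample(b"login_db", b"history_db", b"card_db",
                        b"password" + b"\x00" * 8 + b"rd-check")        # 16 bytes apart
MISS_FAR = build_sample(b"login_db", b"history_db", b"card_db",
                        b"password" + b"\x00" * 0x40 + b"rd-check")     # 72 bytes apart
MISS_SMALL = build_sample(b"skuld", b"deathined", size=1 * MB)          # fails size gate

if __name__ == "__main__":
    for name, buf in [("HIT_EXFIL", HIT_EXFIL), ("HIT_NEAR", HIT_NEAR),
                      ("MISS_FAR", MISS_FAR), ("MISS_SMALL", MISS_SMALL)]:
        print(f"{name:10s} -> {skuld_condition(buf)}")
```

Two points worth keeping in mind when deploying the rule: the filesize > 5MB gate is cheap and fits a statically linked Go binary, but it also means a packed or stripped-down build that lands under the threshold is never inspected, so pair the rule with a network-side check on the Discord and Gofile endpoints; and the proximity clause only looks at the first "password" occurrence, so a benign string earlier in the file can mask a later genuine pairing.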

IOCs

Trellix researchers provided the following indicators of compromise (IOCs):

SHA256 (file hashes):

4c0af2782e7e02aba3cc182eb485bdd30f22707a7669cf6609e2619bf4f54b2d
421a57666d85b8c956634528ca128283a13c4cb0730d3d498b4658b3ea4b3015
332911747cb1e808562b431b0519bed11fd844fd7a50fce37d8b4fe5daa7b235
2b5bce8623468a2e58c6cc817c1556dd1ef69cb184083a2d8d68a1bb78cbc2d2
20c53166133e5bc0a6dad39ba6a754a878c04c2697400b98cfb0fa5fe2f8b06d
13c25ddbaed8579a764b143446a4c2910b5605c78951416f303f000133e56b26
fefd9249dbafebc5c7717413a63cc9945eee4006d85fc77b4b4e10587e30aaa7
f8e2c18619f3701542add6f8f822e3d7957b41918d1a1bc03e80622e92afdc41
f7514b93fd3ee6d4df231f2eed022a98d98a518b9ff23c960845d2dd215d4694
dee98d99f9f2915dc8ed7e46606e88f84432232dd329e0283b3ce4e45f54aae4
d98d61496600aadf95235e81c54752c3ddcd1ea3a40ba9eb8978b27f9638f7ee
d3ed2f5e3568fb77600894b49da9343243dc468d9aa661b4fcba60540445f3ec
d29e69c321d2c5f2e0b4e284b9fb399a4b7bf4628916075ab9039be895660626
d11efad7ebe520ccc9f682003d76ebfabd5d18b746a801fefbf04317f7ae7505
bfb57e149903bc7c75cbe1dd57bbee030bdfadb6023db37bb2fe163e4bc06bd4
bea3b5a31d10069bb70561568349a54582564c21d2a835f65073d6f1d8662eec
bdcdd076ccc5f73db7f93dbc298fc48147a04b755fc12fda872d11c6857b512f
b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025
b786df58db15f749ca922db966741711859616683b8a64390d221fb3af01493c
b31290a1b14884b1ac2bb00aff079ac365857cbc94a489a5d361f9e140a54dff
a211d8ee2767c83de94cc2b4e07838dd1ea6397ecde15fe0ed3211fe7959eb69
9b6705f27d0d77b766ed5d6267a8b9992081a7aa9c1dc2526c524bdf10bd7204
848f0f411cad90e6c7b6e64b27ffb25c81c6bf065c1cd0f9cc2ca413867bc96a
7ca99ab7123d955e31b001e930231ddfe437b63890263b984454538b0ab47135
65ae55466beec02a40c9df750a9a08f44b809137437e20eeeaa30fd7532ea37b
5dfe60670571378e6ddfaeb30804d5bd4a254edde4269e75afb4b6ce8995d582

URL (Discord Webhook):

hxxps://discord[.]com/api/webhooks/1101151106052145214/BIaHrwzWkurP1ifNTfI0S-nV_adpU3L7CtHkZgsoxNh0xWIhQpjX2fdzD9kB7BDNYQi7
hxxps://discord[.]com/api/webhooks/963128514779959316/ruqcIVO-IzGEWVxFyDIITM7YCzbyrnmAu55FnFdc4inoDqbx2o3dSOjAkc1lGOf9ytAf
hxxps://discord[.]com/api/webhooks/1101120631296237639/mesriMSa71vT7Vf_chsUKzwpQEbKiBcK1y1GiKUCoC360ZH8EuTmJQKMDSmB-LGAqbJw
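Operationalizing the indicators above, as an added example that is not Trellix's code: it refangs the defanged webhook URLs, keys on the numeric webhook ID (which identifies the webhook even if its token is rotated), and runs the IOC set over constructed proxy-log lines and a constructed file inventory. The log format, client addresses and file paths are assumptions. The "unknown Discord webhook" and Gofile API checks go beyond the published list on purpose: they catch the exfiltration pattern the rule encodes (T1567, T1102.003) rather than only the three listed webhooks.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Published Skuld indicators, kept defanged exactly as above and refanged only inside tooling.
SKULD_WEBHOOKS_DEFANGED = [
    "hxxps://discord[.]com/api/webhooks/1101151106052145214/BIaHrwzWkurP1ifNTfI0S-nV_adpU3L7CtHkZgsoxNh0xWIhQpjX2fdzD9kB7BDNYQi7",
    "hxxps://discord[.]com/api/webhooks/963128514779959316/ruqcIVO-IzGEWVxFyDIITM7YCzbyrnmAu55FnFdc4inoDqbx2o3dSOjAkc1lGOf9ytAf",
    "hxxps://discord[.]com/api/webhooks/1101120631296237639/mesriMSa71vT7Vf_chsUKzwpQEbKiBcK1y1GiKUCoC360ZH8EuTmJQKMDSmB-LGAqbJw",
]
SKULD_SHA256 = {  # two of the published hashes; extend with the rest of the list above
    "4c0af2782e7e02aba3cc182eb485bdd30f22707a7669cf6609e2619bf4f54b2d",
    "421a57666d85b8c956634528ca128283a13c4cb0730d3d498b4658b3ea4b3015",
}

WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)/?$")


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp(s)://, [.], [:]) so the IOC compares with live telemetry."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def webhook_id(url: str) -> Optional[str]:
    """Numeric Discord webhook ID if url is a webhook endpoint, else None.
    The ID identifies the webhook even after its token is rotated, so key on it."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or u.hostname not in ("discord.com", "discordapp.com"):
        return None
    m = WEBHOOK_PATH.match(u.path)
    return m.group(1) if m else None


KNOWN_WEBHOOK_IDS = {webhook_id(refang(w)) for w in SKULD_WEBHOOKS_DEFANGED}

# Constructed proxy log (assumed format: timestamp client method url status bytes_out).
PROXY_LOG = """\
2023-06-14T10:01:02Z 10.0.0.12 POST https://discord.com/api/webhooks/1101151106052145214/BIaHrwzWkurP1ifNTfI0S-nV_adpU3L7CtHkZgsoxNh0xWIhQpjX2fdzD9kB7BDNYQi7 204 2310
2023-06-14T10:01:05Z 10.0.0.12 GET https://api.gofile.io/getServer 200 88
2023-06-14T10:01:09Z 10.0.0.12 POST https://store4.gofile.io/uploadFile 200 1843200
2023-06-14T10:02:00Z 10.0.0.33 POST https://discord.com/api/webhooks/555555555555555555/constructed_token_not_an_ioc 204 120
2023-06-14T10:03:00Z 10.0.0.40 GET https://discord.com/channels/@me 200 5120
"""


def scan_proxy_log(text: str) -> list:
    """Return (client, verdict, url) triples. A published webhook ID is a hard hit; any other
    webhook POST and the gofile getServer/uploadFile pair are flagged for review, since the
    rule above shows Skuld exfiltrates through both services (T1567 / T1102.003)."""
    findings = []
    for line in text.splitlines():
        _ts, client, method, url, _status, _nbytes = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        wid = webhook_id(url)
        if wid is not None and wid in KNOWN_WEBHOOK_IDS:
            findings.append((client, "skuld-webhook-ioc", url))
        elif wid is not None and method == "POST":
            findings.append((client, "unknown-discord-webhook", url))
        elif (host == "gofile.io" or host.endswith(".gofile.io")) and parts.path in ("/getServer", "/uploadFile"):
            findings.append((client, "gofile-exfil-api", url))
    return findings


def match_hashes(inventory: dict) -> list:
    """Paths in a {path: sha256} inventory whose (case-insensitive) hash is a published sample."""
    return [path for path, digest in inventory.items() if digest.lower() in SKULD_SHA256]


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(PROXY_LOG):
        print(f"{client:10s} {verdict:24s} {url}")
```

Webhook URLs are one-way (T1102.003): the victim only ever POSTs to them, so a single POST to a webhook ID on the list is sufficient evidence, and blocking the three published webhooks alone is weak because a new build only needs a fresh webhook. The "unknown-discord-webhook" verdict is where the real coverage comes from; tune it against the legitimate integrations in your own environment before alerting on it.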

TTPs

Trellix researchers provided the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs):

Tactical Goal: ATT&CK Technique (Technique ID)

Execution
  T1204.002 User Execution: Malicious File
  T1059.007 Command and Scripting Interpreter: JavaScript

Defense Evasion
  T1497 Virtualization/Sandbox Evasion: System Checks
  T1562.001 Impair Defenses: Disable or Modify Tools
  T1622 Debugger Evasion

Credential Access
  T1555.003 Credentials from Password Stores: Credentials from Web Browsers
  T1111 Multi-Factor Authentication Interception
  T1539 Steal Web Session Cookie

Discovery
  T1033 System Owner/User Discovery
  T1012 Query Registry
  T1057 Process Discovery
  T1083 File and Directory Discovery
  T1217 Browser Information Discovery
  T1082 System Information Discovery
  T1016 System Network Configuration Discovery

Collection
  T1113 Screen Capture
  T1115 Clipboard Data
  T1560 Archive Collected Data

Command and Control
  T1071.001 Application Layer Protocol: Web Protocols
  T1573.002 Encrypted Channel: Asymmetric Cryptography
  T1102.003 Web Service: One-Way Communication

Exfiltration
  T1567 Exfiltration Over Web Service
  T1020 Automated Exfiltration

Impact
  T1489 Service Stop