Cyber Security News

DarkCloud Stealer Uses Weaponized .TAR Archives to Target Organizations and Steal Passwords

A recent cyberattack campaign leveraging the DarkCloud stealer has been identified, targeting Spanish companies and local offices of international organizations across various industries.

The attackers are spoofing a legitimate Spanish company specializing in mountain and skiing equipment to deliver malicious payloads via email.

The emails, which use billing-themed social engineering tactics, carry subject lines such as "Importe: 3.500,00 EUR" and include a weaponized .TAR archive named "Importe3.50000EUR_Transfer.tar".

Within the archive lies a DarkCloud stealer binary designed to exfiltrate sensitive data.
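A mail gateway or analyst can triage an attachment of this shape before it reaches a user. The following is an added example, not code from the article or from Symantec: it opens a TAR attachment in memory and flags members that look like a dropped Windows binary, by executable extension and by the PE "MZ" magic bytes; the archive it scans is constructed in the script and the member name "Transfer_Importe.pdf.exe" is hypothetical.

```python
# Added example (not from the article or Symantec): triage a TAR e-mail
# attachment and flag members that look like a dropped Windows binary, the
# shape of the Importe3.50000EUR_Transfer.tar lure. Sample tar is constructed.
import io
import tarfile

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd", ".js", ".vbs")
PE_MAGIC = b"MZ"  # DOS header that opens every Windows PE file


def scan_tar_bytes(data: bytes) -> list[str]:
    """Return "<member>: <reason>" findings for a TAR archive held in memory."""
    findings: list[str] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                name = member.name
                if name.lower().endswith(EXEC_EXTENSIONS):
                    findings.append(f"{name}: executable file extension")
                if member.isfile():
                    # Magic bytes catch binaries renamed to .pdf or .txt.
                    fh = tar.extractfile(member)
                    if fh is not None and fh.read(len(PE_MAGIC)) == PE_MAGIC:
                        findings.append(f"{name}: PE (MZ) header inside archive")
    except tarfile.TarError as exc:
        # A gateway should treat an unparsable archive as suspicious too.
        findings.append(f"<archive>: unreadable tar ({exc})")
    return findings


def build_sample_tar(entries: dict[str, bytes]) -> bytes:
    """Pack name -> content pairs into a tar (constructed test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: a fake "transfer receipt" that is really a PE stub.
    sample = build_sample_tar({
        "Transfer_Importe.pdf.exe": PE_MAGIC + b"\x00" * 62,  # hypothetical name
        "readme.txt": b"plain text, nothing to flag",
    })
    for finding in scan_tar_bytes(sample):
        print(finding)
```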

The campaign has been observed targeting sectors such as technology, legal, finance, healthcare, energy, food, chemical, government, manufacturing, and packaging.

This marks an escalation in the activity of the DarkCloud stealer, which has been in use since at least 2022 but has seen increased deployment in recent months.

Capabilities of the DarkCloud Stealer

DarkCloud is a commodity stealer equipped with advanced features that make it a potent tool for cybercriminals.

Its capabilities include capturing keystrokes, clipboard content, and screenshots; recovering passwords from popular browsers such as Chrome, Opera, Yandex, and 360 Browser; extracting cookies and saved credentials; and stealing sensitive files from email clients and cryptocurrency applications.

The malware also hijacks wallet addresses for cryptocurrencies like Bitcoin (BTC), Ethereum (ETH), and Ripple (XRP).

In addition to these functionalities, DarkCloud exfiltrates documents in formats such as .txt, .xls, .xlsx, .pdf, and .rtf.

It employs multiple channels for data exfiltration, including SMTP email protocols, Telegram messaging services, and FTP servers.

To evade detection by security systems, the malware incorporates anti-virtual machine checks, anti-debugging measures, and fake API calls to disguise its behavior.

Protection Measures

According to the report, Broadcom’s Symantec division has implemented robust protection mechanisms to counter this threat.

Symantec’s security solutions identify DarkCloud-related malicious indicators through multiple layers of defense:

  • Carbon Black-based Protection: VMware Carbon Black products block malicious activities using policies that prevent known malware types from executing while leveraging cloud-based reputation services for enhanced detection.
  • Email Security: Symantec’s email security products provide coverage against this threat. Additionally, Email Threat Isolation (ETI) technology adds an extra layer of protection by isolating potentially harmful email content before it reaches users.
  • File-Based Detection: File-based signatures such as Trojan.Gen.MBT ensure that malicious files are identified and blocked effectively.
  • Machine Learning Integration: Advanced machine learning heuristics (Heur.AdvML.B) enable proactive detection of suspicious activities associated with DarkCloud stealer campaigns.

The increasing prevalence of attacks utilizing commodity stealers like DarkCloud underscores the importance of multi-layered security strategies for organizations across all industries.

By employing advanced detection techniques and leveraging machine learning models alongside traditional security measures, Symantec aims to mitigate risks posed by evolving cyber threats.

This campaign highlights the need for vigilance among businesses operating in targeted sectors to protect themselves against sophisticated phishing tactics and data theft attempts.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
