
CTI Roundup: Skuld Malware Steals Discord Data From Windows PCs

Chinese hackers use DNS-over-HTTPS for Linux malware communication, a new Golang-based Skuld malware strand steals Discord and browser data from Windows PCs, and a massive phishing campaign uses 6,000 sites to impersonate brands

Emerging Issue

This week, CTI breaks down a new report detailing the latest activity attributed to the China-linked threat group ChamelGang, which is actively targeting Linux devices. Next, CTI investigates an info-stealing malware strain known as Skuld. Finally, CTI wraps things up with an overview of a massive phishing campaign that was recently discovered by researchers at Bolster.

1. Chinese hackers use DNS-over-HTTPS for Linux malware communication

A new report from Stairwell exposes the operations of the China-linked threat group ChamelGang, which is infecting Linux devices with a previously undocumented implant dubbed ChamelDOH. The backdoor enables communication between compromised systems and the attackers’ devices via the DNS-over-HTTPS protocol.

Positive Technologies first documented ChamelGang’s operations back in September 2021. However, that report only focused on the threat group’s use of a Windows toolkit. Stairwell’s new report highlights the expansion of ChamelGang’s malware arsenal along with updates to the group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).

Technical details

Stairwell’s report focuses on ChamelDOH, an implant that facilitates command-and-control (C2) communication via DNS-over-HTTPS (DoH) tunneling – hiding its activity among network traffic and making identification and blocking of the implant’s communication extremely difficult (if not impossible, without visibility into HTTPS traffic).

  • The implant is a large C++ binary that enables remote access to the system it’s running on.
  • The implant uses a modified base64 schema to encode its communications as subdomains for an attacker-controlled nameserver. This allows it to gather system information, enumerate and profile an infected device, and execute basic remote access operations including file uploads, downloads, deletion, and execution.
  • The implant leverages a range of system calls to generate a JSON object containing various pieces of data resulting from reconnaissance.
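The tunneling described above only becomes visible where DoH is terminated on a resolver the defender controls (or where plain DNS logs exist). The following is an added example, not code from Stairwell or the report, of a resolver-log heuristic for the C2 shape described: many distinct, long, base64-like, high-entropy leftmost labels from one client to one registered domain. The log lines, the nameserver domain and the thresholds are constructed for illustration; ChamelDOH's exact modified alphabet is not on the page, so the check keys on generic encoded-label traits.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (client, queried name); not real ChamelDOH
# traffic. Only usable where DoH terminates on a resolver you control.
SAMPLE_QUERIES = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcw.ns-example.test",
    "10.0.0.7 dGVzdCBkYXRhIGZyb20gaG9zdA.ns-example.test",
    "10.0.0.7 c3lzdGVtIGluZm8gY2h1bmsgMQ.ns-example.test",
    "10.0.0.7 Y2h1bmsgMiBvZiB0aGUgb3V0cHV0.ns-example.test",
    "10.0.0.9 cdn.example.com",
]

# Standard and URL-safe base64 characters; a modified alphabet (as ChamelDOH
# reportedly uses) still tends to look like this, but the exact one is unknown.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/_=-]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload chunks score near the maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels); no public-suffix list, to stay offline."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def looks_encoded(name: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """True when the leftmost label is long, base64-like and high-entropy."""
    first = name.split(".")[0]
    return (len(first) >= min_len and BASE64ISH.match(first) is not None
            and shannon_entropy(first) >= min_entropy)

def find_tunnel_candidates(lines, min_unique: int = 3) -> dict:
    """Group encoded-looking names per (client, registered domain) and return
    pairs with several distinct labels, the shape of a subdomain data channel."""
    seen = defaultdict(set)
    for line in lines:
        client, name = line.split()
        if looks_encoded(name):
            seen[(client, registered_domain(name))].add(name.split(".")[0])
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= min_unique}
```

Tune the thresholds against your own baseline; CDNs and some anti-spam services legitimately emit long hashed labels, so treat hits as triage leads rather than verdicts.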

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The attribution of the ChamelDoH implant to the China-linked ChamelGang is possible thanks to the Linux malware’s use of a domain previously associated with the threat actor, as well as a custom privilege escalation tool which was previously covered in the report from Positive Technologies referenced at the beginning of this summary.”

“According to Stairwell, this group has likely devoted significant resources into researching and developing a toolset for Linux intrusions that is as equally robust as the threat group’s Windows-focused arsenal.”

2. New Golang-based Skuld malware steals Discord and browser data from Windows PCs

Trellix recently detailed a new info-stealing malware strain known as Skuld which targets applications like Discord, web browsers, and folders. Skuld’s developer appears to have taken inspiration from various open-source projects and malware samples.

What to know about Skuld

Trellix notes that Skuld has compromised Windows systems across Europe, Southeast Asia, and the U.S. There is also overlap with various publicly available stealers including Creal Stealer, Luna Grabber, and BlackCap Grabber.

During their research, Trellix also spotted a Telegram group sporting the same alias as the one maintained by Skuld’s alleged developer. This could indicate the existence of future plans to promote the Skuld offering as a service to other cybercriminals.

Key takeaways about Skuld

  • The Skuld samples are all written in Golang 1.20.3 and use a wide range of libraries to complete different supported tasks.
  • When starting, the stealer loads some parameters, paths, and regular expressions in an internal string map structure that later supports different modules. After setting up an execution environment, the malware prompts the victim with a fake error message before executing various modules to steal information.
  • Before it begins stealing information, Skuld checks to see if it is being analyzed by a security product or researcher by looking at various properties of the environment. If Skuld confirms it is being watched, it will terminate its execution.
  • Skuld uses three different techniques to check whether its target system is a virtual machine. The first checks whether the screen resolution of the system is more than 200×200 pixels; if not, it assumes it is running in a virtual environment. The second checks whether the total RAM is more than 2,000,000,000 bytes. The third checks different registry keys associated with video and disk information on the system; if any of them contain information related to VMware or VirtualBox, the application terminates.
  • Skuld’s final checks involve obtaining the system’s running processes and comparing them to a predefined blocklist. If any process matches an item on the blocklist, the malware kills the process.
  • After Skuld confirms that it is operating in a real environment and not a virtualized environment, it begins to steal information from the victim.
  • Skuld has various methods for stealing information from Discord. It first attempts to inject JavaScript code into the discord_desktop_core module. To bypass Better Discord security features, the malware will corrupt the file “%APPDATA%\BetterDiscord\data\betterdiscord.asar,” replacing the string “api/webhooks” with the string “ByDeathined.” After injecting its code, Skuld tries to steal the Discord backup codes that are an alternative to MFA codes and take over the account.
  • Skuld then targets information stored by Chromium and Gecko-based browsers. Stolen browser information includes local data, login data, cookies, history, downloads, and session tokens. Once the information is obtained, it is archived and compressed into a file, called “,” and exfiltrated.
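The BetterDiscord tampering above leaves a concrete, checkable artifact: the string “api/webhooks” is gone from betterdiscord.asar and “ByDeathined” takes its place. The following is an added example, not code from Trellix or the Skuld write-up, of an integrity check a responder could run over that file. The sample archive contents are constructed stand-ins; the path mirrors the one quoted in the report.

```python
import os
from pathlib import Path
from typing import Optional

# Strings from the Trellix findings summarised above: Skuld replaces
# "api/webhooks" inside betterdiscord.asar with "ByDeathined".
ORIGINAL_MARKER = b"api/webhooks"
TAMPER_MARKER = b"ByDeathined"

def inspect_asar_bytes(data: bytes) -> dict:
    """Count both markers in the raw archive bytes and give a verdict.
    A raw byte scan suffices because asar stores files uncompressed."""
    original = data.count(ORIGINAL_MARKER)
    tampered = data.count(TAMPER_MARKER)
    if tampered:
        verdict = "tampered"      # Skuld's replacement string is present
    elif original:
        verdict = "clean"         # webhook endpoint string intact
    else:
        verdict = "inconclusive"  # neither string: unknown build or other change
    return {"original": original, "tampered": tampered, "verdict": verdict}

def default_asar_path() -> Path:
    """%APPDATA%\\BetterDiscord\\data\\betterdiscord.asar, as named in the report."""
    return Path(os.environ.get("APPDATA", "")) / "BetterDiscord" / "data" / "betterdiscord.asar"

def inspect_asar_file(path: Optional[str] = None) -> dict:
    """Inspect the on-disk archive; reports 'missing' if BetterDiscord is absent."""
    target = Path(path) if path else default_asar_path()
    if not target.is_file():
        return {"original": 0, "tampered": 0, "verdict": "missing"}
    return inspect_asar_bytes(target.read_bytes())

# Constructed stand-ins for the archive contents (the real file is a binary asar).
CLEAN_SAMPLE = b"...fetch('https://discord.com/api/webhooks/' + id)..."
TAMPERED_SAMPLE = CLEAN_SAMPLE.replace(ORIGINAL_MARKER, TAMPER_MARKER)

if __name__ == "__main__":
    print(inspect_asar_file())
```

An “inconclusive” result is not a clean bill of health; compare the file's hash against a fresh BetterDiscord install before drawing conclusions.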

Who is responsible for Skuld?

The developer behind Skuld goes by the alias ‘Deathined.’ Trellix first found the GitHub of a user with the same alias that had an avatar image URL identical to the icon_url in the Discord webhook footer of Skuld.

The Deathined GitHub account states that its owner knows how to program in Golang, which certainly matches the language of the Skuld malware. The GitHub account was also recently created, in April 2023 — just a few weeks before the investigation by Trellix took place.

Continuing its investigation into the suspected developer’s online persona, Trellix looked for other accounts with the same username and found a Reddit account also created in April. They also discovered a Tumblr account with the same nickname. Lastly, they found a Carrd account that includes a link to the known Twitter account, @deathined.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Skuld is yet another malware to hop on the Golang bandwagon. Trellix nicely sums up the growing concerns surrounding Golang-developed malware:

The rise of Golang malware presents a grave concern in the ever-changing cybersecurity landscape. As Golang gains popularity, cybercriminals have leveraged its strengths to develop new malware variants that pose a serious threat to users and companies.”

3. Massive phishing campaign uses 6,000 sites to impersonate 100 brands

A new report issued by Bolster’s threat research team reveals the discovery of a widespread phishing campaign — reportedly underway since June 2022 — featuring the impersonation of over 100 popular apparel, footwear, and clothing brands in attacks designed to trick victims into entering account credentials and financial information on fraudulent websites.

Campaign details

  • According to BleepingComputer, brands impersonated on the fake sites referenced above include Nike, Puma, Asics, Vans, Adidas, Columbia, and several others.
  • The phishing campaign was discovered by Bolster’s threat research team, whose analysts report that the operation began sometime around June 2022, and exhibited peak phishing activity between November 2022 and February 2023.
  • The campaign relies upon at least 3,000 unique domains and approximately 6,000 sites — including inactive ones.

Phishing infrastructure

Bolster’s report includes an overview of the campaign’s phishing attack infrastructure. The domains associated with this operation were traced by its discoverers back to the autonomous system number (ASN) AS48950.

From Bolster:

These domains’ IP addresses are hosted by two specific internet service providers, Packet Exchange Limited and Global Colocation Limited. It is worth noting that both providers have a negative reputation for fraud risk.

Bolster’s researchers also note that a significant majority of the domains involved (roughly 1,500) are registered with the ALIBABA.COM SINGAPORE E-COMMERCE PRIVATE LIMITED domain registrar. With regards to the length of these domains’ existence, their ages vary. Some are approximately two years old, while a significant portion have recently been registered within the last 90 days or so.

BleepingComputer had this to say regarding the ages of the suspicious domains:

Domain aging is a crucial factor in phishing operations, as the longer a domain stays alive but remains innocuous, the less likely it is to be flagged by security tools as suspicious. Letting a domain age for at least two years is something that Confiant reported last year, observing the tactic in a global malvertising campaign that has been using it successfully since 2018. In the campaign discovered by Bolster, many of the malicious domains survived so long without being reported that Google Search indexed them and are now likely to rank high for specific search terms.

This strategy is especially effective for cybercriminals intent on luring unsuspecting victims to visit phishing sites, with the underlying concept that the average user associates a high Google Search ranking with that domain’s authenticity and trustworthiness.

Of note, the scam’s domains follow a repetitive pattern in which the name of the impersonated brand is combined with the name of a city or country, followed by a generic top-level domain (TLD) such as .com.

According to Bolster’s researchers, the campaign maintained more than 10 fake websites designed to mimic those belonging to a range of popular brands. Each fraudulent domain was reportedly designed in a manner very similar to each company’s authentic website.
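The brand + city/country + generic-TLD naming pattern and the domain-age observation above translate directly into a brand-monitoring triage rule. The following is an added example, not code from Bolster or BleepingComputer: it flags candidate domains that fit the pattern, exempts the brand's own domain and subdomains, and raises the score for domains younger than roughly 90 days. The brand list, official domains, geo tokens and TLD set are constructed for illustration.

```python
from typing import Optional

# Constructed monitoring list: brand keyword -> legitimate domain (assumed, for
# illustration only). Geo tokens and TLDs are likewise a small illustrative set.
BRANDS = {"nike": "nike.com", "puma": "puma.com", "adidas": "adidas.com"}
GEO_TOKENS = {"uk", "usa", "canada", "australia", "london", "paris", "india"}
GENERIC_TLDS = {"com", "net", "org", "shop", "store"}
YOUNG_DOMAIN_DAYS = 90   # the report notes many domains registered within ~90 days

def classify_domain(domain: str):
    """Return (brand, reason) for domains that match the campaign's pattern,
    None for unrelated domains and for the brand's own domain and subdomains."""
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    tld, sld = labels[-1], labels[-2]   # sld = label left of the TLD
    for brand, official in BRANDS.items():
        if domain == official or domain.endswith("." + official):
            return None
        if brand not in sld:
            continue
        # What is left once the brand keyword is removed, e.g. "usa" or "canada"
        remainder = sld.replace(brand, "", 1).strip("-")
        parts = set(remainder.split("-"))
        has_geo = bool(parts & GEO_TOKENS) or any(
            remainder.startswith(t) or remainder.endswith(t) for t in GEO_TOKENS)
        if has_geo and tld in GENERIC_TLDS:
            return brand, "brand+geo+generic TLD"
        return brand, "brand name in registrable label"
    return None

def risk_score(domain: str, age_days: Optional[int] = None) -> int:
    """0-3 triage score: full pattern match (2) or brand hit (1), plus 1 if young."""
    hit = classify_domain(domain)
    if hit is None:
        return 0
    score = 2 if hit[1].startswith("brand+geo") else 1
    if age_days is not None and age_days <= YOUNG_DOMAIN_DAYS:
        score += 1
    return score
```

Feed it newly observed domains from certificate transparency logs or passive DNS, with registration age from WHOIS/RDAP, and route high scores to takedown or blocklist review.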

Recommended actions

Bolster offers some recommendations to help avoid phishing attacks and fake sites that mimic well-known brands.

From Bolster:

Ensure that you are on an official brand website by confirming the original brand’s domain. Keep an eye out for any signs of suspicious domain names. If you come across a deal or product price that seems too good to be true, you should take extra steps to verify the legitimacy of the domain. It’s also critical for businesses to protect their digital assets from brand impersonation attacks to prevent damaging their brand reputation. If customers (or employees, partners, and others in your network) fall victim to a scam pretending to be your organization, it can turn them off from purchasing from you in the future, as well as create bad reviews, bad press, and bad word of mouth.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign is a reminder about why it’s important to maintain a high degree of user awareness and caution — especially when engaging in online shopping and casually browsing eCommerce sites.”

“Phishing campaigns are becoming more and more convincing. This will get worse as cybercriminals gain easier access to artificial intelligence (AI) and machine learning models. It is becoming equally challenging to keep workers up to date with the latest email-borne threats, social engineering methods, and other evolving TTPs that cybercriminals are using.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
