
Skuld Malware

A new information-collecting malware called Skuld, written in the Go programming language, has successfully compromised Windows systems in Europe, Southeast Asia and the U.S.

Skuld is specifically designed to pilfer sensitive information from its victims. To accomplish this, it employs various techniques, including searching for data within applications like Discord and Web browsers, as well as extracting information from the system itself and files stored in the victim's folders.

Interestingly, Skuld exhibits similarities to other publicly available information collectors, such as the Creal Stealer, the Luna Grabber and the BlackCap Grabber. These overlapping characteristics suggest potential connections or shared code among these malware strains. Skuld is believed to be the creation of a developer who operates under the online pseudonym Deathined.

The Skuld Malware Can Terminate Predetermined Processes on the Breached System

Upon execution, the Skuld malware employs several evasion techniques to impede analysis, including checking whether it is running within a virtual environment. This is done to hinder researchers' efforts to understand its behavior and functionality. Additionally, Skuld extracts a list of currently running processes on the infected system and compares it against a predefined blocklist. If any process matches an entry in the blocklist, Skuld does not terminate itself; instead, it terminates the matched process, potentially aiming to neutralize security tools or hinder detection.

In addition to gathering system metadata, Skuld possesses the capability to harvest valuable information, such as cookies and credentials stored in Web browsers. It also targets specific files located in the Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos and OneDrive. By targeting these folders, Skuld aims to access and potentially exfiltrate sensitive user data, including personal files and important documents.

Analysis of the malware's artifacts has revealed its deliberate intention to corrupt legitimate files associated with Better Discord and Discord Token Protector. This threatening activity suggests an attempt to disrupt the functioning of legitimate software used by Discord users. Furthermore, Skuld employs a technique similar to another infostealer based on the Rust programming language, where it injects JavaScript code into the Discord application to extract backup codes. This technique underscores the sophisticated nature of Skuld's information-gathering capabilities and its intention to compromise user accounts and access additional confidential information.

The Skuld Malware May Execute Additional Threatening Activities

Certain samples of the Skuld malware have demonstrated the inclusion of a clipper module, which is designed to manipulate the contents of the clipboard. This module allows Skuld to engage in cryptocurrency theft by replacing cryptocurrency wallet addresses with those controlled by the attackers. The clipper module appears to still be under development, indicating potential future enhancements to Skuld's capabilities in stealing cryptocurrency assets.
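The user-visible symptom of a clipper is that an address-shaped value on the clipboard is replaced, within a fraction of a second, by a different address of the same type. The following is an added detection example, not code from the original page or from the Skuld malware: it runs a swap heuristic over a constructed sequence of clipboard samples. The address regexes are simplified shapes (not full checksum validation), the sample addresses are constructed for the test, and a real deployment would feed the function from an endpoint agent's clipboard poll rather than the inline list.

```python
import re
from datetime import datetime, timedelta

# Simplified wallet-address shapes (assumed patterns, not checksum-validated):
# Bitcoin legacy/P2SH (base58, no 0 O I l), Bitcoin bech32, and Ethereum hex.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed sample values for the test run (not real wallets).
BTC_USER = "1Ex4mpLeAddr3ssSampLeVaLueABCDEFGH"
BTC_SWAP = "3Attacker5ubstituteAddrConstructed"
ETH_A = "0x" + "a" * 40
ETH_B = "0x" + "b" * 40

T0 = datetime(2023, 6, 14, 10, 0, 0)
# (poll timestamp, clipboard text) as an endpoint agent might record it.
SAMPLE_CLIPBOARD = [
    (T0, "meeting notes"),
    (T0 + timedelta(seconds=5), BTC_USER),        # user copies their address
    (T0 + timedelta(seconds=5.3), BTC_SWAP),      # replaced 300 ms later: clipper
    (T0 + timedelta(seconds=60), ETH_A),          # user copies an ETH address
    (T0 + timedelta(seconds=120), ETH_B),         # a different ETH address a minute later
    (T0 + timedelta(seconds=121), "hello"),
]


def classify(text):
    """Return the address type a clipboard value looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipboard_swaps(samples, max_gap=timedelta(seconds=2)):
    """Flag transitions where an address is replaced by a different address of the
    same type within max_gap. A human pasting a new address takes longer than that;
    a clipper rewrites the clipboard almost immediately after the copy."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in samples:
        if prev_text is not None:
            kind = classify(prev_text)
            if (
                kind is not None
                and classify(text) == kind
                and text.strip() != prev_text.strip()
                and ts - prev_ts <= max_gap
            ):
                alerts.append({
                    "ts": ts,
                    "kind": kind,
                    "original": prev_text.strip(),
                    "replacement": text.strip(),
                })
        prev_ts, prev_text = ts, text
    return alerts


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print(f"{alert['ts'].isoformat()} {alert['kind']}: "
              f"{alert['original']} -> {alert['replacement']}")
```

The second ETH address a minute later is deliberately not flagged: the signal is the short gap between two different addresses of the same type, not merely two addresses in a row. Tune `max_gap` to the polling interval of the agent that feeds the samples, and expect clipboard-manager software to need an allowlist.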

The exfiltration of the collected data is achieved through two primary methods. Firstly, the malware leverages an actor-controlled Discord webhook, enabling the attackers to transmit the pilfered information to their infrastructure. Alternatively, Skuld utilizes the Gofile upload service, uploading the collected data as a ZIP file. In this case, a reference URL to access the uploaded ZIP file containing the exfiltrated data is sent to the attacker using the same Discord webhook functionality.
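Both exfiltration paths described above leave a network footprint that a web proxy or egress firewall records: a POST to a Discord webhook URL, and a file upload to Gofile followed shortly by another webhook POST carrying the download link. The following is an added detection example, not code from the original page or from any vendor tooling: it parses a constructed proxy export (a hypothetical "timestamp host method url status bytes_out" format) and flags hosts showing either pattern. The Gofile upload endpoint shape is an assumption used for the sample, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-proxy export (hypothetical format, not from the page):
# "<ISO timestamp> <host> <method> <url> <status> <bytes_out>"
SAMPLE_LOG = """\
2023-06-14T10:02:11Z WS-0417 GET https://www.example.com/ 200 412
2023-06-14T10:02:40Z WS-0417 POST https://discord.com/api/webhooks/1234567890/abcdefgh 204 1987
2023-06-14T10:03:05Z WS-0417 PUT https://store1.gofile.io/uploadFile 200 5248000
2023-06-14T10:03:07Z WS-0417 POST https://discord.com/api/webhooks/1234567890/abcdefgh 204 312
2023-06-14T10:05:00Z WS-0902 POST https://discord.com/api/webhooks/5555555555/zzzz 204 150
2023-06-14T10:06:00Z WS-0311 GET https://gofile.io/d/AbCdEf 200 3000
"""

# Discord webhook endpoint shape: https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+")
# Assumed Gofile upload endpoint shape: https://<store>.gofile.io/uploadFile
GOFILE_UPLOAD_RE = re.compile(r"^https://(?:[\w-]+\.)?gofile\.io/uploadFile")


def parse_log(text):
    """Parse the constructed proxy format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url, status, bytes_out = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "method": method,
            "url": url,
            "status": int(status),
            "bytes_out": int(bytes_out),
        })
    return events


def find_exfil_patterns(events, window=timedelta(minutes=5)):
    """Return {host: sorted finding labels}.

    Findings:
      discord_webhook_post       - any POST to a Discord webhook URL
      gofile_upload              - a POST/PUT to a Gofile upload endpoint
      gofile_upload_then_webhook - a webhook POST within `window` after an upload,
                                   the link-delivery sequence described for Skuld
    """
    findings = defaultdict(set)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    for host, evs in by_host.items():
        last_upload = None
        for ev in evs:
            if ev["method"] in ("POST", "PUT") and GOFILE_UPLOAD_RE.match(ev["url"]):
                findings[host].add("gofile_upload")
                last_upload = ev["ts"]
            elif ev["method"] == "POST" and WEBHOOK_RE.match(ev["url"]):
                findings[host].add("discord_webhook_post")
                if last_upload is not None and ev["ts"] - last_upload <= window:
                    findings[host].add("gofile_upload_then_webhook")
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in find_exfil_patterns(parse_log(SAMPLE_LOG)).items():
        print(host, ", ".join(labels))
```

A bare webhook POST is a weak signal on its own, since many legitimate integrations use Discord webhooks; the upload-then-webhook sequence from the same host is the stronger indicator. A plain GET of a Gofile download page (WS-0311 in the sample) is deliberately not flagged.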

The presence of Skuld and its evolving features showcases a growing trend among threat actors to utilize the Go programming language. Go's simplicity, efficiency, and cross-platform compatibility have made it an attractive choice for attackers. By leveraging Go, threat actors can target multiple operating systems and expand their potential victim pool, highlighting the need for robust security measures across various platforms.
