The DarkCloud infostealer is being spread via a new attack chain leveraging ConfuserEx-based obfuscation, Palo Alto Networks Unit 42 reported Thursday.

The open-source ConfuserEx obfuscation method for .NET applications uses a combination of several techniques to obscure the code and protect it from detection, modification and analysis.

The attacks originate from phishing emails with TAR, RAR or 7-Zip (7Z) attachments, which contain either JavaScript (JS) or Windows Script File (WSF) scripts. The JS scripts are obfuscated using the open-source tool javascript-obfuscator. These scripts download and run additional PowerShell from a remote, open-directory server, which then drops the ConfuserEx-obfuscated DarkCloud payload, written in Visual Basic 6 (VB6).

ConfuserEx changes class, method and variable names to random non-ASCII symbols, encodes constants and employs control flow flattening through the use of opaque predicates, making it difficult to understand the code's behavior.

Proxy call method obfuscation is also used: this technique disguises method calls by first calling intermediate methods that then forward the calls to the intended methods.

Additionally, ConfuserEx leverages anti-tampering via method encryption, where encrypted method bodies are only decrypted at runtime.

The ConfuserEx obfuscation can be defeated through a multi-step workflow, as described by Palo Alto Networks Unit 42, starting with the use of a tool called AntiTamperKiller.

Once the anti-tampering protection is removed, the open-source ConfuserEx decoder tool de4dot-cex further cleans up the code, deobfuscating the random symbols and unmasking the control flow.

Lastly, another open-source tool called ProxyCall-Remover reveals the code's method calls, and the DarkCloud VB6 payload, which is 3DES encrypted, can be analyzed after decryption.

Strings within the payload, including registry paths, credit card names and Telegram API credentials for command-and-control (C2) communications, were also noted to be encrypted using the RC4 algorithm.

The DarkCloud sample analyzed by Unit 42 utilizes process hollowing to hide its execution within the legitimate RegAsm.exe utility process. Similar process hollowing, using MSBuild.exe, was described in another recent analysis by Fortinet's FortiGuard Labs, which was also published Thursday.

The sample analyzed by FortiGuard Labs followed a somewhat different attack chain that retrieved a JPEG image from the Internet Archive, which hid the final encrypted payload using steganography.

DarkCloud acts as an infostealer targeting various information, including basic system information, credentials and payment information from web browsers, and email contacts, and exfiltrates the data using either File Transfer Protocol (FTP) or Simple Mail Transfer Protocol (SMTP).

The evolving evasion techniques of the DarkCloud malware family demonstrate the limitations of static analysis methods, with Unit 42 recommending the use of proactive, behavior-based detection methods to combat the threat.
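One form the behavior-based detection recommended above can take is a process-ancestry check for the two hollowing hosts the article names. This is an added example, not code from Unit 42, FortiGuard Labs or the original article; the event field names, the script-host list and the "no arguments" heuristic are assumptions, and the sample events are constructed.

```python
import ntpath
import shlex

# The article names only RegAsm.exe and MSBuild.exe as hollowing hosts.
HOLLOW_HOSTS = {"regasm.exe", "msbuild.exe"}
# Assumed interpreters for the JS/WSF and PowerShell stages of the chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed process-creation events (hypothetical field names), not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\Downloads\invoice.js"},
    {"pid": 320, "ppid": 210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"pid": 430, "ppid": 320,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": "RegAsm.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\VS\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 510, "ppid": 500, "image": r"C:\VS\MSBuild\MSBuild.exe",
     "cmd": "MSBuild.exe app.sln"},
]

def name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()

def ancestry(pid, by_pid):
    """Yield ancestor image names, nearest first; stops on unknown or repeated parents."""
    seen, ev = set(), by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield name(ev["image"])

def find_suspicious(events):
    """Flag RegAsm/MSBuild processes that descend from a script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if name(e["image"]) not in HOLLOW_HOSTS:
            continue
        chain = list(ancestry(e["pid"], by_pid))
        if any(a in SCRIPT_HOSTS for a in chain):
            # Assumed extra signal: a build/registration tool started with no arguments.
            no_args = len(shlex.split(e["cmd"], posix=False)) <= 1
            hits.append({"pid": e["pid"], "chain": chain, "no_args": no_args})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```

On real telemetry, key the lookup on a unique per-process identifier rather than the PID, since PIDs are reused.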
Malware, Threat Intelligence, Encryption
New DarkCloud infostealer campaign leverages ConfuserEx obfuscation




