Skuld Infostealer Malware Used Against Targets Across the World


Skuld, a newly discovered information stealer written in Golang, has successfully compromised Windows systems in Europe, Southeast Asia, and the United States.

According to an analysis by Trellix researcher Ernesto Fernández Provecho, this fresh strain of malware has a primary objective of pilfering sensitive data from its victims. It achieves this by searching for valuable information stored in applications like Discord and web browsers, as well as system data and files within the victim's folders.

Skuld bears similarities to other known stealers such as Creal Stealer, Luna Grabber, and BlackCap Grabber. Its creator, who is known online as Deathined on platforms like GitHub, Twitter, Reddit, and Tumblr, appears to be actively promoting this malware through a Telegram group named deathinews.

To impede analysis efforts, Skuld checks if it's operating within a virtual environment upon execution. It then compiles a list of running processes and compares it to a predefined blocklist. If any process matches those on the blocklist, Skuld terminates the matched process instead of self-terminating.

Skuld's Full List of Capabilities

In addition to gathering system metadata, Skuld is capable of harvesting cookies, credentials, and files from various Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.

Trellix's investigation into the malware revealed that Skuld is designed to tamper with legitimate files associated with Better Discord and Discord Token Protector. By injecting JavaScript code into the Discord app, it can extract backup codes, employing a technique reminiscent of a recently documented Rust-based infostealer analyzed by Trend Micro.

Certain samples of Skuld also include a clipper module, which modifies clipboard content and facilitates the theft of cryptocurrency assets by replacing wallet addresses. Trellix speculates that this module is still under development.

Data stolen by Skuld is exfiltrated using an actor-controlled Discord webhook or the Gofile upload service. In the latter case, the stolen data is uploaded as a ZIP file and the resulting Gofile reference URL is then delivered to the attacker through the same Discord webhook functionality.
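The two exfiltration channels named above (Discord webhooks and Gofile) are a natural detection point, because neither is something a random executable in a user's Temp folder should be talking to. The following Go program is an added example written for this article, not code from Trellix or from the malware itself: it runs a simple rule over constructed network-connection records (the `NetEvent` shape, the allowlist of expected process names, and the sample events are all assumptions) and flags any unexpected process contacting a Discord webhook path or a Gofile host.

```go
package main

import (
	"fmt"
	"strings"
)

// NetEvent is a simplified network-connection record, similar in shape to what an
// EDR sensor or Sysmon Event ID 3 plus a proxy log would provide. The field names
// are assumptions for this example, not a real product schema.
type NetEvent struct {
	Image    string // full path of the process that opened the connection
	DestHost string // destination hostname (from DNS, SNI, or a proxy log)
	URLPath  string // request path, when a proxy or TLS-inspecting sensor supplies it
}

// Alert records which process was flagged and why.
type Alert struct {
	Image  string
	Reason string
}

// Exfiltration endpoints described in the Trellix analysis of Skuld: Discord webhooks
// (identified by the /api/webhooks/ path) and the Gofile upload service (any host
// under gofile.io, since the path is not needed to recognise it).
var exfilPatterns = []struct {
	hostSuffix string
	pathPrefix string
	reason     string
}{
	{"discord.com", "/api/webhooks/", "POST to Discord webhook"},
	{"discordapp.com", "/api/webhooks/", "POST to Discord webhook"},
	{"gofile.io", "", "connection to Gofile upload service"},
}

// Processes expected to reach these services legitimately. This allowlist is an
// assumption for the example and must be tuned per environment.
var expectedImages = map[string]bool{
	"discord.exe": true,
	"chrome.exe":  true,
	"msedge.exe":  true,
	"firefox.exe": true,
}

// baseName returns the lower-cased file name of a Windows or POSIX path.
func baseName(image string) string {
	image = strings.ReplaceAll(image, "\\", "/")
	return strings.ToLower(image[strings.LastIndex(image, "/")+1:])
}

// hostMatches is true for the domain itself and any of its subdomains.
func hostMatches(host, suffix string) bool {
	host = strings.ToLower(host)
	return host == suffix || strings.HasSuffix(host, "."+suffix)
}

// Detect returns one alert for every event in which a process outside the
// allowlist contacts a Skuld-style exfiltration endpoint.
func Detect(events []NetEvent) []Alert {
	var alerts []Alert
	for _, ev := range events {
		if expectedImages[baseName(ev.Image)] {
			continue
		}
		for _, p := range exfilPatterns {
			if hostMatches(ev.DestHost, p.hostSuffix) && strings.HasPrefix(ev.URLPath, p.pathPrefix) {
				alerts = append(alerts, Alert{Image: ev.Image, Reason: p.reason})
				break
			}
		}
	}
	return alerts
}

// SampleEvents returns constructed records: two benign Discord/browser connections,
// one benign Windows Update connection, and two from an unexpected Temp-folder binary.
func SampleEvents() []NetEvent {
	return []NetEvent{
		{`C:\Users\victim\AppData\Local\Discord\app-1.0\Discord.exe`, "discord.com", "/api/v9/users/@me"},
		{`C:\Program Files\Google\Chrome\Application\chrome.exe`, "discord.com", "/api/webhooks/111/aaa"},
		{`C:\Windows\System32\svchost.exe`, "update.microsoft.com", "/"},
		{`C:\Users\victim\AppData\Local\Temp\update.exe`, "discord.com", "/api/webhooks/222/bbb"},
		{`C:\Users\victim\AppData\Local\Temp\update.exe`, "store5.gofile.io", "/uploadFile"},
	}
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("ALERT %-55s %s\n", a.Image, a.Reason)
	}
}
```

Running the program flags only the two connections from the Temp-folder binary. The rule depends on seeing the request path for Discord, because without TLS inspection or a proxy log a webhook POST is indistinguishable from ordinary Discord client traffic at the hostname level; in that situation the process allowlist alone (any non-browser, non-Discord process reaching discord.com or gofile.io) is the signal to fall back on.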

This development showcases the growing popularity of the Go programming language among threat actors. Its simplicity, efficiency, and cross-platform compatibility make it an appealing choice for targeting multiple operating systems and expanding the pool of potential victims.

Fernández Provecho further emphasized that Golang's compiled nature makes it challenging for security researchers and traditional anti-malware solutions to detect and mitigate these threats effectively, as malware authors can produce binary executables that are difficult to analyze and reverse engineer.

June 15, 2023