Beware! Golang-Based Skuld Malware Stealing Discord and Browser Data from Windows PCs


A newly discovered information stealer, Skuld, built using the Golang programming language, has successfully compromised Windows systems in Europe, Southeast Asia, and the United States.

According to Ernesto Fernández Provecho, a researcher at Trellix, “this malware strain aims to steal sensitive data from its victims by searching through applications like Discord and web browsers and collecting system information and files stored in the victim’s folders.”

Let’s learn more

Skuld, created by a developer known as Deathined on social media platforms such as GitHub, Twitter, Reddit, and Tumblr, shares similarities with other publicly available stealers like Creal Stealer, Luna Grabber, and BlackCap Grabber.

[Image. Source: Trellix]

Trellix researchers also discovered a Telegram group called Deathinews, indicating that the developer may use these online platforms to promote the malware as a service for other threat actors.

[Image. Source: Trellix]

What does it do?

  • The malware first checks whether it is running in a virtual environment, to avoid detection and analysis.
  • It then compiles a list of running processes and compares it against a predefined blocklist.
  • If any process matches the blocklist, Skuld terminates that process instead of removing itself.

In addition to gathering system metadata, Skuld can extract cookies and credentials stored in web browsers, as well as files in Windows user profile folders such as Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.

Trellix’s analysis revealed that Skuld is designed to tamper with legitimate files associated with Better Discord and Discord Token Protector. It also injects JavaScript code into the Discord app to steal backup codes, using a technique similar to that of another information stealer written in Rust, recently documented by Trend Micro.

Specific samples of Skuld include a clipper module, which alters the clipboard’s content and attempts to steal cryptocurrency assets by replacing wallet addresses. This feature is believed to be under development.

What’s the process?

The stolen data is exfiltrated using a Discord webhook controlled by the threat actor or through the Gofile upload service. In the latter case, a reference URL to the uploaded ZIP file containing the stolen data is sent to the attacker via the same Discord webhook functionality.
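The exfiltration chain described above (an upload to Gofile, then the reference URL posted to a Discord webhook, or the data posted straight to the webhook) is something a defender can look for in outbound web traffic. The following detector is an added example and is not code from the original article or from Trellix; it runs over constructed proxy-style log lines whose field layout (`host=`, `proc=`, `method=`, `url=`) is an assumption rather than any real product's format, and the `store<N>.gofile.io/uploadFile` upload shape is likewise an assumption drawn from Gofile's public API. It raises a high-severity finding when one process on one host does both a Gofile upload and a Discord webhook POST within a short window, and a medium-severity finding for any webhook POST from an endpoint process that is not explicitly allowed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). The field layout is an assumption.
SAMPLE_LOG = """\
2023-06-15T10:01:02Z host=WS-01 proc=chrome.exe method=GET url=https://discord.com/app
2023-06-15T10:01:05Z host=WS-01 proc=updater.exe method=POST url=https://store1.gofile.io/uploadFile
2023-06-15T10:01:09Z host=WS-01 proc=updater.exe method=POST url=https://discord.com/api/webhooks/1234567890/AbCdEf-ghIjKl_mn
2023-06-15T10:02:11Z host=WS-02 proc=Discord.exe method=POST url=https://discord.com/api/v9/channels/1/messages
2023-06-15T10:03:30Z host=WS-03 proc=python.exe method=POST url=https://discordapp.com/api/webhooks/99/tok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$"
)
# Discord webhook endpoints: discord.com, the legacy discordapp.com domain, and the ptb/canary builds.
WEBHOOK_RE = re.compile(r"^https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Gofile upload endpoint. The store<N>.gofile.io/uploadFile shape is an assumption.
GOFILE_RE = re.compile(r"^https://[\w-]+\.gofile\.io/uploadFile")

# Upload followed by webhook POST within this window is treated as one exfiltration chain.
CORRELATION_WINDOW = timedelta(minutes=5)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify(rec):
    """Return 'webhook', 'gofile' or None for one parsed record (only POSTs count)."""
    if rec["method"] != "POST":
        return None
    if WEBHOOK_RE.match(rec["url"]):
        return "webhook"
    if GOFILE_RE.match(rec["url"]):
        return "gofile"
    return None


def detect(log_text, allowed_webhook_procs=frozenset()):
    """Group suspicious POSTs per (host, process) and rate them.

    allowed_webhook_procs: lower-cased process names for which webhook POSTs
    are expected (e.g. an approved automation tool); they are not flagged.
    """
    events = defaultdict(list)  # (host, proc) -> [(timestamp, kind)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        if kind == "webhook" and rec["proc"].lower() in allowed_webhook_procs:
            continue
        events[(rec["host"], rec["proc"])].append((rec["ts"], kind))

    findings = []
    for (host, proc), evs in events.items():
        evs.sort()
        kinds = {k for _, k in evs}
        span = evs[-1][0] - evs[0][0]
        if {"webhook", "gofile"} <= kinds and span <= CORRELATION_WINDOW:
            severity = "high"    # Gofile upload plus webhook POST: the chain described for Skuld
        elif "webhook" in kinds:
            severity = "medium"  # webhook POST from an endpoint process is unusual on its own
        else:
            severity = "low"     # Gofile upload alone: worth a look, could be legitimate sharing
        findings.append({"host": host, "proc": proc, "severity": severity, "events": sorted(kinds)})
    return sorted(findings, key=lambda f: (f["host"], f["proc"]))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The browser's GET to discord.com and the Discord client's own POST to the messages API are deliberately ignored: the signal is a POST to the webhook path from a process that has no business sending webhooks, not Discord traffic as such. In a real deployment the process name would come from an EDR or proxy product that attributes connections to processes, and the allowlist would be tuned to the environment.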

[Image. Source: JSDeliver]

Skuld is built using the Go programming language, which reflects a growing trend among threat actors who appreciate its simplicity, efficiency, and compatibility with multiple operating systems. This makes Go appealing for targeting several platforms at once and expanding the pool of potential victims.

Moreover, the compiled nature of Go allows malware authors to create binary executables that are more difficult to analyze and reverse engineer. As a result, security researchers and traditional anti-malware solutions face more significant challenges in effectively detecting and mitigating these types of threats.

Conclusive remarks

The prevalence of Golang malware is a growing concern, as the language makes it easier to produce new malware variants and so raises the overall level of risk. Skuld is a prime example. We still do not know how stealthy it may become, as more features are yet to be discovered.

A further concern is that the author might sell the malware through communication channels that are difficult to control. Be wary and stay safe!

Author: PureVPN

Date: June 15, 2023
