DarkCloud Stealer Uses Novel Infection Chain and ConfuserEx Obfuscation Techniques

Unit 42 researchers have identified a significant evolution in the distribution tactics of DarkCloud Stealer, an infostealer whose shift in delivery mechanisms was first observed in early April 2025.

This update introduces a novel infection chain that incorporates advanced obfuscation via ConfuserEx, culminating in a Visual Basic 6 (VB6) payload designed to thwart static and dynamic analysis.

Obfuscation Strategies

Previously documented attacks relied on AutoIt scripting for evasion, but the latest variants employ multi-layered encryption and protection schemes across three distinct chains, each initiated by phishing emails containing TAR, RAR, or 7Z archives.

These archives deliver obfuscated JavaScript (JS) or Windows Script Files (WSF), which in turn fetch PowerShell (PS1) scripts from open directory servers.

Figure: Open directory server hosting PS1 files.

The PS1 scripts, Base64-encoded and AES-encrypted, drop and execute ConfuserEx-protected executables that embed the final DarkCloud payload.

This chain’s complexity, including javascript-obfuscator for JS files and custom AES decryption in PS1, underscores the threat actors’ focus on complicating reverse engineering while maintaining broad compatibility with Windows environments.

Technical Breakdown of ConfuserEx

Delving into the malware’s structure, the ConfuserEx-protected .NET executable features anti-tampering through runtime method body decryption in the module constructor, symbol renaming to non-ASCII identifiers, control flow obfuscation with opaque predicates, proxy call methods for hiding direct invocations, and constant encoding.

Figure: Infection chain of recent DarkCloud attacks.

According to the report, researchers defeated these protections with tools such as AntiTamperKiller to remove the invalid instructions inserted by the anti-tamper layer, de4dot-cex for symbol restoration and control flow unflattening, and proxy call removers to simplify the logic, revealing standard .NET methods such as Convert.FromBase64String.

The final payload is stored in Triple DES (3DES) encrypted form inside a Length-Value formatted byte array, which the .NET stage initializes through XOR and bitwise operations on a large unsigned integer array. Once decrypted, it is injected via process hollowing into a suspended instance of the legitimate RegAsm.exe process.

This RunPE technique allows the VB6-based DarkCloud executable to execute stealthily, with embedded strings like “DARKCLOUD” confirming its identity.

Critical strings, including regular expressions, registry paths, file extensions, and Telegram API credentials for command-and-control (C2), are further encrypted using RC4 with unique keys per ciphertext, enhancing anti-analysis resilience.
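The per-ciphertext RC4 keying described above means an analyst cannot recover the string table with one key; each call site yields its own (key, ciphertext) pair. The following script is an added example for analysts, not DarkCloud's code and not taken from the Unit 42 report: it implements standard RC4, batch-decrypts a table of such pairs and triage-labels each result by the categories the article names (regex, registry path, extension list, URL). The pairs it decrypts are constructed inline with the same routine, so the output is known in advance; on a real sample they would be lifted from the decryption call sites in the disassembly, and the Telegram token and chat id shown are placeholders.

```python
"""Recover RC4-protected strings when every ciphertext carries its own key.

Added analyst example; it is not DarkCloud's code. The (key, ciphertext)
pairs below are constructed here, so decryption simply recovers known
plaintexts. On a real sample the pairs come from the disassembly.
"""
import re
from typing import Iterable, List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def classify(plaintext: str) -> str:
    """Rough triage label for a recovered string (categories named in the article)."""
    if re.match(r"^hxxps?://|^https?://", plaintext, re.I):
        return "url"
    if plaintext.upper().startswith(("HKEY_", "HKCU\\", "HKLM\\")):
        return "registry-path"
    if re.fullmatch(r"(\.[A-Za-z0-9]+[;, ]*)+", plaintext):
        return "extension-list"
    if any(ch in plaintext for ch in "[]()\\+*^$|"):
        return "regex"
    return "other"


def decrypt_string_table(table: Iterable[Tuple[bytes, bytes]]) -> List[Tuple[str, str]]:
    """Decrypt each (key, ciphertext) pair and label it; non-text output is hex-dumped."""
    results = []
    for key, ct in table:
        pt = rc4(key, ct)
        try:
            text = pt.decode("ascii")
            results.append((classify(text), text))
        except UnicodeDecodeError:
            results.append(("binary", pt.hex()))   # keep the analyst aware of non-text blobs
    return results


# Constructed plaintexts of the kinds the article says are protected. The
# Telegram bot token and chat id are placeholders, not values from any sample.
SAMPLE_PLAINTEXTS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"[\w.+-]+@[\w-]+\.[\w.]+",
    ".txt;.pdf;.docx;",
    "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage?chat_id=<CHAT_ID_PLACEHOLDER>",
]
SAMPLE_KEYS = [b"k0-4f2a", b"k1-91c3", b"k2-0be7", b"k3-d5a8"]   # one distinct key per string
SAMPLE_TABLE = [(k, rc4(k, p.encode("ascii"))) for k, p in zip(SAMPLE_KEYS, SAMPLE_PLAINTEXTS)]


if __name__ == "__main__":
    for label, text in decrypt_string_table(SAMPLE_TABLE):
        print(f"{label:15} {text}")
```

The classifier is deliberately coarse: its job is to let an analyst sort a few hundred recovered strings into buckets for the C2 and persistence review, not to be exact. Keeping the key next to each ciphertext in the table mirrors how the strings are laid out when each one is protected with its own key.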

The malware’s use of ActiveX objects for downloads and executions, combined with random file naming in temporary directories, facilitates persistence and data exfiltration to Telegram bots.

This adaptation in DarkCloud’s tactics highlights an ongoing arms race in cyber threats, where obfuscation layers like ConfuserEx and VB6 integration aim to bypass traditional signature-based detections, emphasizing the need for behavior-based analytics.

Security teams should prioritize monitoring for anomalous process injections, encrypted script executions, and connections to known malicious IPs.
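To make those monitoring priorities concrete, the script below is an added example for defenders (not detection content from the Unit 42 report or any Palo Alto Networks product). It runs a handful of behavioural rules over constructed endpoint telemetry that follows the chain described in this article: a script host executing a JS/WSF file from a user-writable folder, PowerShell spawned by that script host or run hidden with Base64-decoding logic, a dropped executable matching a known hash, RegAsm.exe started by something other than a build tool, and a non-browser process contacting the Telegram bot API. The event schema and field names are assumed; the two hashes and the IP address come from the article's IoC table, and everything else in the sample events is constructed.

```python
"""Flag endpoint telemetry that matches the chain described in the article:
archived JS/WSF -> PowerShell -> dropped .NET EXE -> hollowed RegAsm.exe -> Telegram C2.

Added defender example, not the report's or any vendor's detection logic. The
event schema is assumed and every event below is constructed; only the two
hashes and the IP are taken from the article's IoC table.
"""
import re
from typing import Dict, List, Tuple

KNOWN_SHA256 = {
    "24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4",  # ConfuserEx .NET EXE
    "ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194",  # DarkCloud VB6 EXE
}
KNOWN_BAD_IPS = {"176.65.142.190"}           # distribution server from the IoC table
C2_HOSTS = {"api.telegram.org"}              # Telegram bot API used for exfiltration

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
DEV_TOOLS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}    # assumed legitimate RegAsm parents
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata\\(local|roaming))\\", re.I)
ENCODED_PS = re.compile(r"-enc\w*\s|frombase64string|-w(indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[str]:
    """Rules for process-creation events; returns the names of the rules that fired."""
    hits = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev.get("cmdline", "")
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("ioc-hash")
    # script host running a .js/.wsf that sits in a user-writable folder
    if image in SCRIPT_HOSTS and re.search(r"\.(js|wsf)\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("script-host-from-user-dir")
    # PowerShell spawned by a script host, or run hidden / with Base64-decoding logic
    if image == "powershell.exe" and (parent in SCRIPT_HOSTS or ENCODED_PS.search(cmd)):
        hits.append("powershell-encoded-or-scripthost-child")
    # RegAsm.exe started by a non-build-tool parent, e.g. a dropper living in %TEMP%
    if image == "regasm.exe" and parent not in DEV_TOOLS and (
        USER_WRITABLE.search(ev["parent_image"]) or parent in SCRIPT_HOSTS | {"powershell.exe"}
    ):
        hits.append("regasm-unexpected-parent")
    return hits


def check_network(ev: Dict) -> List[str]:
    """Rules for outbound-connection events."""
    hits = []
    if ev.get("dest_ip") in KNOWN_BAD_IPS:
        hits.append("ioc-ip")
    if ev.get("dest_host") in C2_HOSTS and basename(ev["image"]) not in BROWSERS:
        hits.append("telegram-api-from-non-browser")
    return hits


def evaluate(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run each event through the matching rule set; returns (pid, rule) findings."""
    findings = []
    for ev in events:
        rules = check_process(ev) if ev["type"] == "process" else check_network(ev)
        findings.extend((ev["pid"], r) for r in rules)
    return findings


# Constructed telemetry: two benign events, then a chain shaped like the article's.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\x9k2.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "image": REGASM, "cmdline": "RegAsm.exe MyLib.dll",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe"},
    {"type": "network", "pid": 101, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_ip": "203.0.113.5"},
    {"type": "process", "pid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\7zO1234\invoice.js"'},
    {"type": "process", "pid": 201, "image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'powershell.exe -w hidden -c "[Convert]::FromBase64String($blob)"'},
    {"type": "network", "pid": 201, "image": PS, "dest_ip": "176.65.142.190"},
    {"type": "process", "pid": 202, "image": DROPPER, "parent_image": PS, "cmdline": "x9k2.exe",
     "sha256": "24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4"},
    {"type": "process", "pid": 203, "image": REGASM, "parent_image": DROPPER, "cmdline": "RegAsm.exe"},
    {"type": "network", "pid": 203, "image": REGASM, "dest_host": "api.telegram.org", "dest_ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The hash and IP rules are the cheapest but also the most brittle, since a rebuilt dropper or a new hosting server defeats them; the parent-child and destination rules encode the behaviour the article highlights (script host to PowerShell, RegAsm.exe with an unexpected parent, RegAsm.exe reaching the Telegram API) and keep firing when the indicators change. The benign MSBuild and browser events show why the parent and process allow-lists are needed to keep those behavioural rules from paging on ordinary developer activity.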

Palo Alto Networks products, including Advanced WildFire for machine-learning-driven analysis, Advanced URL Filtering and DNS Security for blocking associated domains, and Cortex XDR/XSIAM for preventing unknown malware via behavioral threat protection, offer robust defenses.

In cases of suspected compromise, immediate engagement with incident response teams is advised to mitigate risks from this evolving infostealer.

Indicators of Compromise

Indicator type                    Value (SHA256 hash, or URL shown defanged)
RAR archive                       bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9
TAR archive                       9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1
JS file                           6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7
PS1 file                          f6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140
WSF file                          72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8
7Z archive                        fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca
7Z archive                        2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7
Initial ConfuserEx .NET EXE file  24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4
Final DarkCloud VB6 EXE file      ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194
Malware distribution URL          hxxp://176.65.142.190
C2 URL                            hxxps://api.telegram.org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755
