New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
Summary
Palo Alto Networks’ Unit 42 recently identified an attack chain delivering the DarkCloud Stealer, which leveraged obfuscation by ConfuserEx and a final payload written in Visual Basic 6 (VB6).
The initial ConfuserEx-protected payload launches the legitimate .NET RegAsm tool; the result is an injected executable, the final payload written in VB6.
In the attack chain, a phishing email carries either a tarball (TAR), Roshal Archive (RAR) or 7-Zip (7Z) archive.
When the RAR or 7Z archive is opened, an extracted file can execute a script that downloads and runs a PowerShell (PS1) file, which in turn drops and runs the ConfuserEx-protected final DarkCloud payload.
In the case of the TAR archive, a script inside the archive, once run, downloads and runs a PS1 file that drops and runs the ConfuserEx-protected VB6 payload.
The VB6 payload is injected into a new native Portable Executable (PE) process spawned by the initial ConfuserEx process.
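The chain above (archive, script, PowerShell, dropped executable, RegAsm launched as an injection host) leaves a recognisable process ancestry. The following is an added example of a hunt over process-creation telemetry, not code from Unit 42 or from the report; the event schema, the sample events, the helper names and the heuristics (RegAsm whose parent runs from a user-writable path, RegAsm with a script host in its ancestry, RegAsm launched without an assembly argument) are all assumptions of this example, not findings stated on the page.

```python
"""Hunt for RegAsm.exe launches that look like the DarkCloud-style chain.

Added example; assumes a flat (pid, ppid, image, cmdline) event schema that
real sources such as Sysmon event ID 1 or EDR telemetry would be mapped to.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Path fragments that a standard user can write to (heuristic, lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# Script hosts that the described chain passes through before the dropped EXE.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    return any(tok in path.lower() for tok in USER_WRITABLE)


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Return [ev, parent, grandparent, ...] using ppid links; stops on unknown or cyclic pids."""
    chain, cur, seen = [ev], ev, {ev.pid}
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_suspicious_regasm(events: list) -> list:
    """Return one finding per RegAsm.exe launch that trips at least one heuristic."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "regasm.exe":
            continue
        chain = ancestry(ev, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        reasons = []
        if parent is not None and is_user_writable(parent.image):
            reasons.append("parent runs from user-writable path")
        if any(basename(a.image) in SCRIPT_HOSTS for a in chain[1:]):
            reasons.append("script host in ancestry")
        # Legitimate RegAsm use names an assembly to register; a bare launch is odd.
        if ev.cmdline.strip().rstrip('"').lower().endswith("regasm.exe"):
            reasons.append("launched without an assembly argument")
        if reasons:
            findings.append({"pid": ev.pid, "reasons": reasons,
                             "chain": [basename(a.image) for a in chain]})
    return findings


# Constructed sample telemetry: one benign RegAsm use and one chain shaped like the report's.
SAMPLE_EVENTS = [
    ProcEvent(10, 1, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(11, 10, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'RegAsm.exe "C:\Build\MyLib.dll" /codebase'),
    ProcEvent(20, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(21, 20, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'),
    ProcEvent(22, 21, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    ProcEvent(23, 22, r"C:\Users\alice\AppData\Roaming\update.exe", "update.exe"),
    ProcEvent(24, 23, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]

if __name__ == "__main__":
    for f in find_suspicious_regasm(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' <- '.join(f['chain'])}  [{'; '.join(f['reasons'])}]")
```

The benign Visual Studio launch is not reported because its parent lives under Program Files, no script host sits above it, and it passes an assembly path; the second RegAsm launch trips all three heuristics. On real data, tune USER_WRITABLE and SCRIPT_HOSTS to the environment and treat any single hit as a triage lead rather than a verdict.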
By Pranay Kumar Chhaparwal, Benjamin Chang and Lee Wei Yeong