Skuld Stealer is a type of malware that is designed to steal sensitive information from infected systems. It is written in the Go programming language and is known for its data exfiltration capabilities. Skuld Stealer can extract various types of data, including device information, browsing activity, credentials, personally identifiable information, and cryptocurrency wallet addresses.
Skuld specifically targets browsers based on Chromium and Gecko, as well as the Discord messaging platform. Skuld Stealer may also have additional functionalities such as terminating security processes and downloading files from specific folders. Its presence on a device can lead to severe privacy issues, financial losses, and identity theft. It is important to take preventive measures to avoid the installation of such malware and to promptly eliminate any detected threats.
Overview of Skuld Stealer
| Attribute | Details |
|---|---|
| Name | Skuld |
| Detection | Trojan:Win32/Wacatac.B!ml |
| Similar behavior | Powerdrop, Stealth Soldier, GreetingGhoul |
| Damage | When Skuld malware infiltrates a system, it can result in dire consequences, including the theft of passwords and banking information, identity theft, and the victim’s computer being added to a botnet. |
Once launched on a system, Skuld may display a fake error message to divert attention. This malware stealer employs anti-analysis techniques, detecting if it runs on a virtual machine or in a sandbox environment. Skuld can also terminate unwanted processes, including security tools.
The stealer initiates its operations by gathering relevant device data such as the device name, CPU, GPU, RAM, operating system (OS) version, username, IP address (geolocation), MAC address, Windows license key, and more.
Skuld can extract browsing activity-related data, downloads, session tokens (for Chromium-based browsers), internet cookies, usernames/passwords, personally identifiable details, and other data from browsers based on Chromium and Gecko (see the full list below). Skuld Stealer also targets data associated with the Discord messaging platform to steal victims’ accounts.
Some versions of Skuld can download files from various folders, including desktop, documents, pictures, music, videos, downloads, and OneDrive. Several variants also possess clipper-type functionalities. They detect when a cryptocurrency wallet address is copied into the clipboard and replace it with one belonging to the cyber criminals.
However, the clipper module appears to still be in development in the researched Skuld versions. Only the Bitcoin (BTC) cryptocurrency targeting clipper ability has been fully implemented. Other targeted digital currencies include Cardano (ADA), Chia (XCH), Coinchase (CCH), Dash (DASH), Ethereum (ETH), Litecoin (LTC), Monero (XMR), and Popchain (PCH).
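Added example (not part of the original article and not Skuld's own code): a defender-side heuristic, in Python, for the BTC clipper behaviour described above. It validates legacy Base58Check Bitcoin addresses and flags the trace a clipper leaves, a copied address that reappears in the clipboard as a different valid address; the sample addresses and clipboard events are constructed for the demonstration, and names such as `detect_clipper_swap` are this example's own.

```python
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    """First 4 bytes of double-SHA256, the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload with its 4-byte checksum (used here only to build samples)."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def is_btc_address(text: str) -> bool:
    """True if text is a well-formed legacy (P2PKH/P2SH) address with a valid checksum."""
    if not text or any(c not in ALPHABET for c in text):
        return False
    num = 0
    for c in text:
        num = num * 58 + ALPHABET.index(c)
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # 0x00 = P2PKH, 0x05 = P2SH
        return False
    return _checksum(raw[:-4]) == raw[-4:]


def detect_clipper_swap(copied: str, clipboard_now: str) -> bool:
    """Flag the trace a BTC clipper leaves: the user copied one valid address
    and the clipboard now holds a different, also valid, address."""
    return is_btc_address(copied) and is_btc_address(clipboard_now) and copied != clipboard_now


# Constructed sample clipboard events (not from the article): (copied, observed later).
USER_ADDR = base58check_encode(0x00, b"\x11" * 20)      # hypothetical P2PKH address
ATTACKER_ADDR = base58check_encode(0x05, b"\x22" * 20)  # hypothetical P2SH address
SAMPLE_EVENTS = [
    (USER_ADDR, USER_ADDR),      # untouched -> not flagged
    (USER_ADDR, ATTACKER_ADDR),  # swapped -> flagged
    ("hello world", USER_ADDR),  # not an address to begin with -> not flagged
]
```

A real monitor would feed `detect_clipper_swap` with the text captured at copy time and the clipboard contents re-read shortly afterwards; bech32 (`bc1...`) addresses would need a separate validator.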
It’s worth mentioning that stealer developers frequently enhance their software, so future iterations of Skuld could have additional or different functionalities.
In summary, the presence of software like the Skuld stealer on devices can lead to severe privacy issues, financial losses, and identity theft.
Examples of stealer-type malware
We have analyzed numerous malware samples, including GreetingGhoul, PirateStealer, Bandit, and Warp, among others, which fall into the stealer category. Data-stealing software can target specific details or a wide range of information.
How did Skuld infiltrate my computer?
There is evidence suggesting that Skuld might be offered for sale in the future, and its distribution will depend on the cyber criminals using it at that time.
Malware such as stealers is typically spread through phishing and social engineering techniques. It often disguises itself as, or is bundled with, ordinary programs or media.
Infectious files can be in various formats, such as archives (ZIP, RAR, etc.), executables (.exe, .run, etc.), documents (Microsoft Office, Microsoft OneNote, PDF, etc.), JavaScript, and more. Opening a malicious file triggers the infection chain.
The most commonly used methods to distribute malware include drive-by (stealthy/deceptive) downloads, online scams, malicious attachments/links in spam mail (e.g., emails, PMs/DMs, SMSes, etc.), suspicious download channels (e.g., freeware and free file-hosting websites, P2P sharing networks, etc.), illegal software activation (“cracking”) tools, and fake updates.
Furthermore, some malicious programs can self-propagate through local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.).
How to avoid the installation of malware stealers?
We highly recommend downloading only from official and verified sources. Additionally, activate and update all programs using functions/tools provided by legitimate developers, as illegal activation tools (“cracks”) and fake updates can contain malware.
Another recommendation is to exercise caution while browsing since fake and malicious online content often appears ordinary and harmless. Stay vigilant when it comes to incoming emails and messages. We advise against opening attachments or clicking links in suspicious or irrelevant mail, as they can be malicious.
List of browsers targeted by Skuld stealer:
Chromium-based
Google Chrome, 7Star, Amigo, Brave, Catalina, CentBrowser, Chedot, Chrome (x86), Chrome SxS, CocCoc, Coowon, DCBrowser, Dragon, Edge, Elements, Epic Privacy Browser, Fenrir, Iridium, K-Melon, Kometa, Liebao, Maple, Maxthon, Opera, OperaGX, Orbitum, QIP Surf, Sputnik, Torch, Uran, Vivaldi, Yandex
Gecko-based
Mozilla Firefox, BlackHaw, Cyberfox, IceDragon, K-Meleon, Pale Moon, SeaMonkey, Thunderbird, Waterfox