👂Listen up, new malware strain tries to steal sensitive information.

Jun 15 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s getting ready to binge #BlackMirror season 6 👀

Today’s hottest cyber security stories:

  • Golang-based Skuld malware targets Windows PCs in Europe, SE Asia, USA

  • Another day, another WooCommerce Stripe vulnerability 🙄

  • Pirated Windows 10 ISOs install malware via EFI partitions. KARMA!

Golang!

For those of you who, like us, have a special place in your hearts for good old fashioned Windows PCs, listen up.

If you’re in Europe, Southeast Asia, or the U.S. of A., then please be on the lookout for a nasty new strain of Golang-based malware named Skuld.

FYI, Golang is a programming language, not a country lol. Sounds like a cute little island off the coast of Fiji, huh? Golangians: a gentle island race, untainted by the complications of the modern world.

Skuld is not easily Deathined 😂

Anyway, Skuld, which shares some DNA with publicly available stealers like Creal Stealer, Luna Grabber, and BlackCap Grabber (you know, the classics), is the handiwork of a developer who goes by the online alias Deathined (edgy af) on various social media platforms like GitHub, Twitter, Reddit, and Tumblr.

But don’t just take our word for it. Here’s what the experts have to say…

"This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho said in a Tuesday analysis.

"To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim's folders."

And that’s not all. It’s been spotted by Trellix in a Telegram group named deathinews (don’t cut yourself on the edge!), suggesting that these online avenues could be used to promote the offering in the future as a dreaded MaaS. That’s Malware-as-a-Service for all you Gone Phishing noobies 😉

Finally (yep, this one really is a sonuvabitch!), some samples of Skuld also incorporate a clipper module.

For those who don’t know, clippers sit in the background and sneakily alter clipboard content, stealing cryptocurrency assets by swapping the wallet addresses. The cybersecurity company theorised that the module is likely still in development.

So, you copy one of your wallet addresses but the clipper secretly swaps it for a wallet owned by the scammers so when you paste, it’s a different address than you copied.

Wouldn’t you notice it’s not right? Maybe not when wallet addresses are ever-changing long strings of letters and numbers.

Our advice: always memorise the last, say, three digits of the address and check they match when you paste. And when sending to a new address, we always send a small amount first to test it arrives safe and sound.
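The swap described above can also be spotted from a log of clipboard snapshots. This added example (not from Trellix or the newsletter) flags a wallet address replaced by a different one of the same kind within a second; the address patterns, the one-second threshold and the sample data are assumptions constructed for illustration.

```python
import re

# Loose address shapes (assumption: no checksum validation, three kinds only).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the kind of wallet address the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None

def find_swaps(snapshots, max_gap=1.0):
    """snapshots: (timestamp_seconds, clipboard_text) pairs in time order.

    Flags address -> different address of the same kind within max_gap
    seconds, which is faster than a person copies a second address.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if (kind is not None and kind == address_kind(after)
                and before.strip() != after.strip()
                and t1 - t0 <= max_gap):
            alerts.append((t1, kind, before.strip(), after.strip()))
    return alerts

# Constructed sample: not real wallet addresses.
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "a1" * 20),    # user copies an address
    (5.2, "0x" + "b2" * 20),    # replaced 0.2 s later: flagged
    (60.0, "0x" + "c3" * 20),   # changed a minute later: plausible user copy
]

if __name__ == "__main__":
    for when, kind, old, new in find_swaps(SAMPLE):
        print(f"{when:.1f}s {kind}: {old} -> {new}")
```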

Final warning

"Additionally, Golang's compiled nature lets malware authors produce binary executables that are more challenging to analyse and reverse engineer," Fernández Provecho noted.

"This makes it harder for security researchers and traditional anti-malware solutions to detect and mitigate these threats effectively."

Damn, son.

WooCommiserations are in order

Poor old WooCommerce and Stripe. They’ve had more patches than a patchwork quilt! Well, today’s another one.

This time, the WordPress plugin was found to be vulnerable to a bug that allows any unauthenticated user to view the details of orders placed through the plugin. So, kind of a big deal.

Bit of background: WooCommerce Stripe Payment is a payment gateway for WordPress e-commerce sites, which currently has 900,000 active installations.

It allows websites to accept payment methods such as Visa, MasterCard, American Express, Apple Pay, and Google Pay through Stripe's payment processing API.

The good news is Patchstack discovered and reported CVE-2023-34000 to the plugin vendor on April 17, 2023, and a patch with version 7.4.1 was released on May 30, 2023.

Yay!

If you run a WP store with this plugin, be sure to update pronto.

EFInghell!

Hard to feel quite so bad for the cheapskates grabbing Windows 10 via an illegal pirated ISO and then getting more than they bargained for via their EFI partitions.

But we still feel a bit bad. Nobody deserves to be the victim of cybercrime. No matter how cheap they are 😂

FYI, an ISO file is an exact copy of an entire optical disk such as a CD, DVD, or Blu-ray archived into a single file.

It’s like a snapshot, but one that actually contains, in this case, an entire operating system. Crazy, huh?

So, here’s the deets, peeps

Hackers are using torrents to distribute Windows 10, employing a technique that conceals cryptocurrency hijackers within the EFI (Extensible Firmware Interface) partition in order to avoid detection.

Boots on the ground!

The EFI partition serves as a small system partition that contains the bootloader and related files. It plays a crucial role in UEFI-powered systems, which have replaced the outdated BIOS.

Instances have been reported where attackers leverage modified EFI partitions to activate malware independently of the operating system and its defence tools, as seen in the case of BlackLotus. Sneaky!

However, the pirated Windows 10 ISOs discovered by researchers at Dr. Web simply utilise the EFI partition as a secure storage location for the clipper components.

Due to the limited scanning performed by standard antivirus tools on the EFI partition, the malware has the potential to evade detection.
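One way to look into that blind spot yourself, as an added example (not from Dr. Web or the newsletter): it walks an already-mounted EFI partition and lists Windows executables, on the assumption that only EFI images belong there. The mount path and the `fake_pe` helper are hypothetical, and hits are items to review, not verdicts.

```python
import os
import struct

# PE Subsystem values that mark firmware-level (EFI) images.
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver", 13: "EFI ROM"}

def pe_subsystem(data):
    """Return the PE Subsystem value, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)    # e_lfanew
    opt = pe_off + 4 + 20       # skip "PE\0\0" signature and COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 70:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        return None
    return struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both

def scan_esp(root):
    """Walk a mounted EFI partition; list PE files that are not EFI images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    subsystem = pe_subsystem(fh.read(4096))
            except OSError:
                continue
            # e.g. 2 (Windows GUI) or 3 (Windows console): an OS-level program
            if subsystem is not None and subsystem not in EFI_SUBSYSTEMS:
                findings.append((os.path.relpath(path, root), subsystem))
    return sorted(findings)

def fake_pe(subsystem):
    """Constructed minimal PE32+ header for testing; not a runnable image."""
    hdr = bytearray(0x40 + 4 + 20 + 72)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x20B)
    struct.pack_into("<H", hdr, 0x58 + 68, subsystem)
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    for rel, subsystem in scan_esp((sys.argv[1:] or ["."])[0]):
        print(f"review: {rel} (PE subsystem {subsystem})")
```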

It’s a jungle out there, folks!

So long and thanks for reading all the phish!
