Info stealer malware Skuld is targeting Windows PCs in the US

Threat actors and hackers are always developing new methods to infiltrate systems and gain unauthorized access. Now, according to a report from Trellix Advanced Research Center, hackers have developed a new Golang-based malware called Skuld, which is targeting and stealing information from Windows systems across Europe, Southeast Asia, and the United States.

While threat actors generally do not utilize Golang for developing malware, Skuld takes advantage of its simplicity and cross-platform compatibility to target a wide range of systems and extracts information using Discord’s webhooks, thus posing a significant threat to victims.

Similar to other info stealer malware

According to the researchers, Skuld, developed by a programmer named “Deathined,” is similar to other publicly available information stealers such as Creal Stealer, Luna Grabber, and BlackCap Grabber. But, since the malware is Golang-based, detecting it and implementing effective countermeasures is much more difficult.

Moreover, the fact that anyone can find Deathined on popular social media platforms like GitHub, Twitter, Reddit, and Tumblr raises serious concerns, as other malicious actors could also exploit the malware to compromise systems.

How does the malware work?

Once installed, Skuld first checks whether it is running within a virtual environment or not. It then extracts a list of running processes and terminates the ones that match its blocklist, thereby ensuring its survival. After completing this process, the malware presents victims with a fake error message, such as “Error code: Windows_0x988958 – Something has gone wrong.”

Now, if an unsuspecting user clicks on the “Ok” message, it triggers the execution of different modules within the malware, which collect and exfiltrate sensitive information from the victim’s system, including files found in a Windows user’s profile folder, such as Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive. Finally, the malware utilizes Discord webhooks and the Gofile upload service to send the stolen information back to the threat actor.

This incident once again highlights the increasing efforts of threat actors to infiltrate our systems. As a result, individuals and organizations must prioritize robust security practices, including regularly updating software and operating systems, using a trustworthy antivirus, refraining from downloading files from unknown sources, implementing strong passwords, and enabling two-factor authentication (2FA).