New Skuld Malware Targets Windows To Steal Data

Researchers have found new malware in the wild actively targeting Windows devices. Identified as “Skuld,” the Go-based malware aims to steal data stored in apps and web browsers, along with other files on Windows systems.

Skuld Malware Appears As A New Threat For Windows Users

According to a recent report from Trellix, numerous security researchers caught the newly identified “Skuld” malware actively compromising Windows systems.

Written in the Go programming language (Golang), Skuld typically functions as a data stealer. Upon reaching a target device, it pilfers stored files from the system and scans web browsers and other installed apps (like Discord) for stored information. Some malware samples also exhibited crypto-stealing functionality.

This extensive information-stealing capability owes to Golang, which lets malware creators build executables targeting various operating systems. Go-based malware is also relatively difficult to analyze and reverse engineer. Hence, neutralizing Go malware infections potentially requires more time for the security community.

Before executing its info-stealing functionality, the malware first checks the system for security measures to escape detection. That includes a VM check, which halts execution if a virtual machine is detected, and a process scan, which terminates the processes listed in its blocklist.

After that, it gathers data from Discord and web browsers, along with system information (including hardware details). It then transmits everything to the attacker via a Discord webhook and the Gofile upload service.
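A defender-side check for the two exfiltration channels described above, as an added example that is not taken from the Trellix report or this article. The log format, process names, allowlist and sample records are constructed assumptions; the rule flags POSTs to Discord webhook endpoints or Gofile hosts and raises severity when one process uses both.

```python
import re
from urllib.parse import urlsplit

# Constructed egress-proxy/EDR records (assumed format): time|process|method|url|bytes_out
SAMPLE_LOG = """\
2023-06-14T09:12:01Z|Discord.exe|POST|https://discord.com/api/v9/channels/111/messages|412
2023-06-14T09:12:07Z|chrome.exe|GET|https://gofile.io/d/AbCdEf|0
2023-06-14T09:13:44Z|updater.exe|POST|https://discord.com/api/webhooks/123456789012345678/EXAMPLE-TOKEN|58211
2023-06-14T09:13:49Z|updater.exe|POST|https://store1.gofile.io/uploadFile|9412250
2023-06-14T09:20:10Z|backup-bot.exe|POST|https://discordapp.com/api/webhooks/987654321098765432/EXAMPLE-TOKEN|300
"""

# Assumption: processes approved to post to webhooks in this environment.
WEBHOOK_ALLOWLIST = {"backup-bot.exe"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api(/v\d+)?/webhooks/\d+/[^/]+")

def classify(process, method, url):
    """Return 'discord-webhook', 'gofile-upload' or None for one request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if method.upper() != "POST":
        return None  # browsing or downloading is not an upload
    if host in WEBHOOK_HOSTS and WEBHOOK_PATH.match(parts.path):
        return None if process.lower() in WEBHOOK_ALLOWLIST else "discord-webhook"
    if host == "gofile.io" or host.endswith(".gofile.io"):
        return "gofile-upload"
    return None

def find_exfil_candidates(log_text):
    """Group hits per process; a process using both channels is high severity."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue  # skip malformed records
        ts, process, method, url, size = fields
        channel = classify(process, method, url)
        if channel:
            hits.setdefault(process, []).append((ts, channel, int(size) if size.isdigit() else 0))
    report = {}
    for process, events in hits.items():
        channels = {c for _, c, _ in events}
        report[process] = {"severity": "high" if len(channels) == 2 else "medium",
                           "channels": sorted(channels),
                           "bytes_out": sum(b for _, _, b in events)}
    return report

if __name__ == "__main__":
    print(find_exfil_candidates(SAMPLE_LOG))
```

Ordinary Discord client traffic and Gofile downloads are ignored because neither is a POST to a webhook path or a Gofile host; environments where users upload to Gofile legitimately would need their own allowlist.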

Besides data stealing, the malware exhibits clipper functionality, which lets Skuld steal cryptocurrency wallet addresses from the clipboard. It then helps the attacker steal money by swapping the copied wallet address with the attacker’s own.

For now, the exact identity of the threat actor behind Skuld remains unclear. Nonetheless, the researchers have traced the malware to a (presumed) developer with the alias “Deathined,” who keeps appearing briefly on various social media platforms.

Currently, the malware seems to be under active development and lacks numerous functionalities. But it will likely expand its operations after improvements, possibly emerging as a new for-sale threat on the dark web.
