Arcane Stealer Emerges
In a blog post published by Kaspersky, the firm's security researchers revealed the discovery of a new information-stealing malware called Arcane Stealer. The distribution method is fairly novel: the malware is spread through YouTube videos that promise users computer game cheats.
Researchers noted that the distribution campaign was active before it began deploying the new stealer. The videos were frequently accompanied by a link to an archive and a password to unlock it. Upon unpacking the archive, the user would invariably find a batch file, named simply start.bat, in the root folder and the UnRAR.exe utility in one of the subfolders.
Threat actors obfuscated the contents of the batch file, which served only to download another password-protected archive via PowerShell and unpack it with UnRAR.exe, passing the password embedded in the batch file as a command-line argument.
The payload downloaded via PowerShell would first use the reg.exe console utility to set the EnableWebContentEvaluation and SmartScreenEnabled registry values, disabling SmartScreen altogether so that the subsequent downloads would not be flagged, then download and install a cryptocurrency miner and an info stealer.
The initial stealer was Phemedrone Stealer, a malware written in C# designed to steal cookies, passwords, autofill data, and credit card details from web browsers. It can also grab sessions from popular platforms like Telegram, Steam, and Discord and steal files from infected systems.
By the end of 2024, threat actors behind the attack campaign had switched to using Arcane Stealer as the primary malware payload. Researchers noted that the Arcane Stealer discovered in this instance has very little to do with "Arcane Stealer V," another malware offered on the dark web since 2019.
The recently discovered Arcane Stealer shares features with other popular info stealers, but researchers could find no code overlap with any other family.
Deeper Dive into Arcane
Researchers noted that Arcane gets regular updates, so its code and capabilities change from version to version; what follows is the functionality common to the various modifications and builds observed. Arcane steals logins, passwords, credit card data, tokens, and other credentials from various Chromium- and Gecko-based browsers.
Further, the malware is also capable of stealing configuration files, settings, and account information from the following applications:
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
- Email clients: Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
As with other popular info stealers, Arcane also steals a treasure trove of system information, such as the OS version and installation date, digital key for system activation and license verification, username and computer name, location, information about the CPU, memory, graphics card, drives, network and USB devices, installed anti-malware applications, and installed browsers.
Arcane can also take screenshots of the infected device, obtain lists of running processes and Wi-Fi networks saved in the OS, and retrieve the passwords for those networks.
Security researchers noted that Arcane's method of stealing data from browsers deserved special mention.
Researchers stated,
Most browsers generate unique keys for encrypting sensitive data they store, such as logins, passwords, cookies, etc. Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers. But Arcane also contains an executable file of the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched covertly, and the stealer obtains all the keys it needs from its console output.
The malware takes a few extra steps to steal cookies. These include extracting cookies from Chromium-based browsers through a debug port. To do this, the malware secretly launches a copy of the browser with the "remote-debugging-port" argument, then connects to the debug port, issues commands to visit several sites, and requests their cookies.
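To show how the behaviours described above (the start.bat chain disabling SmartScreen through reg.exe and unpacking with UnRAR.exe, and the stealer's hidden browser launch with a remote debugging port) would surface in endpoint telemetry, the following Python is an added detection example written for this article; it is not code from Kaspersky, from PCrisk, or from the malware. It runs three rules over constructed Sysmon-style process-creation events. The event contents, file paths, port number and the password are invented; the registry locations under HKCU\...\AppHost and HKLM\...\Explorer are the documented Windows locations for those two values and are assumed here to be the ones the script wrote.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events, shaped like the fields of a Sysmon
# Event ID 1 record. They are invented to exercise the rules and are not
# telemetry from the campaign Kaspersky described.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # stage 1: the start.bat-driven chain disables SmartScreen via reg.exe
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f",
    },
    {
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v SmartScreenEnabled /t REG_SZ /d Off /f",
    },
    {   # stage 2: the dropped UnRAR.exe unpacks the next archive with an embedded password
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Users\victim\Downloads\cheat\tools\UnRAR.exe",
        "cmdline": r"UnRAR.exe x -pHypotheticalPass123 -y stage2.rar C:\Users\victim\AppData\Local\Temp",
    },
    {   # stage 3: the stealer starts a hidden browser copy exposing a CDP debug port
        "parent": r"C:\Users\victim\AppData\Local\Temp\update.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r'"chrome.exe" --remote-debugging-port=9222 --headless --window-position=-32000,-32000',
    },
    {   # benign: the user opens Chrome from the desktop
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r'"chrome.exe" https://example.com',
    },
    {   # benign but noteworthy: a developer enables the debug port from a shell
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r"chrome.exe --remote-debugging-port=9222",
    },
    {   # benign: reg.exe reading, not writing, a SmartScreen value
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v SmartScreenEnabled",
    },
]

SMARTSCREEN_VALUES = {"smartscreenenabled", "enablewebcontentevaluation"}
DISABLED_DATA = {"0", "0x0", "off"}
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
# Parents from which a human (or a developer's shell) plausibly starts a browser.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

_REG_VALUE = re.compile(r"/v\s+(\S+)", re.IGNORECASE)
_REG_DATA = re.compile(r"/d\s+(\S+)", re.IGNORECASE)
_DEBUG_PORT = re.compile(r"--remote-debugging-port(?:=|\s+)(\d+)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def smartscreen_tamper(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """reg.exe 'add' that sets a SmartScreen value to a disabled state."""
    if _basename(ev["image"]) != "reg.exe":
        return None
    tokens = ev["cmdline"].split()
    if len(tokens) < 2 or tokens[1].lower() != "add":
        return None  # queries and other verbs do not change the setting
    value, data = _REG_VALUE.search(ev["cmdline"]), _REG_DATA.search(ev["cmdline"])
    if value and data and value.group(1).lower() in SMARTSCREEN_VALUES \
            and data.group(1).strip('"').lower() in DISABLED_DATA:
        return {"severity": "high",
                "detail": f"reg.exe sets {value.group(1)} to {data.group(1)} (SmartScreen disabled)"}
    return None


def unrar_embedded_password(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """UnRAR.exe run with a -p<password> switch, i.e. the password is in the command line."""
    if _basename(ev["image"]) != "unrar.exe":
        return None
    for tok in ev["cmdline"].split()[1:]:
        # "-p-" means "no password" and a bare "-p" prompts; only -p<value> is of interest.
        if tok.lower().startswith("-p") and len(tok) > 2 and tok != "-p-":
            return {"severity": "medium",
                    "detail": "UnRAR.exe invoked with a password embedded in the command line"}
    return None


def browser_debug_port(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Chromium browser started with --remote-debugging-port; graded by who launched it."""
    if _basename(ev["image"]) not in CHROMIUM_BROWSERS:
        return None
    m = _DEBUG_PORT.search(ev["cmdline"])
    if not m:
        return None
    parent = _basename(ev["parent"])
    if parent in INTERACTIVE_PARENTS:
        return {"severity": "low",
                "detail": f"debug port {m.group(1)} enabled from {parent} (likely developer use)"}
    return {"severity": "high",
            "detail": f"debug port {m.group(1)} enabled by non-interactive parent {parent}"}


RULES = {
    "smartscreen_tamper": smartscreen_tamper,
    "unrar_embedded_password": unrar_embedded_password,
    "browser_debug_port": browser_debug_port,
}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply every rule to every event; return one finding per rule hit."""
    findings: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            hit = rule(ev)
            if hit:
                findings.append({"event": i, "rule": name, **hit})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] event {f['event']}: {f['rule']}: {f['detail']}")
```

Run on the constructed events, the scan flags the two reg.exe writes, the UnRAR.exe unpack, and the browser launched by a non-interactive parent as high or medium, grades the developer's own debug-port launch as low, and ignores the plain browser start and the reg.exe query. In production the same three rules would read Sysmon Event ID 1 or Windows 4688 records instead of the inline list, and the browser rule would usually be combined with a check on whether the same process later connects to 127.0.0.1 on that port.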
Since Arcane Stealer's discovery, threat actors have modified the distribution pattern from promoting computer game cheats to advertising ArcanaLoader on their YouTube channels. ArcanaLoader is advertised as a loader with a graphical user interface for downloading and running the most popular cracks, cheats, and similar software.
The links under the videos purport to lead to ArcanaLoader but in fact deliver only the files the threat actor needs to download and install Arcane Stealer. Currently, the campaign appears to target only Russian speakers, as the Discord server set up to promote the loader is entirely in Russian. Kaspersky telemetry confirms that most victims were in Russia, Belarus, and Kazakhstan.
Researchers concluded,
Attackers have been using cheats and cracks as a popular trick to spread all sorts of malware for years, and they’ll probably keep doing so. What’s interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating their tools and the methods of distributing them. Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want. To stay safe from these threats, we suggest being wary of ads for shady software like cheats and cracks, avoiding links from unfamiliar bloggers, and using strong security software to detect and disarm rapidly evolving malware.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.