
YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane, which may target Russian-speaking users.
“What intrigues us about this malware is how much it collects,” Kaspersky said in its analysis. “It gets account information from VPN and gaming clients, as well as from all kinds of network utilities like Ngrok, Playit, Cyberduck, FileZilla, DynDNS, and more.”
The attack chain involves sharing, in YouTube videos, a link to a password-protected archive. When opened and unpacked, the archive contains a start.bat batch file that is responsible for retrieving another archive via PowerShell.
The batch file uses PowerShell to launch two executables embedded within the newly downloaded archive, while also disabling Windows SmartScreen protections and adding every drive root folder to the filter exceptions.

Of the two binaries, one is a cryptocurrency miner and the other is a stealer called VGS, a variant of the Phemedrone Stealer malware. As of November 2024, the attacks are known to have replaced VGS with Arcane.
“Many of them were borrowed from other stealers, but it could not be attributed to any of the known families,” the Russian cybersecurity company said.
In addition to stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers, Arcane is equipped to collect comprehensive system data and to harvest configuration files, settings, and account information from several apps, such as:
VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
Email client: Microsoft Outlook
Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, and various Minecraft clients
Cryptocurrency wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi

Additionally, Arcane is designed to take screenshots of infected devices, enumerate the running processes, and list saved Wi-Fi networks and their passwords.
“Most browsers generate unique keys to encrypt sensitive data they store, such as logins, passwords, cookies, and more,” says Kaspersky. “Arcane uses the Data Protection API (DPAPI) to get these keys, which is typical of stealers.”

“However, Arcane also includes an executable for the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk, secretly launched, and the stealer gets all the keys it needs from the console output.”
In addition to that functionality, the stealer malware implements a separate method for extracting cookies from Chromium-based browsers, launching a copy of the browser via the debug port.
The unidentified threat actors behind the operation have since expanded their offering to include a loader named ArcanaLoader, which purports to download game cheats but delivers the stealer malware instead. Russia, Belarus, and Kazakhstan have emerged as the major targets of the campaign.
“What’s interesting about this particular campaign is that it shows how flexible cybercriminals are, constantly updating their tools and how they are distributed,” says Kaspersky. “And the Arcane stealer itself is appealing because of all the different data it collects and the tricks it uses to extract the information the attacker wants.”
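As an added defender-side illustration (not code from the page or from Kaspersky), the script below classifies constructed process-creation events for three behaviours described in this article: a PowerShell command adding drive roots to Microsoft Defender exclusions via Add-MpPreference, SmartScreen being turned off through the SmartScreenEnabled registry value, and a Chromium browser launched with --remote-debugging-port by a parent that is not the user's shell. The exact commands, registry path, and event format are assumptions; the page only describes the behaviours, not how they are implemented.

```python
import re

# Constructed sample process-creation events (not real telemetry; shape is an assumption).
SAMPLE_EVENTS = [
    {"pid": 101, "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"pid": 102, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Add-MpPreference -ExclusionPath C:\\, D:\\"'},
    {"pid": 103, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows'
                '\\CurrentVersion\\Explorer -Name SmartScreenEnabled -Value Off"'},
    {"pid": 104, "parent": "stealer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222 "
                "--user-data-dir=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"},
]

# A bare drive root such as C:\ followed by a separator or end of string,
# as opposed to C:\Users\... which is an ordinary path.
DRIVE_ROOT = re.compile(r"(?<![\w\\])[A-Za-z]:\\(?=[\s,'\"]|$)")
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
USER_SHELLS = {"explorer.exe"}  # assumed benign parent for a browser launch


def classify(event):
    """Return the detection labels that apply to one process event."""
    cmd = event["cmdline"]
    lowered = cmd.lower()
    hits = []
    # Drive-root exclusion: the page describes every drive root being excepted.
    if ("add-mppreference" in lowered and "exclusionpath" in lowered
            and DRIVE_ROOT.search(cmd)):
        hits.append("defender-exclusion-drive-root")
    # SmartScreen turned off via its registry value (assumed mechanism).
    if "smartscreenenabled" in lowered and re.search(r"\boff\b", lowered):
        hits.append("smartscreen-disabled")
    # Browser started with a remote debugging port by a non-shell parent,
    # the launch pattern used to pull cookies over the debug interface.
    if (event["image"].lower() in BROWSERS
            and "--remote-debugging-port" in lowered
            and event["parent"].lower() not in USER_SHELLS):
        hits.append("browser-remote-debugging-nonuser-parent")
    return hits


def scan(events):
    """Map pid -> labels for every event that triggers at least one detection."""
    return {e["pid"]: labels for e in events if (labels := classify(e))}
```
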