YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane likely targeting Russian-speaking users.
“What’s intriguing about this malware is how much it collects,” Kaspersky said in an analysis. “It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla, and DynDNS.”
The attack chains involve sharing links to a password-protected archive on YouTube videos, which, when opened, unpacks a start.bat batch file that’s responsible for retrieving another archive file via PowerShell.
The batch file then utilizes PowerShell to launch two executables embedded within the newly downloaded archive, while also disabling Windows SmartScreen protections and every drive root folder to SmartScreen filter exceptions.
Of the two binaries, one is a cryptocurrency miner and the other is a stealer dubbed VGS that’s a variant of the Phemedrone Stealer malware. As of November 2024, the attacks have been found to replace VGS with Arcane.
“Although much of it was borrowed from other stealers, we could not attribute it to any of the known families,” the Russian cybersecurity company noted.
Besides stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers, Arcane is equipped to harvest comprehensive system data as well as configuration files, settings, and account information from several apps such as follows –
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
- Email clients: Microsoft Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, and various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi
Furthermore, Arcane is designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks and their passwords.
“Most browsers generate unique keys for encrypting sensitive data they store, such as logins, passwords, cookies, etc.,” Kaspersky said. “Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers.”
“But Arcane also contains an executable file of the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched covertly, and the stealer obtains all the keys it needs from its console output.”
Adding to its capabilities, the stealer malware implements a separate method for extracting cookies from Chromium-based browsers launching a copy of the browser through a debug port.
The unidentified threat actors behind the operation have since expanded their offerings to include a loader named ArcanaLoader that’s ostensibly meant to download game cheats, but delivers the stealer malware instead. Russia, Belarus, and Kazakhstan have emerged as the primary targets of the campaign.
“What’s interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating their tools and the methods of distributing them,” Kasperksy said. “Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want.”
