YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane, likely targeting Russian-speaking users.
"What's intriguing about this malware is how much it collects," Kaspersky said in an analysis. "It grabs account information from VPN and gaming clients, and all sorts of network utilities like ngrok, Playit, Cyberduck, FileZilla, and DynDNS."
The attack chain involves sharing links to a password-protected archive in YouTube videos which, when opened, unpacks a start.bat batch file that is responsible for retrieving a second archive via PowerShell.
The batch file then uses PowerShell to launch two executables embedded within the newly downloaded archive, while also disabling Windows SmartScreen protections and adding every drive's root folder to the SmartScreen filter exceptions.
Of the two binaries, one is a cryptocurrency miner and the other is a stealer dubbed VGS, a variant of the Phemedrone Stealer malware. As of November 2024, the attacks have been found to replace VGS with Arcane.
"Although much of it was borrowed from other stealers, we could not attribute it to any known family," the Russian cybersecurity company said.
In addition to stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers, Arcane is equipped to harvest comprehensive system data as well as configuration files, settings, and account information from a wide range of apps, including the following:
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
- Email client: Microsoft Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (formerly Uplay), Roblox, Battle.net, and various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi
Arcane is also designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks along with their passwords.
"Most browsers generate unique keys to encrypt the sensitive data they store, such as logins, passwords, cookies, etc.," Kaspersky said. "Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers."
"But Arcane also contains an executable file for the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched covertly, and the stealer obtains all the keys it needs from the utility's console output."
Further adding to its capabilities, the stealer implements a separate method to extract cookies from Chromium-based browsers: it launches a copy of the browser with a debug port open.
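Two behaviours in this article are visible in process-creation telemetry: the batch stage that disables SmartScreen and adds drive-root filter exceptions, and the cookie-theft stage that launches a copy of a Chromium browser with a debug port. The following is an added detection example written for this page; it is not Kaspersky's code or the malware's. It assumes the exceptions are added with the Windows Defender `Add-MpPreference -ExclusionPath` cmdlet and SmartScreen is turned off through the `EnableSmartScreen` policy value (the article does not say which mechanism the batch file uses), and that the browser is started with Chrome's `--remote-debugging-port` switch. The events, field names, the `update.exe` parent and all paths are constructed samples.

```python
"""Flag the three behaviours described above in Sysmon-style process-creation
events. Added example for this article; field names are assumed, events are
constructed (not real telemetry)."""
import json
import re

# Constructed sample events: one benign browser start, then three suspicious.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"pid": 4212, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath C:\, D:\"'},
    {"pid": 4220, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f'},
    {"pid": 4301, "parent_image": r"C:\Users\user\AppData\Local\Temp\update.exe",  # placeholder parent
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe --remote-debugging-port=9222"},
]

# A drive root is a letter, a colon and optionally a backslash, followed by a
# delimiter or end of string ("C:\Temp" must not match, "C:\" and "D:" must).
DRIVE_ROOT = re.compile(r'\b[A-Za-z]:\\?(?=[\s,"\']|$)')
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
EXPECTED_BROWSER_PARENTS = BROWSERS + ("explorer.exe",)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(event: dict) -> list:
    """Return (rule_name, detail) findings for one process-creation event."""
    findings = []
    cmd = event.get("cmdline", "")
    low = cmd.lower()

    # Rule 1: Defender exclusion covering an entire drive root, which would
    # whitelist anything later dropped anywhere on that drive.
    if "add-mppreference" in low and "-exclusionpath" in low:
        roots = DRIVE_ROOT.findall(cmd)
        if roots:
            findings.append(("defender_drive_root_exclusion", ",".join(roots)))

    # Rule 2: SmartScreen policy value set to 0 (disabled) via reg.exe.
    if "enablesmartscreen" in low and re.search(r"/d\s+0\b", low):
        findings.append(("smartscreen_policy_disabled", "EnableSmartScreen=0"))

    # Rule 3: a Chromium browser started with a remote debugging port by a
    # parent that is neither the shell nor another browser instance. Tune the
    # parent allow-list for developer hosts where IDEs legitimately do this.
    parent = _basename(event.get("parent_image", ""))
    if (_basename(event.get("image", "")) in BROWSERS
            and "--remote-debugging-port" in low
            and parent not in EXPECTED_BROWSER_PARENTS):
        findings.append(("browser_remote_debug_from_unusual_parent", parent))

    return findings


def scan(events: list) -> list:
    """Run every rule over a list of events; returns (pid, rule, detail) tuples."""
    return [(e["pid"], rule, detail) for e in events for rule, detail in detect(e)]


if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(json.dumps({"pid": pid, "rule": rule, "detail": detail}))
```

The three rules are independent, so a single event that both adds an exclusion and disables SmartScreen produces two findings; correlating them by parent process within a short window is what raises confidence that a loader like the one described here is running rather than an administrator tuning a build machine.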
The unknown threat actors behind the operation have since expanded their offerings to include a loader, named ArcanaLoader, that purports to download game cheats but distributes the stealer malware instead. Russia, Belarus, and Kazakhstan have emerged as the primary targets of the campaign.
"What's interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating their tools and their methods of distributing them," Kaspersky said. "Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want."