Arcane Stealer Malware
Cybercriminals are leveraging YouTube videos that promote game cheats to distribute a newly identified malware called Arcane. This stealer malware primarily targets Russian-speaking users and is capable of gathering an extensive range of sensitive data from compromised systems.
How Arcane Spreads
The attack begins with links embedded in YouTube videos that lead unsuspecting users to password-protected archives. Once extracted, these archives contain a start.bat batch file, which uses PowerShell to download and execute additional files. During this process, Windows SmartScreen protection is disabled to evade security measures.
The batch script deploys two key components: a cryptocurrency miner and a stealer. Initially, the stealer was identified as VGS, a variant of the Phemedrone Stealer, but by November 2024 the attackers had switched to Arcane. While Arcane borrows elements from other stealers, researchers have not linked it to any specific malware family.
The Data Arcane Steals
Arcane is designed to extract a wide variety of sensitive information, including login credentials, passwords, credit card details and cookies stored in both Chromium- and Gecko-based browsers. It also gathers system data. The malware extracts configuration files, settings, and account details from a wide range of applications, including:
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
- Email clients: Microsoft Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (formerly Uplay), Roblox, Battle.net, various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
Beyond standard credential theft, Arcane employs sophisticated techniques to enhance data collection. It utilizes the Data Protection API (DPAPI) to extract encryption keys used by browsers to secure stored passwords and cookies. Additionally, it executes a hidden instance of the Xaitax utility to crack these encryption keys, ensuring full access to stored credentials. To extract authentication cookies from Chromium-based browsers, it launches a copy of the browser through a debug port, bypassing traditional security barriers.
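As an added, defender-side example that is not part of the original write-up: a small Python checker that flags, in constructed Sysmon-style process-creation records, two of the behaviours described above (SmartScreen being switched off from a script, and a Chromium-based browser started with a remote-debugging port by a parent that is not the user's shell). The field names, the assumed `SmartScreenEnabled` registry value under the Explorer key, and the sample command lines are illustrative assumptions, not telemetry from this campaign.

```python
import ntpath
import re

# Constructed sample events with Sysmon EID 1-style fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -NoP -W Hidden Set-ItemProperty -Path "
                    "'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer' "
                    "-Name SmartScreenEnabled -Value Off"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\upd.exe",  # assumed dropper name
     "CommandLine": "chrome.exe --remote-debugging-port=9222 --headless "
                    "--user-data-dir=C:\\Users\\user\\AppData\\Local\\Temp\\p"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},  # benign launch
]

# Chromium-based browser binaries we care about (extend for your estate).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
SMARTSCREEN_OFF = re.compile(r"SmartScreenEnabled.{0,40}\bOff\b", re.I)
REMOTE_DEBUG = re.compile(r"--remote-debugging-port=\d+", re.I)


def basename(path: str) -> str:
    """Windows-style basename that works on any host OS."""
    return ntpath.basename(path).lower()


def hits(event: dict) -> list:
    """Return the names of the rules that one process-creation event matches."""
    cmd = event.get("CommandLine", "")
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    found = []
    # Rule 1: a script or shell turning SmartScreen off via the registry value.
    if SMARTSCREEN_OFF.search(cmd):
        found.append("smartscreen_disabled")
    # Rule 2: a browser launched with a debug port by something other than the
    # interactive shell, which matches the cookie-extraction step described above.
    if image in BROWSERS and REMOTE_DEBUG.search(cmd) and parent != "explorer.exe":
        found.append("browser_remote_debug")
    return found


def scan(events: list) -> list:
    """Run every rule over every event; yields (rule, image, parent) tuples."""
    return [(rule, basename(e["Image"]), basename(e["ParentImage"]))
            for e in events for rule in hits(e)]
```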
The Emergence of ArcanaLoader
In a further evolution of their tactics, the attackers have introduced ArcanaLoader, a malicious tool disguised as software for downloading game cheats. Instead of cheats, the tool deploys Arcane, further expanding the malware’s reach. The campaign primarily targets users in Russia, Belarus and Kazakhstan.
A Rapidly Adapting Cyber Threat
The Arcane malware campaign highlights the adaptability of cybercriminals who continuously refine their attack methods. Arcane stands out due to its extensive data collection capabilities and advanced techniques for extracting encrypted information. This operation serves as a reminder that even seemingly harmless game cheat downloads can be a gateway to severe security threats.