
Arcane Stealer V and its Maker

In July 2019, the Fidelis Threat Research Team (TRT) acquired and began analyzing a sample of Arcane Stealer V. Arcane Stealer V is a .NET information-stealing malware that is inexpensive and easy to acquire, and it does not restrict its operation or infections by geography or location, as other malware strains are known to do. Data collected and exfiltrated after a successful infection includes operating system details, browser data, cryptocurrency wallets and instant messaging sessions. In early August, during the analysis of Arcane Stealer V, TRT identified multiple instant messenger and social media accounts associated with a Russian-language actor who may be involved in building and distributing Arcane Stealer V.

Based on preliminary observation and analysis, Arcane Stealer V will likely remain a popular tool among lower-skilled adversaries but may not be as popular with more sophisticated actors such as advanced persistent threats (APTs). Cracked versions are available for download on multiple community discussion and file-sharing platforms, such as gaming forums and Mega.nz.

The actor associated with the malware appears to be a native Russian speaker; however, it is unclear whether the actor is currently located in Russia. The actor's information stealer does not appear to limit potential targets: analysts observed that the malware is capable of targeting Russian sites as well.

Key Judgements:

  • Arcane Stealer V is a relatively inexpensive and easily accessible malware
  • Because of the malware's low cost, it may increase in popularity, increasing its threat
  • We assess with moderate confidence that the attributed actor is a low-level threat

The Malware
Arcane Stealer is a .NET information stealer. The malware is sold as a graphical user interface (GUI) build, or buyers can purchase the source code, which makes it easy for actors with novice skills to deploy. It sells for 699 rubles, or approximately 9 US dollars. Support is also available on Telegram, along with other "helpful" bots.


Figure 1: Bot Support

The actor has published dashboards and statistics that showcase the number of sales and the likely geographic locations of purchasers.


Figure 2: Sales of Arcane Stealer

When run, the file collects data, takes a screenshot and then writes a text log file describing what was collected. It stores all of the information in a folder under %appdata%/local/{hwid}/.


Figure 3: Log Information File

It uses the hardware ID (HWID) that the malware generates as both the folder name and the name of the zip archive.


Figure 4: HWID

The folder also contains a zip archive and a sub-folder holding all of the collected data. After it runs and collects the information, the malware contacts the command and control (C2) server and sends the zip archive (see the Networking section). Although the file has the ability to delete itself after running, it remained on the system during analysis and no further activity was observed.


Figure 5: Folder Contents

The information stealer can collect passwords, cookies and form data from the following browsers: Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex. It stores the data in %appdata%/local/{hwid}/Browsers.


Figure 6: Stored Web Data
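The staging layout described above (a folder named after the generated HWID that holds a zip archive of the same name, a Browsers sub-folder and a text log) is something a responder can hunt for on disk. The following triage helper is an added example, not code from the original report or from the malware author: it scores each sub-folder of a given root against that layout, opens any matching zip to look for the member names the report's YARA rule quotes (Browsers\Passwords.txt, Accounts.txt, pidgin.txt), and builds a constructed sample tree in a temporary directory so it can be run offline. The HWID pattern, the score threshold and the log file name used in the sample are assumptions.

```python
"""Triage helper for the on-disk staging folder described in the report.

Added example (not the report's or the malware author's code).  Looks for:
  <root>/<hwid>/<hwid>.zip, <root>/<hwid>/Browsers/Passwords.txt and a text
  log, and scores each candidate folder.  Run against %LOCALAPPDATA% on a
  suspect host, or run as-is to scan the constructed sample tree.
"""
import os
import re
import tempfile
import zipfile

# Member/file names quoted in the report and its YARA rule.
KNOWN_FILES = {"Browsers/Passwords.txt", "Accounts.txt", "pidgin.txt"}
# Assumption: the generated HWID is a run of 8+ alphanumeric characters.
HWID_RE = re.compile(r"^[A-Za-z0-9]{8,}$")
REPORT_THRESHOLD = 2  # assumption: two independent indicators before reporting


def score_folder(path):
    """Return (score, reasons) for one candidate folder."""
    name = os.path.basename(path.rstrip("\\/"))
    score, reasons = 0, []
    if not HWID_RE.match(name):
        return 0, reasons
    zip_path = os.path.join(path, name + ".zip")
    if os.path.isfile(zip_path):
        score += 1
        reasons.append("zip archive named after the folder")
        try:
            with zipfile.ZipFile(zip_path) as zf:
                members = {m.replace("\\", "/") for m in zf.namelist()}
            hits = sorted(m for m in members
                          if any(m.endswith(k) for k in KNOWN_FILES))
            if hits:
                score += 1
                reasons.append("zip contains " + ", ".join(hits))
        except zipfile.BadZipFile:
            reasons.append("zip archive unreadable")
    if os.path.isfile(os.path.join(path, "Browsers", "Passwords.txt")):
        score += 1
        reasons.append("Browsers/Passwords.txt present")
    entries = os.listdir(path)
    if any(e.lower().endswith(".txt") for e in entries):
        score += 1
        reasons.append("text log in folder")
    if any(e.lower().endswith((".png", ".jpg", ".bmp")) for e in entries):
        score += 1
        reasons.append("screenshot image in folder")
    return score, reasons


def find_staging_folders(root):
    """Scan the immediate sub-folders of root; return [(name, score, reasons)]
    for every folder whose score reaches REPORT_THRESHOLD."""
    found = []
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if not os.path.isdir(path):
            continue
        score, reasons = score_folder(path)
        if score >= REPORT_THRESHOLD:
            found.append((entry, score, reasons))
    return found


def demo():
    """Build a constructed sample tree in a temp dir, scan it and return the
    findings.  Nothing here is taken from a real infection."""
    with tempfile.TemporaryDirectory() as root:
        hwid = "A1B2C3D4E5F6"  # constructed; not a real HWID
        staged = os.path.join(root, hwid)
        os.makedirs(os.path.join(staged, "Browsers"))
        with open(os.path.join(staged, "Browsers", "Passwords.txt"), "w") as f:
            f.write("constructed sample\n")
        with open(os.path.join(staged, "Information.txt"), "w") as f:  # assumed log name
            f.write("constructed log\n")
        with zipfile.ZipFile(os.path.join(staged, hwid + ".zip"), "w") as zf:
            zf.writestr("Browsers/Passwords.txt", "constructed sample\n")
            zf.writestr("Accounts.txt", "constructed sample\n")
        # A benign folder that must not be reported.
        os.makedirs(os.path.join(root, "Microsoft", "Windows"))
        return find_staging_folders(root)


if __name__ == "__main__":
    for name, score, reasons in demo():
        print(f"{name}: score {score} ({'; '.join(reasons)})")
```

The zip inspection matters more than the folder name: a folder-name regex alone will match plenty of legitimate vendor directories, which is why the benign "Microsoft" folder in the sample scores zero.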

The malware also collects files with the following extensions: .txt, .doc, .docx and .log. It looks for these extensions in the desktop, railway, drives and documents folders.


Figure 7: Take Files

It also attempts to collect stored FileZilla server data.


Figure 8: FileZilla

The malware also steals cryptocurrency wallet files ("wallet.dat") for btc, electrum, ltc, eth, bcn, DSH, XMR and ZEC.


Figure 9: Crypto

Telegram, Discord and Pidgin sessions are also collected.


Figure 10: Pidgin

The file contains a base64-encoded mutex.


Figure 11: Mutex

The malware uses "IPLogger.org" to track and log the IP addresses of hosts on which it detects a virtual machine.

Figure 12: Track VMs

The stealer also collects Steam Community data (Steam is a gaming platform with a social network component).

Figure 13: Steam Data

The log information file is a text file that records the stealer version and the number of passwords, cookies and forms collected.


Figure 14: Stealer Information

The log file also records the operating system, screen resolution, the active user account, the date and time, and how long the malware ran.


Figure 15: Windows Version

Networking:
The operator can either have logs forwarded to Telegram via an upload to the C2 server, or modify the code to use their own network infrastructure. When the default method is used to send the exfiltrated data to Telegram, the malware makes two POST requests.
The first POST sends the hardware ID (HWID) and other information as a string to the C2.


Figure 16: POST String

The second POST exfiltrates the stolen data as a zip archive. The zip archive is named after the HWID.


Figure 17: POST

After the POST, the server responds with "Use Version php 7.0/7.2".

Figure 18: Response

It appeared that the malware developer had not updated the server-side PHP version and the site was experiencing issues; however, at the time of analysis the site's directory index could still be viewed.
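The two-POST sequence gives a network defender something concrete to look for: a small POST (the HWID string) followed within seconds by a much larger POST (the zip upload) from the same client to the same host, in addition to any contact with the C2 hosts listed in Appendix I. The detector below is an added example, not code from the original report; it runs over constructed proxy log lines. The log format, the 60-second window and the 10,000-byte upload threshold are assumptions.

```python
"""Proxy-log detection for the two-POST exfiltration pattern (added example,
not the report's code).  Flags (1) any request to a host from the report's
IOC list and (2) a small POST followed shortly by a large POST from one
client to one host.  Log format: "timestamp client method host path bytes".
"""
from collections import defaultdict
from datetime import datetime

# Domains from the report's IOC list (Appendix I), de-fanging removed.
C2_HOSTS = {"arc.h-s.site", "arcane.es3n.in", "sw1.k1.com.ua", "sex-wife.info"}

# Constructed sample log lines; not from a real capture.
SAMPLE_LOG = """\
2019-08-01T10:00:01 10.0.0.5 GET www.example.com / 0
2019-08-01T10:00:02 10.0.0.5 POST sex-wife.info /arcane/recv.php 312
2019-08-01T10:00:04 10.0.0.5 POST sex-wife.info /arcane/recv.php 418217
2019-08-01T10:05:00 10.0.0.9 POST www.example.com /upload 500000
2019-08-01T10:06:00 10.0.0.7 GET arcane.es3n.in / 0
"""


def parse_line(line):
    """Split one log line into a record; host is lower-cased for matching."""
    ts, client, method, host, path, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "path": path, "bytes": int(sent)}


def detect(log_text, window_s=60, min_upload=10_000):
    """Return a list of alert strings for the log text."""
    alerts = []
    posts = defaultdict(list)  # (client, host) -> [(ts, bytes_sent)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] in C2_HOSTS:
            alerts.append(f"IOC hit: {rec['client']} {rec['method']} "
                          f"{rec['host']}{rec['path']}")
        if rec["method"] == "POST":
            posts[(rec["client"], rec["host"])].append((rec["ts"], rec["bytes"]))
    # Sequence check: small POST then large POST within the window.
    for (client, host), seq in posts.items():
        seq.sort()
        for (t1, b1), (t2, b2) in zip(seq, seq[1:]):
            gap = (t2 - t1).total_seconds()
            if b1 < min_upload <= b2 and gap <= window_s:
                alerts.append(f"exfil pattern: {client} -> {host} "
                              f"({b1} bytes then {b2} bytes, {int(gap)}s apart)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sequence check is what survives an operator changing the C2 (the report notes buyers can modify the networking code); the IOC match alone only catches the default infrastructure. Tune min_upload to the smallest zip you expect: a host with no browser data or wallets will produce a much smaller archive than the sample above.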

Figure 19: Index of Site

The Actor Behind the Malware:
During analysis, TRT analysts were able to identify the possible actor behind the malware, and accounts associated with him, from information left inside the payload.

The payload references "@arcanee_bot". Open-source research revealed both a Twitter account and a Telegram account under this name, and the activity on both confirms they are related to this malware. The Telegram support pages are https[://]t.me/ArcaneSupport and https[://]t.me/arcanee_bot.

The Telegram account belongs to a user named Sakari, who appears to be the main actor associated with this malware. The developer named in the payload is "@SakariHack".

Figure 20: Sakari Profile

This actor offers the malware for sale on the website http[://]sakarilogs.websell[.]org, as well as on the other forums mentioned above where he advertises. These can be reached on the regular internet or via Tor. He also advertises on lolzteam[.]net on the dark web.

Figure 21: Sakari on Darkweb

Sakari is active on a number of sites. One site lists his possible age and birthdate (February 4, 1998; age 21). On another forum (yougame[.]biz) he talks about having medical issues and being offline for a short time because of them. On the same forum, he advertises his malware.


Figure 22: Sakari on yougame.biz

Other possible aliases for Sakari are:

  • SEK1R
  • Кичкас

Possible location:

  • Karasuk

Also mentioned in the payload, and listed as support (see Figure 4 above), is the handle "@es3n1n". This handle can be found on both Twitter and Telegram.
Both the developer and support handles were found on yet another forum. The infostealer steals Steam Community credentials (Steam Community is the social side of the Steam gaming platform), and the handles mentioned in the malware can be found on that same site.

Figure 23: Aliases

Conclusion
Based on current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats. Because the malware lacked traversal, propagation or destructive capabilities at the time of analysis, we assess with moderate confidence that it is unlikely to become popular with high-value, highly capable actors. However, because buyers can purchase the source code, other threat actors may reuse the malware and create their own variants of Arcane V, as has happened with other popular malware families such as njRAT.

Arcane Stealer will most likely be delivered via phishing, so email vigilance and proper security awareness may help limit compromise by actors using it. The chart below illustrates the overall risk posed by the actor, Sakari, based on observed and assessed capability and intent using the TRT Adversary Threat Matrix.

Appendix I:

IOC
104.27.172.230 (arc.h-s[.]site)
104.27.173.230 (arc.h-s[.]site)
104.27.191.129 (arcane.es3n[.]in)
104.27.190.129 (arcane.es3n[.]in)
207.180.215.208 (Sw1.k1[.]com[.]ua/g.php)
91.223.123.252 (sex-wife[.]info/arcane/recv.php)

Yara
rule arcane_stealer
{
    meta:
        hash = "4917E296103AD1FF7A4AF440FACE8775"

    strings:
        $sig = "Arcane Stealer" wide nocase
        $cred = "filezilla" ascii wide nocase
        $cred2 = "discord" ascii wide nocase
        $cred3 = "bcoin" ascii wide nocase
        $cred4 = "\\Browsers\\Passwords.txt" nocase wide
        $cred5 = "pidgin" ascii wide nocase
        $cred6 = "telegram" ascii wide nocase
        $cred7 = "steam" ascii wide nocase
        $cred8 = "Accounts.txt" wide nocase
        $cred9 = "pidgin.txt" wide nocase
        $cookie = "\\Google\\Chrome\\User Data\\Default\\Cookies" nocase wide
        $cookie2 = "\\Opera Software\\Opera Stable\\Cookies" nocase wide
        $cookie3 = "\\Kometa\\User Data\\Default\\Cookies" nocase wide
        $cookie4 = "\\orbitum\\User Data\\Default\\Cookies" nocase wide
        $cookie5 = "\\Comodo\\Dragon\\User Data\\Default\\Cookies" nocase wide
        $cookie6 = "\\Amigo\\User\\User Data\\Default\\Cookies" nocase wide
        $cookie7 = "\\torch\\User\\User Data\\Default\\Cookies" nocase wide
        $wmi = "SELECT * FROM AntiVirusProduct" nocase wide
        $wmi2 = "SELECT * FROM Win32_Processor" nocase wide
        $wmi3 = "SELECT * FROM Win32_VideoController" nocase wide
        $wmi4 = "SELECT * FROM Win32_ComputerSystem" nocase wide
        $os = /Windows (7|8|10|Server)/ nocase wide
        $base64 = "VGtSbk0wMUVZek5QVkdNeA==" nocase wide
        $base642 = "VFVFOVBRPT0=" nocase wide
        $str = "monero" wide nocase
        $str2 = "ethereum" wide nocase
        $str3 = "bitcoincore" wide nocase
        $str4 = "wallet_path" wide nocase
        $str5 = "delete.bat" wide nocase
        $str6 = "epicgames.com;steamcommunity.com;store.steampowered.com;blizzard.com;battle.net" wide nocase
        $str7 = "Detected Virtual Machine" wide nocase
        $vm = "vmware" wide nocase
        $vm1 = "virtualbox" wide nocase

    condition:
        // new_file is an external variable supplied at scan time
        // (e.g. yara -d new_file=1 ...); define it, or drop the last term,
        // to use the rule outside the environment it was written for.
        uint16(0) == 0x5a4d and $sig and 7 of ($cred*) and 4 of ($cookie*) and
        2 of ($wmi*) and $os and any of ($base64*) and 4 of ($str*) and
        any of ($vm*) and new_file
}


Appendix II:
Assessment Writing Styles and Meanings
Confidence is a judgment based on three factors:

  1. Strength of knowledge base, to include the quality of the sources and our depth of understanding about the issue
  2. Number and importance of assumptions used to fill information gaps
  3. Strength of logic underpinning the argument, which encompasses the number and strength of analytic inferences as well as the rigor of the analytic methodology in the product

HIGH (green): Well-corroborated information from proven sources, minimal assumptions, and/or strong logical inferences
MODERATE (yellow): Partially corroborated information from good sources, several assumptions, and/or mixture of strong and weak inferences
LOW (red): Uncorroborated information from good or marginal sources, many assumptions, and/or mostly weak inferences

