The malware is spread through YouTube videos that promote game cheats and is probably aimed at Russian-speaking users.
“What is intriguing about this malware is how much it collects,” Kaspersky noted in its analysis. “It grabs information about VPN and gaming clients, as well as all kinds of network utilities such as ngrok, Playit, Cyberduck, FileZilla and DynDNS.”
The attack chain starts with a link to a password-protected archive shared in the YouTube video. When opened, the archive unpacks a batch file, bath.bat, which is responsible for retrieving a second archive via PowerShell.
The batch file then uses PowerShell to launch two executables embedded in the newly downloaded archive, after disabling Windows SmartScreen protections and adding the root folder of every drive to the SmartScreen filter exceptions.
Of the two binaries, one is a cryptocurrency miner and the other is a stealer called VGS, a variant of the Phemedrone Stealer. As of November 2024, the attacks were found to have replaced VGS with Arcane.
“Although most of it was borrowed from other stealers, we could not attribute it to any of the known families,” the Russian cybersecurity company said.
In addition to stealing login data, passwords, credit card data and other stored data from various Chromium- and Gecko-based browsers, Arcane is equipped to collect comprehensive system information, as well as configuration files, settings and account information from a number of applications, including the following:
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost and ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla and DynDNS
- Messaging applications: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber and Viber
- Email clients: Microsoft Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (formerly Uplay), Roblox, Battle.net and various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda and Coinomi
Arcane is also designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks together with their passwords.
“Most browsers generate unique keys to encrypt the sensitive data they store, such as logins, passwords, cookies, etc.,” Kaspersky said. “Arcane uses the Data Protection API (DPAPI) to obtain these keys, which is typical of stealers.”
“But Arcane also contains an executable of the Xaitax utility, which it uses to crack browser keys. To do this, the utility is dropped to disk and launched, and the stealer obtains all the keys it needs from the console output.”
On top of that, the stealer implements a separate method of extracting data from Chromium-based browsers: it launches a copy of the browser with its remote debugging interface enabled and reads the data through that channel rather than from the encrypted profile files.
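The two behaviours that stand out in the chain above, adding whole drive roots to the security exclusions while turning SmartScreen off, and starting a Chromium-based browser with a remote debugging port from a non-interactive parent, are both visible in process-creation telemetry. The following detection sketch is an added example, not code from Kaspersky's report or from the malware; the sample events are constructed, the exact PowerShell and registry commands are assumptions (the page does not publish the ones Arcane runs), and mapping the "root drive exceptions" to Defender's `Add-MpPreference -ExclusionPath` is likewise an assumption of this example.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style
# (image, parent image, command line). Illustrative only, not telemetry from
# the campaign; the exact commands Arcane runs are not published on the page.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"cmd.exe /c C:\Users\u\Downloads\cheat\bath.bat"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     # Assumed command: whole drive roots excluded, SmartScreen switched off via the registry.
     "cmd": ("powershell.exe -ep bypass -c \"Add-MpPreference -ExclusionPath 'C:\\','D:\\'; "
             "Set-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer' "
             "SmartScreenEnabled Off\"")},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\stealer.exe",   # hypothetical dropped stealer
     "cmd": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
             r'--remote-debugging-port=9222 '
             r'--user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"')},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}

# A drive root such as C:\ or D: followed by a quote, comma, separator or end of
# string, so that C:\Users\... does not match.
ROOT_DRIVE = re.compile(r"[A-Za-z]:\\?(?=['\",;\s]|$)")
MP_EXCLUSION = re.compile(r"(Add|Set)-MpPreference\b.*?-ExclusionPath\s+([^;]+)", re.I)
# Both registry values that turn SmartScreen off: Explorer\SmartScreenEnabled=Off
# and Policies\...\System\EnableSmartScreen=0.
SMARTSCREEN_OFF = re.compile(r"SmartScreenEnabled\W+Off\b|EnableSmartScreen\b[^;|&]*?\b0\b", re.I)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on non-Windows hosts too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_root_drive_exclusion(cmd: str) -> bool:
    """True if a Defender exclusion command adds an entire drive root to the exclusion list."""
    m = MP_EXCLUSION.search(cmd)
    return bool(m) and bool(ROOT_DRIVE.search(m.group(2)))


def is_smartscreen_disabled(cmd: str) -> bool:
    """True if the command line turns SmartScreen off through either known registry value."""
    return bool(SMARTSCREEN_OFF.search(cmd))


def is_browser_remote_debugging(event: dict) -> bool:
    """True if a Chromium-based browser is started with a remote debugging port."""
    return basename(event["image"]) in BROWSERS and "--remote-debugging-port" in event["cmd"].lower()


def scan(events):
    """Run all rules and return a list of (rule, parent_basename, cmd) findings in event order."""
    findings = []
    for ev in events:
        parent = basename(ev["parent"])
        if is_root_drive_exclusion(ev["cmd"]):
            findings.append(("defender_root_drive_exclusion", parent, ev["cmd"]))
        if is_smartscreen_disabled(ev["cmd"]):
            findings.append(("smartscreen_disabled", parent, ev["cmd"]))
        if is_browser_remote_debugging(ev):
            # A debug-port browser spawned by anything but the user's shell is the stronger signal.
            rule = "browser_remote_debugging" + ("" if parent == "explorer.exe" else "_unusual_parent")
            findings.append((rule, parent, ev["cmd"]))
    return findings


if __name__ == "__main__":
    for rule, parent, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] parent={parent} cmd={cmd}")
```

The debug-port rule is deliberately kept independent of the parent: developers and test harnesses start browsers with `--remote-debugging-port` too, so the parent name is attached as a severity hint rather than used as a filter, and whole-drive exclusions are flagged even when SmartScreen is left alone, since either change on its own is rarely legitimate on an end-user machine.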
The unknown threat actors behind the operation have since expanded their offering with a loader called ArcanaLoader, which purportedly downloads game cheats but instead delivers the stealer. Russia, Belarus and Kazakhstan have become the campaign's main targets.
“What is interesting about this particular campaign is that it illustrates how flexible cybercriminals are, always updating both their tools and the methods used to distribute them,” Kaspersky said. “Besides, the Arcane stealer itself is fascinating because of all the different data it collects and the tricks it uses to extract the information the attackers want.”