New Arcane Stealer Spreads via YouTube, Stealing VPN and Browser Login Credentials

A new malware campaign has been uncovered, involving a sophisticated stealer known as Arcane, which is distributed through YouTube videos promoting game cheats.

This campaign highlights the evolving tactics of cybercriminals, who continue to exploit popular platforms to spread malware.

The Arcane stealer is notable for its extensive data collection capabilities, targeting a wide range of applications including VPN clients, network utilities, and browsers.

Distribution and Functionality

The distribution method begins with YouTube videos that include links to password-protected archives.

Once unpacked, these archives contain a batch file that downloads additional malware components using PowerShell.

The batch file also disables Windows SmartScreen to evade detection by adding all drive roots to the SmartScreen filter exceptions and modifying registry keys to disable SmartScreen altogether.

The malware then launches executable files from the downloaded archive, which include a miner and the Arcane stealer itself.

Arcane is particularly adept at extracting sensitive information from various applications.

According to the SecureList Report, it targets VPN clients like OpenVPN, NordVPN, and ExpressVPN, as well as network utilities such as ngrok and FileZilla.

Additionally, it steals login credentials from browsers, including Chromium and Gecko-based browsers, using the Data Protection API (DPAPI) and an executable utility named Xaitax to crack browser encryption keys.

Arcane also secretly launches browsers with a remote-debugging-port argument to extract cookies from popular websites like Gmail and Steam.

ArcanaLoader and Target Audience

Following the discovery of Arcane, researchers observed a shift in distribution tactics with the introduction of ArcanaLoader.

This loader, advertised on YouTube channels, promises to download popular cracks and cheats but actually delivers malware.

The loader includes a link to a Discord server where users can access updates and support.

The attackers primarily target a Russian-speaking audience, as evidenced by the language used in their communications and the geographical distribution of victims, mainly in Russia, Belarus, and Kazakhstan.

The campaign underscores the adaptability of cybercriminals in using popular platforms to spread malware.

To protect against such threats, users should be cautious of suspicious software promotions and use robust security software to detect evolving malware.

The Arcane stealer’s ability to collect a broad spectrum of data makes it a significant threat, emphasizing the need for vigilance in online activities.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free