Arkei is an information-stealer, distributed as a malware as a service (MAAS). It collects sensitive information such as application passwords, credit card information, web browser cookies and can even download additional payloads from the C&C server. It also shares code with several other information stealers including Oski and Vidar.

Arkei Stealer’s main purpose is to collect passwords, cookies, auto-complete data, desktop files, machine data, installed software, etc. In 2021, Arkei’s authors extended its crypto wallet stealing capabilities, as well as the addition of anti-debugging and anti-emulation checks, to thwart its analysis and detection rates.

We analyzed a sample found by @James_inthe_box and created a complete list of the browsers and crypto browser wallets that Arkei Stealer tries to steal.

First, let’s talk about the evasion techniques this stealer performs. Arkei performs two well-known anti-debugger checks:

1. It calls ntdll!NtQueryInformationProcess with ProcessInformationClass set to 7 (ProcessDebugPort) – this call returns a DWORD value equal to 0xFFFFFFFF ( –1 in decimal) if the process is being debugged:

 

anti-debugger check

Figure 1 – NtQueryInformationProcess anti-debugger check

 

2. Timing check using kernel32!GetTickCount function – when debugging in a single-step mode, a lag occurs while running the executable. Arkei checks a timestamp and compares it to another one after a few instructions, to check for a delay:

 

timing anti-debugger check

Figure 2 Timing anti-debugger check

 

Arkei Stealer employs another evasion technique (akin to Vidar stealer’s anti–emulation technique), which checks the computer name and the username running the Arkei executable. The malicious process will terminate itself if the computer name is “”HAL9TH”” and the username is “”JohnDoe”” (which is the default computer name and default username respectively of the Windows Defender emulator):

 

anti-emulator check

Figure 3 Anti-emulator check

 

To learn more about how Minerva Labs can protect your business contact us. 

 

Arkei also checks if any of the following DLL’s are loaded into the process:

  • avghookx.dll – AVG Internet Security.
  • avghooka.dll – AVG Internet Security.
  • snxhk.dll – Avast Antivirus.
  • sbiedll.dll – Sandboxie.
  • api_log.dll – CWSandbox.
  • dir_watch.dll – iDefense SysAnalyzer.
  • pstorec.dll – SunBelt Sandbox.
  • vmcheck.dll – VirtualPC.
  • wpespy.dll – Sandbox.
  • cmdvrt32.dll – COMODO Internet Security.
  • cmdvrt64.dll – COMODO Internet Security.

This stealer will terminate itself if the language identifier of the Region Format setting of the current user is one of the following:

  • 43Fh – Kazah
  • 443h – Uzbek – Latin
  • 419h – Russian
  • 82Ch – Azeri-Cyrillic
  • 423h – Belarusian

This might indicate that the author comes from one of the above countries where it is a common technique, used in order to not draw the attention of the local authorities.

If all the above checks pass successfully, the malware will continue its intended purpose.

Arkei steals passwords, cookies, and autofill information from the following 32 web browsers:

Google Chrome Chromium
Microsoft Edge Kometa
Amigo Torch
Orbitum Comodo Dragon
Nichrome Maxthon 5
Sputnik Vivaldi
CocCoc Uran
QIP Surf CentBrowser
Elements Tor
CryptoTab Brave
Opera OperaGX
OperaNeon Firefox
SlimBrowser PaleMoon
Waterfox Cyberfox
BlackHawk IceCat
KMeleon Thunderbird

 

Arkei Stealer is one of the most threatening types of malware for cryptocurrency holders, due to the vast list of crypto browser wallets the malware can compromise and steal user’s assets from. Arkei steals these credentials by copying all the files stored in the browser’s extension folder. For example, if the victim uses Google Chrome with a crypto browser wallet extension, the extension files will be stored in:

  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Extension ID from Google Store
  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ Extension ID from Google Store
  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\Domain Name.indexeddb.leveldb

Arkei steals the data from the following crypto wallets:

Crypto browser wallet Extension ID
TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn
Binance Chain Wallet fhbohimaelbohpjbbldcngcnapndodjp
Yoroi ffnbelfdoeiohenkjibnmadjiehjhajb
Nifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid
Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUA Wallet blnieiiffboillknjnepogjhkgnoapac
Jaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne
BitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi
iWallet kncchdigobghenbbaddojjnnaogfppfj
Wombat amkmjjmmflddogmhpjloimipbofnfjih
MEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj
Saturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec
NeoLine cphhlgmgameodnhkjdmkpanlelnlohao
Clover Wallet nhnkbkgjikgcigadomkphalanndcapjk
Liquality Wallet kpfopkelmapcoipemfendmdcghnegimn
Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr dmkamcknogkgcdfhhbddcghachkejeap
Sollet fhmfendgdocmcbmfikdcogofphimnkno
Auro Wallet cnmamaachppnkjgnildpdmkaakejnhae
Polymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex flpiciilemghbmfalicajoolhkkenfel
Nabox Wallet nknhiehlklippafakaeklbeglecifhad
KHC hcflpincpppdclinealmandijcmnkbgn
Temple ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox mnfifefkajgofkcjkemidiaecocnkjeh
Cyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm
Byone nlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKey infeboajgfhgbjpjbeppbkgnabfdkdaf
LeafWallet cihmoadaighcejopammfbmddcmdekcje
DAppPlay lodccjjbdhfakaekdiahmedfbieldgik
BitClip ijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychain lkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extension onofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Client bcopgchhojmggmffilplmbdicgaihlkp
ZilPay klnaejjgbibmhlephnhpmaofohgkpgkd
Coin98 Wallet aeachknmefphepccionboohckonoeemg

 

The sample that we analyzed steals data pertaining to stored browser passwords and 2FA extensions such as:

  • Authenticator
  • Authy
  • EOS Authenticator
  • GAuth Authenticator
  • Trezor Password Manager

This malware takes advantage of the fact that an increasing number of employees use their organizations’ endpoints for day-to-day activities, such as online purchasing and cryptocurrency activities. Electronic wallets are becoming increasingly common, making it easier for end-users to expose the corporate network to external attacks.

Minerva Lab’s Ransomware Protection prevents Arkei Stealer from executing on the victim’s PC, protecting the corporate network and user’s private data.

 

IOC’s:

Hashes:

  • 388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d – app59.exe

Domains:

  • https://thecowbook[.]com – C&C server

 

References:

https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html

https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess