A newly discovered malware campaign is leveraging YouTube to distribute a sophisticated stealer known as Arcane. This malicious software is being promoted through videos that advertise game cheats, showcasing the evolving tactics of cybercriminals who exploit popular platforms to disseminate malware. Arcane is particularly dangerous due to its comprehensive data collection capabilities, targeting a variety of applications including VPN clients, network utilities, and web browsers.

Distribution and Functionality

The malware distribution begins with YouTube videos that contain links to password-protected archives. Once these archives are unpacked, they reveal a batch file that downloads additional malware components using PowerShell. This batch file also disables Windows SmartScreen by adding all drive roots to the SmartScreen filter exceptions and altering registry keys to deactivate SmartScreen entirely. The malware subsequently executes files from the downloaded archive, which include a cryptocurrency miner and the Arcane stealer itself.

Targeted Applications

Arcane is adept at extracting sensitive information from various applications. According to security reports, it targets VPN clients such as OpenVPN, NordVPN, and ExpressVPN, as well as network utilities like ngrok and FileZilla. It also steals login credentials from browsers, including those based on Chromium and Gecko, by utilizing the Data Protection API (DPAPI) and an executable utility called Xaitax to decrypt browser encryption keys. Additionally, Arcane launches browsers with a remote-debugging-port argument to extract cookies from popular websites like Gmail and Steam.

  • VPN Clients: Targets include OpenVPN, NordVPN, and ExpressVPN.
  • Network Utilities: Affects applications such as ngrok and FileZilla.
  • Web Browsers: Steals credentials from Chromium and Gecko-based browsers.
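As an added example (not code from the report or from the Arcane samples themselves), the following Python sketch shows detection logic for two behaviours described above: a browser launched with a remote-debugging-port argument, and registry writes that touch SmartScreen settings. The key=value telemetry format, the sample log lines, and the registry paths are assumptions; adapt them to your own Sysmon or EDR fields.

```python
import re

# Simplified key=value telemetry lines (constructed; real Sysmon/EDR fields differ).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Broad heuristic: any registry write whose path mentions SmartScreen. Well-known
# locations include HKLM\...\Explorer\SmartScreenEnabled and the policy value
# EnableSmartScreen; the exact keys Arcane touches are not listed in the report.
SMARTSCREEN_RE = re.compile(r"smartscreen", re.IGNORECASE)

def parse_line(line):
    """Parse one 'Key=Value Key="quoted value"' line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def detect(lines):
    """Return (rule, pid, evidence) tuples for events matching either behaviour."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "")
            # Interactive browsers are not normally started with a debugging port;
            # the report says Arcane launches them this way to read session cookies.
            if image in BROWSERS and "--remote-debugging-port" in cmd.lower():
                alerts.append(("browser_remote_debug", ev.get("ProcessId"), cmd))
        elif kind == "RegistryValueSet":
            target = ev.get("TargetObject", "")
            if SMARTSCREEN_RE.search(target):
                alerts.append(("smartscreen_tamper", ev.get("ProcessId"), target))
    return alerts

# Constructed sample telemetry: a benign browser launch, a suspicious launch,
# a SmartScreen registry write, and an unrelated registry write.
SAMPLE_LOG = [
    r'EventType=ProcessCreate ProcessId=4120 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" CommandLine="chrome.exe https://example.com"',
    r'EventType=ProcessCreate ProcessId=4188 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" CommandLine="chrome.exe --remote-debugging-port=9222 --headless"',
    r'EventType=RegistryValueSet ProcessId=3988 TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled" Details=Off',
    r'EventType=RegistryValueSet ProcessId=2210 TargetObject="HKCU\Software\ExampleApp\LastRun" Details=1',
]

if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_LOG):
        print(f"[{rule}] pid={pid}: {evidence}")
```

Run against the constructed log, the script flags the second and third lines only; in production, pair the SmartScreen rule with the parent-process context (here, a batch file spawning PowerShell) to cut false positives from legitimate policy changes.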

ArcanaLoader and Target Audience

Following the initial discovery of Arcane, researchers noted a shift in distribution tactics with the introduction of ArcanaLoader. This loader, also advertised on YouTube channels, claims to download popular cracks and cheats but instead delivers malware. The loader provides a link to a Discord server where users can access updates and support. The attackers primarily target a Russian-speaking audience, as indicated by the language used in their communications and the geographical distribution of victims, mainly in Russia, Belarus, and Kazakhstan.
