Arcane Stealer V Takes Aim at the Low End of the Dark Web


This data-harvesting tool is perfect for the deep well of low-skilled adversaries looking to make their cybercrime mark.

A general-purpose info-stealing malware is poised to make a splash in cybercrime circles, thanks to its market niche: It’s positioned as an ideal tool for low-skilled adversaries looking to get some skin in the game without having a lot of expertise.

According to the Fidelis Threat Research Team (TRT), the Arcane Stealer V malware is an inexpensive .NET package – it goes for just $9 on the Dark Web.

Functionality-wise, it collects various data from victims, including operating system, browser information, cryptocurrency wallets and instant-messaging sessions from Telegram, Discord and Pidgin. It also vacuums up passwords, cookies and forms from a variety of browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex; steals Word and .txt documents; collects Steam gaming community data; logs detected virtual machine IPs; and harvests data from FileZilla servers.

Aside from the attractive price tag, Arcane Stealer V also woos those on the lower rung of the cybercrime sophistication ladder with a series of helpful GUI dashboards and a support line available via the Telegram secure messaging service. In a Thursday analysis, TRT said that it also comes with various reports, such as statistics to showcase the potential amount of cash a user can “earn” with the malware within their specific geographic locations.

Interestingly though, it has no geofencing or language-targeting capabilities, and is clearly marketed as a non-discriminatory “spray and pray” tool, according to the report.

When it runs, the file collects the data, takes a screenshot and then creates a text log file of what was collected. It generates a hardware ID, which it uses as the name of both the folder and the zip archive that store the data, then beacons out to the command-and-control (C2) server to make a connection and send the zipped file along. After that, it goes dormant.
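For defenders, the sequence described above (reads of credential stores, a staging folder, a zip with the same name, then an outbound connection) can be correlated in endpoint telemetry. The Python below is an added example, not code from Fidelis or from the malware; the event format, path markers, process names and sample events are assumptions constructed for illustration.

```python
import ntpath
# Assumed path markers for the stores the article lists (not taken from the Fidelis report).
SENSITIVE = {
    "browser": ("\\login data", "\\network\\cookies"),
    "messenger": ("\\telegram desktop\\tdata", "\\discord\\local storage", "\\.purple\\accounts.xml"),
    "ftp": ("\\filezilla\\recentservers.xml", "\\filezilla\\sitemanager.xml"),
}
OWNERS = {"chrome.exe", "opera.exe", "telegram.exe", "discord.exe", "pidgin.exe", "filezilla.exe"}

def category(path):
    p = path.lower()
    return next((c for c, marks in SENSITIVE.items() if any(m in p for m in marks)), None)

def find_stealer_chains(events, min_categories=2):
    """Flag processes that read several credential stores, create a staging folder,
    write a zip with the same name as that folder, and then connect outbound."""
    state, flagged = {}, []
    for pid, image, action, target in events:          # events are in time order
        if ntpath.basename(image).lower() in OWNERS:
            continue                                   # an app reading its own data is expected
        s = state.setdefault(pid, {"cats": set(), "dirs": set(), "zipped": False})
        if action == "read" and category(target):
            s["cats"].add(category(target))
        elif action == "mkdir":
            s["dirs"].add(ntpath.basename(target).lower())
        elif action == "write" and target.lower().endswith(".zip"):
            stem = ntpath.splitext(ntpath.basename(target))[0].lower()
            s["zipped"] = s["zipped"] or stem in s["dirs"]
        elif action == "connect" and s["zipped"] and len(s["cats"]) >= min_categories:
            if image not in flagged:
                flagged.append(image)
    return flagged

# Constructed telemetry, all values made up: (pid, process image, action, target).
A = r"C:\Users\alice\AppData"
DROP = A + r"\Local\Temp\invoice.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    (4120, DROP, "read", A + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, DROP, "read", A + r"\Roaming\Telegram Desktop\tdata\key_datas"),
    (4120, DROP, "read", A + r"\Roaming\FileZilla\recentservers.xml"),
    (4120, DROP, "mkdir", A + r"\Local\Temp\9F3A77C1"),
    (4120, DROP, "write", A + r"\Local\Temp\9F3A77C1.zip"),
    (4120, DROP, "connect", "203.0.113.10:80"),
    (2208, CHROME, "read", A + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (3316, r"C:\Tools\backup.exe", "read", A + r"\Roaming\FileZilla\sitemanager.xml"),
    (3316, r"C:\Tools\backup.exe", "write", r"D:\Backups\nightly.zip"),
    (3316, r"C:\Tools\backup.exe", "connect", "192.0.2.44:22"),
]
```

Calling `find_stealer_chains(EVENTS)` flags only the constructed `invoice.exe` process; the browser reading its own store and the backup tool that touches a single category are left alone.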

As for Arcane Stealer V’s author, TRT identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack,” used to discuss the malware’s build and distribution, all associated with the same Russian-language actor. The same handles are also used in the Steam gaming community. On the personal front, his profile on one site lists his age as 21 and references a struggle with epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” according to the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

TRT researchers said that the actor sells the malware on their own website and on the Lolzteam site on the Dark Web. TRT also saw several cracked versions available for download on multiple community discussion and file-sharing platforms, like gaming forums and MegaNZ.

While Arcane Stealer V is for now targeted at the lower end of the market, that could change, because the author also offers the raw code for sale.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors,” TRT researchers said. “However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”
