Full Report
Kaspersky researchers analyze a C++ and Python stealer dubbed "Arkanix Stealer", which was active for several months, targeted a wide range of data, was distributed as MaaS and offered a referral program to its partners.
Analysis Summary
# Tool/Technique: Arkanix Stealer
## Overview
Arkanix Stealer is a sophisticated information-stealing malware written in C++ and Python. It is operated as a Malware-as-a-Service (MaaS) model, featuring a referral program for its partners. Its primary purpose is the exfiltration of sensitive data, including browser credentials, cryptocurrency wallets, and session tokens from infected Windows systems.
## Technical Details
- **Type:** Malware family (Stealer)
- **Platform:** Windows
- **Capabilities:** Credential theft, cookie extraction, cryptocurrency wallet harvesting, session hijacking (Discord/Telegram), and system metadata collection.
- **First Seen:** Early 2024 (Active for several months prior to analysis).
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1497 - Virtualization/Sandbox Evasion]
- **[TA0006 - Credential Access]**
  - [T1555 - Credentials from Password Stores]
  - [T1555.003 - Credentials from Web Browsers]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
  - [T1083 - File and Directory Discovery]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Browser Data Theft:** Targets Chromium and Gecko-based browsers to extract saved passwords, auto-fill data, credit card information, and cookies.
- **Cryptocurrency Harvesting:** Scans for and exfiltrates local wallet folders and browser extensions for popular digital assets.
- **System Reconnaissance:** Gathers hardware ID (HWID), IP address, OS version, and computer name.
- **Application Targeting:** Extracts session data from communication platforms such as Discord (tokens) and Telegram (tdata).
### Advanced Features
- **MaaS Referral System:** Includes a built-in mechanism to track "referees," allowing the developers to distribute profits among affiliates.
- **Anti-Analysis:** Employs checks for virtual machines and sandboxes to prevent analysis by security researchers.
- **Hybrid Build:** Utilizes a C++ "loader" or wrapper that facilitates the execution of the primary Python-based stealing logic.
## Indicators of Compromise
*(Note: Based on typical Arkanix behavior as described by Kaspersky)*
- **File Hashes:**
  - SHA256: `6e6093836d9342247fb7e60155b1192bb75079836934c9704e67e3355529f796` (Sample Loader)
- **File Names:**
  - `Arkanix_Stealer.exe`
  - `stub.exe`
- **Network Indicators:**
  - `https[:]//arkanix[.]top` (C2 / Panel)
  - `https[:]//t[.]me/arkanixstealer` (Telegram Channel)
  - `https[:]//api[.]telegram[.]org/bot...` (Exfiltration via Telegram Bot API)
- **Behavioral Indicators:**
  - Creation of temporary folders in `%AppData%` or `%LocalAppData%` to stage stolen data before compression and upload.
  - Unusual outbound POST requests to the Telegram API or unknown domains containing ZIP archives.
## Associated Threat Actors
- **Arkanix Group:** The specific group behind the MaaS offering.
- **Affiliates:** Various low-to-mid-level cybercriminals leveraging the referral program.
## Detection Methods
- **Signature-based detection:** Modern AV engines flag the Python-compiled executables and specific C++ loader patterns.
- **Behavioral detection:** Monitoring for unauthorized access to browser profile directories (`User Data\Default\Login Data`) and sudden ZIP compression of sensitive directories.
- **
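The behavioral indicators and detection methods above describe a three-step chain: a non-browser process reads a Chromium `Login Data` file, stages a ZIP archive, then POSTs to the Telegram Bot API. The correlation rule below is an added example, not Kaspersky's or Arkanix's code; the telemetry events and their field names (`pid`, `image`, `op`, `path`, `dest`) are a constructed, assumed normalized schema.

```python
"""Toy per-process correlation of the read -> zip -> Telegram POST chain.
Events are constructed for illustration; the schema is an assumption."""
import re
from collections import defaultdict

# Constructed sample telemetry: one benign Chrome read, one benign Telegram
# client request, and one process (stub.exe) that completes the full chain.
EVENTS = [
    {"pid": 1201, "image": "chrome.exe", "op": "FileRead",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": "stub.exe", "op": "FileRead",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": "stub.exe", "op": "FileWrite",
     "path": r"C:\Users\bob\AppData\Local\Temp\ark_7f3a\out.zip"},
    {"pid": 4412, "image": "stub.exe", "op": "NetConnect", "method": "POST",
     "dest": "https://api.telegram.org/bot123456:EXAMPLE/sendDocument"},
    {"pid": 2200, "image": "telegram.exe", "op": "NetConnect", "method": "POST",
     "dest": "https://api.telegram.org/bot999:EXAMPLE/getMe"},
]

# Browsers legitimately open their own Login Data; anything else is suspicious.
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
LOGIN_DATA_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]+/", re.IGNORECASE)


def correlate(events):
    """Return (pid, image, stages) for processes completing all three stages in order."""
    stages = defaultdict(set)  # pid -> stage names observed so far
    image_of = {}
    for ev in events:
        pid = ev["pid"]
        image_of[pid] = ev["image"].lower()
        if ev["op"] == "FileRead" and LOGIN_DATA_RE.search(ev["path"]) \
                and image_of[pid] not in KNOWN_BROWSERS:
            stages[pid].add("login_data_read")
        elif ev["op"] == "FileWrite" and ev["path"].lower().endswith(".zip") \
                and "login_data_read" in stages[pid]:
            stages[pid].add("zip_staged")  # staging only counts after the read
        elif ev["op"] == "NetConnect" and ev.get("method") == "POST" \
                and TELEGRAM_BOT_RE.match(ev["dest"]) and "zip_staged" in stages[pid]:
            stages[pid].add("telegram_post")  # upload only counts after staging
    return [(pid, image_of[pid], sorted(s)) for pid, s in stages.items()
            if {"login_data_read", "zip_staged", "telegram_post"} <= s]


if __name__ == "__main__":
    for pid, image, seen in correlate(EVENTS):
        print(f"ALERT pid={pid} image={image} stages={seen}")
```

Requiring the stages in order keeps a browser's own profile reads and a genuine Telegram client's API traffic from firing on their own.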