Arkei

Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.

Type
Stealer
Origin
ex-USSR
First seen
21 May, 2018
Last seen
15 March, 2023
Also known as
ArkeiStealer
Global rank
32
Week rank
50
Month rank
26
IOCs
16092

What is Arkei malware

Arkei is a stealer designed to exfiltrate information from infected systems. Typical for this malware type, it is distributed using the Malware-as-a-Service (MaaS) model, which means that anyone can use the malware with minimal technical knowledge — all you need is to purchase access to a control panel from a website that sells the service.

This malware — which is written in C++ — targets Windows systems and is considered a medium impact and medium risk threat.

Having been around since 2018, Arkei has become popular among adversaries: not only is it widely used, but it has spawned several forks including Mars, Oski, and Vidar stealer, which we have covered before in the ANY.RUN trends trackers.

Arkei is capable of retrieving a variety of information from infected machines, including:

  • Form autosaves stored in the browser
  • Login and passwords
  • Files
  • Cryptocurrency wallets

Cryptocurrency owners are at the highest risk and are the main targets of Arkei. It can extract data from around 40 crypto wallet extensions, including MetaMask, which accounts for over 80% of web3 wallet usage.

The stealer also targets more than 30 web browsers, including Chrome, Firefox, Microsoft Edge, Opera, Brave, and TOR.

Arkei can also target 2FA extensions, a capability it has had roughly since the beginning of 2022. It's unclear how attackers are planning to use this data, but it's certain that this development could pose new risks for both corporate and private users.

The specific data types that the malware targets depend on its configuration file — a Base64-encoded file with the .PHP extension — and will vary from campaign to campaign. The attacker can use it to set Arkei's behavior with custom rules and target specific information.

It is important to note that Arkei terminates execution on machines from the ex-USSR regions.

The stealer identifies the region by accessing the language identifier of the Region Format setting. This behavior is typical for malware originating from the ex-USSR territories, which gives an insight into Arkei’s origin.

Arkei is equipped with multiple evasion techniques that help it avoid detection. For example, it checks that the computer name is not set to "HAL9TH" and that the username is not "JohnDoe"; these are the default settings of the Windows Defender emulator. It also checks the DLLs loaded in a process against a list of antivirus and emulation software.

Once it's time to gather the data, Arkei compiles its findings into a .zip archive, gives it a random 12-character name, and sends it to its control server. In addition to the information specified by the config file, it captures a system screenshot and extracts system information.

How to get more information from Arkei malware

You can obtain Arkei's malware configuration from its sample in ANY.RUN.

Figure 1: Arkei configuration automatically extracted by ANY.RUN

Users can access comprehensive malware configuration data in the ANY.RUN interactive online sandbox in as little as 10 seconds after starting the sandbox. There's no need to wait for the emulation to finish running.

Arkei execution process

After a system is infected, a TCP connection is established with the attacker's remote server. The server sends Base64-encoded parameters to the malware, including search path templates and file search masks. Using these parameters, the malware determines which information it needs to steal from the victim's computer.

The malware then requests the libraries necessary for its operation from the remote server. These libraries are sent as ZIP archives.

Subsequent communication with the server involves sending stolen files to the C2 server. Some threat actors use packing techniques on Arkei samples (T1027.002) to avoid detection by signatures. An example of this behavior can be seen in this task we recorded in ANY.RUN.

After launching the packed sample, the AppLaunch.exe process is created in the system, which is part of the .NET Framework. The malicious code is then injected into this process.
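The execution chain above (AppLaunch.exe used as an injection host, its outbound TCP session to the C2, and the randomly named .zip archive described earlier) can be correlated in endpoint telemetry. The following is an added detection example, not code from ANY.RUN or the page; the pipe-delimited event format, the sample events, and the alphanumeric archive-name pattern are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Format: type|pid|image|detail
SAMPLE_EVENTS = """\
ProcessCreate|4100|C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe|parent=explorer.exe
ProcessCreate|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|parent=setup.exe
NetworkConnect|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|dst=198.51.100.7:80
FileCreate|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|path=C:\\Users\\u\\AppData\\Local\\Temp\\Ab3kZq9xT1pL.zip
ProcessCreate|5000|C:\\Windows\\System32\\notepad.exe|parent=explorer.exe
FileCreate|5000|C:\\Windows\\System32\\notepad.exe|path=C:\\Users\\u\\notes.txt
"""

# Assumed archive-name pattern: 12 alphanumerics plus .zip. The page only says
# "random 12-character name"; the character set is an assumption.
RANDOM_ZIP = re.compile(r"(^|\\)[A-Za-z0-9]{12}\.zip$", re.IGNORECASE)


def parse_events(text):
    """Split pipe-delimited lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        etype, pid, image, detail = parts
        events.append({"type": etype, "pid": int(pid), "image": image, "detail": detail})
    return events


def find_arkei_chains(text, min_indicators=2):
    """Return [(pid, [indicator, ...])] for processes showing at least
    min_indicators of the chain. A lone indicator is too weak to alert on:
    AppLaunch.exe is a legitimate .NET Framework binary."""
    indicators = defaultdict(list)
    for ev in parse_events(text):
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        hosted = image_name == "applaunch.exe"
        if ev["type"] == "ProcessCreate" and hosted:
            indicators[ev["pid"]].append("applaunch_host")
        elif ev["type"] == "NetworkConnect" and hosted:
            # A .NET helper binary has no reason to open its own TCP sessions
            indicators[ev["pid"]].append("c2_connect")
        elif ev["type"] == "FileCreate" and RANDOM_ZIP.search(ev["detail"].split("path=", 1)[-1]):
            indicators[ev["pid"]].append("random_zip")
    return [(pid, hits) for pid, hits in indicators.items() if len(hits) >= min_indicators]
```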

Distribution of Arkei

Arkei finds its victims in a number of ways. It’s delivered with malicious email campaigns in infected attachments, distributed through malicious ads, and is sometimes found in cracked software.

Adversaries use trojan horse tactics to entice potential victims into installing Arkei on their systems: social engineering techniques can be utilized, such as offering a free version of premium software.

Arkei has also been tied to campaigns utilizing SmokeLoader — an advanced modular malware used to gain an initial foothold in the system and drop other executables. Although SmokeLoader, as you have probably guessed from its name, is primarily used as a loader, it can be armed with information-stealing functionality itself — double the threat when used together with Arkei.

Conclusion

Arkei is a stealer that poses a significant risk to users' sensitive data, particularly crypto wallets.

But users can keep their login and password information, files, and 2FA data secure by following these best practices:

  • Avoiding clicking on suspicious links
  • Being vigilant with emails from unknown senders
  • Steering clear of lurid ads
  • Being mindful where they download software from

You can identify and analyze threats like Arkei — and more — in a matter of minutes using ANY.RUN’s interactive sandbox. Sign up for a demo!

IOCs


