Guest Post: A Long List Of Arkei Stealer’s Crypto Browser Wallets According To Minerva Labs 

Arkei is an information-stealer, distributed as a malware as a service (MAAS). It collects sensitive information such as application passwords, credit card information, web browser cookies and can even download additional payloads from the C&C server. It also shares code with several other information stealers including Oski and Vidar.

Arkei Stealer’s main purpose is to collect passwords, cookies, auto-complete data, desktop files, machine data, installed software, etc. In 2021, Arkei’s authors extended its crypto wallet stealing capabilities, as well as the addition of anti-debugging and anti-emulation checks, to thwart its analysis and detection rates.

We analyzed a sample found by @James_inthe_box and created a complete list of the browsers and crypto browser wallets that Arkei Stealer tries to steal. 

First, let’s talk about the evasion techniques this stealer performs. Arkei performs two well-known anti-debugger checks:

1. It calls ntdll!NtQueryInformationProcess with ProcessInformationClass set to 7 (ProcessDebugPort) – this call returns a DWORD value equal to 0xFFFFFFFF ( –1 in decimal) if the process is being debugged:

anti-debugger check

Figure 1 – NtQueryInformationProcess anti-debugger check

2. Timing check using kernel32!GetTickCount function – when debugging in a single-step mode, a lag occurs while running the executable. Arkei checks a timestamp and compares it to another one after a few instructions, to check for a delay:

timing anti-debugger check

Figure 2 Timing anti-debugger check

Arkei Stealer employs another evasion technique (akin to Vidar stealer’s anti–emulation technique), which checks the computer name and the username running the Arkei executable. The malicious process will terminate itself if the computer name is “HAL9TH” and the username is “JohnDoe” (which is the default computer name and default username respectively of the Windows Defender emulator):

anti-emulator check

Figure 3 Anti-emulator check

To learn more about how Minerva Labs can protect your business contact us. 

Arkei also checks if any of the following DLL’s are loaded into the process:

  • avghookx.dll – AVG Internet Security.
  • avghooka.dll – AVG Internet Security.
  • snxhk.dll – Avast Antivirus.
  • sbiedll.dll – Sandboxie.
  • api_log.dll – CWSandbox.
  • dir_watch.dll – iDefense SysAnalyzer.
  • pstorec.dll – SunBelt Sandbox.
  • vmcheck.dll – VirtualPC.
  • wpespy.dll – Sandbox.
  • cmdvrt32.dll – COMODO Internet Security.
  • cmdvrt64.dll – COMODO Internet Security.

This stealer will terminate itself if the language identifier of the Region Format setting of the current user is one of the following:

  • 43Fh – Kazah
  • 443h – Uzbek – Latin
  • 419h – Russian
  • 82Ch – Azeri-Cyrillic
  • 423h – Belarusian 

This might indicate that the author comes from one of the above countries where it is a common technique, used in order to not draw the attention of the local authorities.

If all the above checks pass successfully, the malware will continue its intended purpose.

Arkei steals passwords, cookies, and autofill information from the following 32 web browsers:

Google ChromeChromium
Microsoft EdgeKometa
AmigoTorch
OrbitumComodo Dragon
NichromeMaxthon 5
SputnikVivaldi
CocCocUran
QIP SurfCentBrowser
ElementsTor
CryptoTabBrave
OperaOperaGX
OperaNeonFirefox
SlimBrowserPaleMoon
WaterfoxCyberfox
BlackHawkIceCat
KMeleonThunderbird

Arkei Stealer is one of the most threatening types of malware for cryptocurrency holders, due to the vast list of crypto browser wallets the malware can compromise and steal user’s assets from. Arkei steals these credentials by copying all the files stored in the browser’s extension folder. For example, if the victim uses Google Chrome with a crypto browser wallet extension, the extension files will be stored in:

  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Extension ID from Google Store
  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ Extension ID from Google Store
  • C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\Domain Name.indexeddb.leveldb

Arkei steals the data from the following crypto wallets:

Crypto browser walletExtension ID
TronLinkibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMasknkbihfbeogaeaoehlefnkodbefgpgknn
Binance Chain Walletfhbohimaelbohpjbbldcngcnapndodjp
Yoroiffnbelfdoeiohenkjibnmadjiehjhajb
Nifty Walletjbdaocneiiinmjbjlgalhcelgbejmnid
Math Walletafbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase Wallethnfanknocfeofbddgcijnmhnfnkdnaad
Guardahpglfhgfnhbgpjdenjgmdgoeiappafln
EQUA Walletblnieiiffboillknjnepogjhkgnoapac
Jaxx Libertycjelfplplebdjjenllpjcblmjkfcffne
BitApp Walletfihkakfobkmkjojpchpfgcmhfjnmnfpi
iWalletkncchdigobghenbbaddojjnnaogfppfj
Wombatamkmjjmmflddogmhpjloimipbofnfjih
MEW CXnlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWalletnanjmdknhkinifnkgdcggcfnhdaammmj
Saturn Walletnkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Walletfnjhmkhhmkbjkkabndcnnogagogbneec
NeoLinecphhlgmgameodnhkjdmkpanlelnlohao
Clover Walletnhnkbkgjikgcigadomkphalanndcapjk
Liquality Walletkpfopkelmapcoipemfendmdcghnegimn
Terra Stationaiifbnbfobpmeekipheeijimdpnlpgpp
Keplrdmkamcknogkgcdfhhbddcghachkejeap
Solletfhmfendgdocmcbmfikdcogofphimnkno
Auro Walletcnmamaachppnkjgnildpdmkaakejnhae
Polymesh Walletjojhfeoedkpkglbfimdfabpdfjaoolaf
ICONexflpiciilemghbmfalicajoolhkkenfel
Nabox Walletnknhiehlklippafakaeklbeglecifhad
KHChcflpincpppdclinealmandijcmnkbgn
Templeookjlbkiijinhpmnjffcofjonbfbgaoc
TezBoxmnfifefkajgofkcjkemidiaecocnkjeh
Cyano Walletdkdedlpgdmmkkfjabffeganieamfklkm
Byonenlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKeyinfeboajgfhgbjpjbeppbkgnabfdkdaf
LeafWalletcihmoadaighcejopammfbmddcmdekcje
DAppPlaylodccjjbdhfakaekdiahmedfbieldgik
BitClipijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychainlkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extensiononofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Clientbcopgchhojmggmffilplmbdicgaihlkp
ZilPayklnaejjgbibmhlephnhpmaofohgkpgkd
Coin98 Walletaeachknmefphepccionboohckonoeemg

The sample that we analyzed steals data pertaining to stored browser passwords and 2FA extensions such as:

  • Authenticator
  • Authy
  • EOS Authenticator
  • GAuth Authenticator
  • Trezor Password Manager

This malware takes advantage of the fact that an increasing number of employees use their organizations’ endpoints for day-to-day activities, such as online purchasing and cryptocurrency activities. Electronic wallets are becoming increasingly common, making it easier for end-users to expose the corporate network to external attacks.

Minerva Lab’s Hostile Environment Simulation Module prevents Arkei Stealer from executing on the victim’s PC, protecting the corporate network and user’s private data.

IOC’s:

Hashes:

  • 388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d – app59.exe

Domains:

References:

https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html

https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: