Guest Post: A Long List Of Arkei Stealer’s Crypto Browser Wallets According To Minerva Labs
Arkei is an information stealer distributed as malware-as-a-service (MaaS). It collects sensitive information such as application passwords, credit card information and web browser cookies, and can also download additional payloads from its C&C server. It shares code with several other information stealers, including Oski and Vidar.
Arkei Stealer’s main purpose is to collect passwords, cookies, auto-complete data, desktop files, machine data, installed software, etc. In 2021, Arkei’s authors extended its crypto wallet stealing capabilities and added anti-debugging and anti-emulation checks to hinder analysis and lower detection rates.
We analyzed a sample found by @James_inthe_box and created a complete list of the browsers and crypto browser wallets that Arkei Stealer tries to steal.
First, let’s talk about the evasion techniques this stealer performs. Arkei performs two well-known anti-debugger checks:
1. It calls ntdll!NtQueryInformationProcess with ProcessInformationClass set to 7 (ProcessDebugPort) – this call returns a DWORD value equal to 0xFFFFFFFF (-1 in decimal) if the process is being debugged:
Figure 1 – NtQueryInformationProcess anti-debugger check
2. Timing check using kernel32!GetTickCount – when single-stepping in a debugger, execution of the executable slows down noticeably. Arkei takes a timestamp, executes a few instructions, takes a second timestamp and compares the two to check for a delay:
Figure 2 – Timing anti-debugger check
Arkei Stealer employs another evasion technique (akin to Vidar stealer’s anti-emulation technique), which checks the computer name and the username running the Arkei executable. The malicious process terminates itself if the computer name is “HAL9TH” and the username is “JohnDoe” (the default computer name and default username, respectively, of the Windows Defender emulator):
Figure 3 – Anti-emulator check
Arkei also checks whether any of the following DLLs are loaded into the process:
avghookx.dll – AVG Internet Security.
avghooka.dll – AVG Internet Security.
snxhk.dll – Avast Antivirus.
sbiedll.dll – Sandboxie.
api_log.dll – CWSandbox.
dir_watch.dll – iDefense SysAnalyzer.
pstorec.dll – SunBelt Sandbox.
vmcheck.dll – VirtualPC.
wpespy.dll – Sandbox.
cmdvrt32.dll – COMODO Internet Security.
cmdvrt64.dll – COMODO Internet Security.
This stealer will terminate itself if the language identifier of the Region Format setting of the current user is one of the following:
43Fh – Kazakh
443h – Uzbek – Latin
419h – Russian
82Ch – Azeri-Cyrillic
423h – Belarusian
This may indicate that the author is based in one of the above countries; refusing to run on machines from the author’s own region is a common technique used to avoid drawing the attention of the local authorities.
If all the above checks pass successfully, the malware will continue its intended purpose.
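As an added example (not part of the original post), the following Python triage helper looks for the evasion indicators described above in a sample’s printable strings: the sandbox/AV hook DLL names, the Windows Defender emulator names HAL9TH and JohnDoe, and the two anti-debugging API names. The sample blob, the function names and the scoring heuristic are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# Indicators taken from the analysis above: sandbox/AV hook DLLs, the Defender
# emulator's default computer name and user name, and the anti-debug APIs.
SANDBOX_DLLS: Set[str] = {
    "avghookx.dll", "avghooka.dll", "snxhk.dll", "sbiedll.dll", "api_log.dll",
    "dir_watch.dll", "pstorec.dll", "vmcheck.dll", "wpespy.dll",
    "cmdvrt32.dll", "cmdvrt64.dll",
}
EMULATOR_NAMES: Set[str] = {"HAL9TH", "JohnDoe"}
ANTI_DEBUG_APIS: Set[str] = {"NtQueryInformationProcess", "GetTickCount"}

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> Set[str]:
    """Printable ASCII and UTF-16LE strings of 4+ chars (like `strings -e l`)."""
    found = {m.group().decode("ascii") for m in _ASCII.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _WIDE.finditer(data)}
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Group indicator hits by category; substring match so embedded names count."""
    strings = extract_strings(data)
    lowered = {s.lower() for s in strings}
    return {
        "sandbox_dlls": sorted(d for d in SANDBOX_DLLS if any(d in s for s in lowered)),
        "emulator_names": sorted(n for n in EMULATOR_NAMES if any(n in s for s in strings)),
        "anti_debug_apis": sorted(a for a in ANTI_DEBUG_APIS if any(a in s for s in strings)),
    }


def looks_like_arkei_evasion(hits: Dict[str, List[str]]) -> bool:
    """Hypothetical heuristic: both emulator names plus at least three sandbox DLLs."""
    return len(hits["emulator_names"]) == 2 and len(hits["sandbox_dlls"]) >= 3


# Constructed sample blob (not a real binary): wide-string names as the emulator
# check would compare them, plus ASCII DLL names and one imported API name.
SAMPLE = (
    b"\x00" * 8
    + "HAL9TH".encode("utf-16-le") + b"\x00\x00"
    + "JohnDoe".encode("utf-16-le") + b"\x00\x00"
    + b"sbiedll.dll\x00snxhk.dll\x00cmdvrt32.dll\x00NtQueryInformationProcess\x00"
)

if __name__ == "__main__":
    hits = triage(SAMPLE)
    print(hits, looks_like_arkei_evasion(hits))
```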
Arkei steals passwords, cookies, and autofill information from the following 32 web browsers:
Google Chrome
Chromium
Microsoft Edge
Kometa
Amigo
Torch
Orbitum
Comodo Dragon
Nichrome
Maxthon 5
Sputnik
Vivaldi
CocCoc
Uran
QIP Surf
CentBrowser
Elements
Tor
CryptoTab
Brave
Opera
OperaGX
OperaNeon
Firefox
SlimBrowser
PaleMoon
Waterfox
Cyberfox
BlackHawk
IceCat
KMeleon
Thunderbird
Arkei Stealer is one of the most threatening types of malware for cryptocurrency holders, due to the vast list of crypto browser wallets the malware can compromise in order to steal users’ assets. Arkei steals these credentials by copying all the files stored in the browser’s extension folder. For example, if the victim uses Google Chrome with a crypto browser wallet extension, the extension files are stored in:
C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension ID from Google Store>
C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\<Extension ID from Google Store>
Arkei steals the data from the following crypto wallets:
Crypto browser wallet – Extension ID
TronLink – ibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMask – nkbihfbeogaeaoehlefnkodbefgpgknn
Binance Chain Wallet – fhbohimaelbohpjbbldcngcnapndodjp
Yoroi – ffnbelfdoeiohenkjibnmadjiehjhajb
Nifty Wallet – jbdaocneiiinmjbjlgalhcelgbejmnid
Math Wallet – afbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase Wallet – hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda – hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUA Wallet – blnieiiffboillknjnepogjhkgnoapac
Jaxx Liberty – cjelfplplebdjjenllpjcblmjkfcffne
BitApp Wallet – fihkakfobkmkjojpchpfgcmhfjnmnfpi
iWallet – kncchdigobghenbbaddojjnnaogfppfj
Wombat – amkmjjmmflddogmhpjloimipbofnfjih
MEW CX – nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet – nanjmdknhkinifnkgdcggcfnhdaammmj
Saturn Wallet – nkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Wallet – fnjhmkhhmkbjkkabndcnnogagogbneec
NeoLine – cphhlgmgameodnhkjdmkpanlelnlohao
Clover Wallet – nhnkbkgjikgcigadomkphalanndcapjk
Liquality Wallet – kpfopkelmapcoipemfendmdcghnegimn
Terra Station – aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr – dmkamcknogkgcdfhhbddcghachkejeap
Sollet – fhmfendgdocmcbmfikdcogofphimnkno
Auro Wallet – cnmamaachppnkjgnildpdmkaakejnhae
Polymesh Wallet – jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex – flpiciilemghbmfalicajoolhkkenfel
Nabox Wallet – nknhiehlklippafakaeklbeglecifhad
KHC – hcflpincpppdclinealmandijcmnkbgn
Temple – ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox – mnfifefkajgofkcjkemidiaecocnkjeh
Cyano Wallet – dkdedlpgdmmkkfjabffeganieamfklkm
Byone – nlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKey – infeboajgfhgbjpjbeppbkgnabfdkdaf
LeafWallet – cihmoadaighcejopammfbmddcmdekcje
DAppPlay – lodccjjbdhfakaekdiahmedfbieldgik
BitClip – ijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychain – lkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extension – onofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Client – bcopgchhojmggmffilplmbdicgaihlkp
ZilPay – klnaejjgbibmhlephnhpmaofohgkpgkd
Coin98 Wallet – aeachknmefphepccionboohckonoeemg
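As an added example (not part of the original post), the following Python helper gives responders an exposure inventory: it walks a Chromium-style “User Data” directory, checks the two per-profile folders Arkei copies (“Local Extension Settings” and “Sync Extension Settings”), and reports which of the targeted wallet extensions are installed. It uses a hypothetical subset of the extension-ID table above; `find_wallet_extensions` and `build_demo_profile` are assumed names, and the demo profile tree is constructed.

```python
from pathlib import Path
from typing import Dict, List, Tuple

# Hypothetical subset of the extension-ID table above; extend with the full table.
WALLET_EXTENSIONS: Dict[str, str] = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "fhbohimaelbohpjbbldcngcnapndodjp": "Binance Chain Wallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "fnjhmkhhmkbjkkabndcnnogagogbneec": "Ronin Wallet",
    "aeachknmefphepccionboohckonoeemg": "Coin98 Wallet",
}
# The two per-profile folders Arkei copies (relative to a Chromium "User Data" dir).
EXTENSION_DIRS = ("Local Extension Settings", "Sync Extension Settings")


def find_wallet_extensions(user_data: Path) -> List[Tuple[str, str, str]]:
    """Return (profile, wallet name, folder) for each targeted wallet present."""
    hits: List[Tuple[str, str, str]] = []
    for profile in sorted(p for p in user_data.iterdir() if p.is_dir()):
        for folder in EXTENSION_DIRS:
            base = profile / folder
            if not base.is_dir():
                continue  # profile never synced or never installed extensions
            for ext in sorted(base.iterdir()):
                name = WALLET_EXTENSIONS.get(ext.name)
                if name and ext.is_dir():
                    hits.append((profile.name, name, folder))
    return hits


def build_demo_profile(root: Path) -> Path:
    """Constructed User Data tree: two wallets plus one unrelated extension ID."""
    ud = root / "User Data"
    for rel in ("Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn",
                "Default/Sync Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn",
                "Profile 1/Local Extension Settings/fnjhmkhhmkbjkkabndcnnogagogbneec",
                "Profile 1/Local Extension Settings/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"):
        (ud / rel).mkdir(parents=True, exist_ok=True)
    return ud


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for profile, wallet, folder in find_wallet_extensions(build_demo_profile(Path(tmp))):
            print(f"{profile}: {wallet} ({folder})")
```

On a real endpoint, point `find_wallet_extensions` at the Chrome, Edge or Brave “User Data” directory of each user to list the wallets a stealer infection would have reached.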
The sample that we analyzed also steals data belonging to browser password manager and 2FA extensions such as:
Authenticator
Authy
EOS Authenticator
GAuth Authenticator
Trezor Password Manager
This malware takes advantage of the fact that an increasing number of employees use their organizations’ endpoints for day-to-day activities, such as online purchasing and cryptocurrency activities. Electronic wallets are becoming increasingly common, making it easier for end-users to expose the corporate network to external attacks.
Minerva Labs’ Hostile Environment Simulation Module prevents Arkei Stealer from executing on the victim’s PC, protecting the corporate network and users’ private data.
This entry was posted on November 24, 2021 at 8:30 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed.