Keypoints
- Arkei has expanded from stealing passwords and browser data to targeting multifactor authentication (MFA) data.
- SmokeLoader is used as the deployment downloader, with MaaS-style distribution and shared IOCs/URLs.
- The malware downloads known-legitimate DLLs (notably sqlite3.dll, used to read browser databases) via HTTP GET requests and loads them from %ProgramData% for its operations.
- A small Base64-encoded configuration file, served as a .PHP page, steers Arkei's exfiltration targets and actions, enabling flexible data theft.
- Anti-emulation and regional checks (e.g., HAL9TH and several regional blocks) help Arkei evade analysis.
- Arkei targets a wide range of browsers, browser extensions (including 2FA/MFA), and crypto wallets to maximize data theft.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Arkei downloads supporting components (e.g., sqlite3.dll) via HTTP GET requests to a malicious URL. “On execution, Arkei will attempt to make several HTTP web-requests to a malicious URL. These GET HTTP Requests are designed to download known-legitimate components…”
- [T1071.001] Web Protocols – The downloader uses web requests to reach malicious servers and communicate with its C2. “These GET HTTP Requests are designed to download known-legitimate components” and “exfiltrate back to its command-and-control (C2) server.”
- [T1027] Obfuscated/Compressed Files or Information – The configuration is stored in a Base64-encoded file. “This file is a small Base64-encoded .PHP file.”
- [T1140] Deobfuscate/Decode Files or Information – The configuration data can be de-obfuscated using CyberChef. “Using the CyberChef tool, the data contained within the config file can be de-obfuscated.”
- [T1497] Virtualization/Sandbox Evasion – Anti-emulation and region checks prevent analysis. “Arkei will check both the region of the device and the computer name… terminate its execution chain.”
- [T1082] System Information Discovery – Collects system information in a system.txt file. “The system.txt file contains the following information about the victim’s device…”
- [T1112] Modify Registry – Registry keys related to Internet Settings are modified. “Registry Keys Modified … HKEY_CURRENT_USER\…\Internet Settings\ZoneMap\ProxyBypass” (and others)
- [T1555.003] Credentials from Web Browsers – Grabber targets browser data such as cookies, autofill, history, and passwords. “grabber … finds valuable information stored in Internet browsers” and “Cookies.txt, Autofill.txt, History.txt, CC.txt, Passwords.txt”
- [T1113] Screen Capture – Exfiltration includes a screenshot of the victim device. “it will also take a screenshot of the victim device…”
- [T1041] Exfiltration Over C2 Channel – Data is bundled and sent back to the C2. “exfiltrate back to its C2” and “folder named … 12 random letters and numbers” for the data set
Indicators of Compromise
- [C2 Addresses] 185[.]7[.]214[.]239:80/poendxychb[.]php, coin-file-file-19[.]com:80/tratata[.]php, tuntutul[.]link/gate1[.]php, googe[.]link/gate1[.]php, 85[.]208[.]185[.]13/kyhvowljlf[.]php, homesteadr[.]link/ggate[.]php, 37[.]252[.]15[.]126/dhbuc2mgys[.]php, panel[.]computer/gate[.]php
- [SQL Library Addresses] hXXp[:]//homesteadr[.]link/sqlite3[.]dll, hXXp[:]//tuntutul[.]link/sqlite3[.]dll, hXXp[:]//coin-file-file-19[.]com/sqlite3[.]dll, hXXp[:]//saskatche[.]link/sqlite3[.]dll, hXXp[:]//googe[.]link/sqlite3[.]dll, hXXp[:]//85[.]208[.]185[.]13/sqlite3[.]dll, hXXp[:]//37[.]252[.]15[.]126/sqlite3[.]dll, hXXp[:]//panel[.]computer/public/sqlite3[.]dll
- [Files Created on System] C:\ProgramData\sqlite3.dll
- [Files Modified on System] %AppData%\Local\Temp\PH4EU37Q
- [Registry Keys Modified] HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
- [C2 Configurations (Base64 Encoded)] MHwwfDF8MXx8REVTS19URVNUNXwwfCVERVNLVE9QJVx8Ki50eHR8MXwwfDB8, MXwxfDF8MXx8RGlzY29yZHwwfCVBUFBEQVRBJVxkaXNjb3JkXExvY2FsIFN0b3JhZ2VcfCp8MXwwfDB8VGVsZWdyYW18MHwlQVBQREFUQSVcVGVsZWdyYW0gRGVza3RvcFx0ZGF0YVx8KkQ4NzdGNzgzRDVEM0VGOEMqLCptYXAqLCpjb25maWdzKnwxfDB8MHw=, MHwxfDF8MXwxfERFU0t8OTl8JURFU0tUT1AlXFx8Ki50eHQsKi5kb2N4LCpVVEMtLSouKiwqd2FsbGV0Ki4qLCptZXRhbWFzayouKiwqcHJpdmF0ZWtleSouKiwqbGVkZGUrKi4qLCpjYXJ0ZWlyYSouKiwqMmZhKi4qLCpvcGVuc2VhKi4qLCpleG9kdXMqLiA=, MXwxfDF8MXx8Q3J5cHRvfDB8JVVTRVJQUk9GSUxFJVxcfCoyZmEqLiosKnRva2VuKi4qLCpzZWVkKi4qLCpiaXRjb2luKi4qLCpidGMqLiosKmV0aCouKnwxfDF8MHw=, MXwxfDF8MXx8REVTS3wxMDB8JURFU0tUT1AlXFx8Ki50eHQsKlVUQy0tKi4qLCp3YWxsZXQqLiosKm1ldGFtYXNrKi4qfDF8MXwwfERPQ1N8MTAwfCVVU0VSUFJPRklMRSVcXERvY3VtZW50c1xcfCoudHh0LCpVVEMtLSouKiwqd2FsbGV0Ki4qLCptZXRhbWFzayouKnwxfDF8MHxET1dOfDEwMHwlVVNFUlBST0ZJTEUlXFxEb3dubG9hZHNcXHwqLnR4dCwqVVRDLS0qLiosKndhbGxldCouKiwqbWV0YW1hc2sqLip8MXwxfDB8
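The Base64 configurations above can be decoded and parsed without CyberChef (the T1140 step in the technique list). The Python script below is an added example written for this page; it is not code from the original post or from BlackBerry. The field layout it assumes (five leading flag fields, then repeating seven-field grabber rules of name, numeric value, base directory, comma-separated file masks and three trailing flags) is inferred from the five samples on this page, and treating the masks as shell-style wildcards is likewise an assumption. The third sample is cut off on the page, so the parser marks that rule as incomplete instead of discarding it.

```python
import base64
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional

# The five Base64 configurations listed on this page, copied verbatim.
SAMPLE_CONFIGS = [
    "MHwwfDF8MXx8REVTS19URVNUNXwwfCVERVNLVE9QJVx8Ki50eHR8MXwwfDB8",
    "MXwxfDF8MXx8RGlzY29yZHwwfCVBUFBEQVRBJVxkaXNjb3JkXExvY2FsIFN0b3JhZ2VcfCp8MXwwfDB8VGVsZWdyYW18MHwlQVBQREFUQSVcVGVsZWdyYW0gRGVza3RvcFx0ZGF0YVx8KkQ4NzdGNzgzRDVEM0VGOEMqLCptYXAqLCpjb25maWdzKnwxfDB8MHw=",
    "MHwxfDF8MXwxfERFU0t8OTl8JURFU0tUT1AlXFx8Ki50eHQsKi5kb2N4LCpVVEMtLSouKiwqd2FsbGV0Ki4qLCptZXRhbWFzayouKiwqcHJpdmF0ZWtleSouKiwqbGVkZGUrKi4qLCpjYXJ0ZWlyYSouKiwqMmZhKi4qLCpvcGVuc2VhKi4qLCpleG9kdXMqLiA=",
    "MXwxfDF8MXx8Q3J5cHRvfDB8JVVTRVJQUk9GSUxFJVxcfCoyZmEqLiosKnRva2VuKi4qLCpzZWVkKi4qLCpiaXRjb2luKi4qLCpidGMqLiosKmV0aCouKnwxfDF8MHw=",
    "MXwxfDF8MXx8REVTS3wxMDB8JURFU0tUT1AlXFx8Ki50eHQsKlVUQy0tKi4qLCp3YWxsZXQqLiosKm1ldGFtYXNrKi4qfDF8MXwwfERPQ1N8MTAwfCVVU0VSUFJPRklMRSVcXERvY3VtZW50c1xcfCoudHh0LCpVVEMtLSouKiwqd2FsbGV0Ki4qLCptZXRhbWFzayouKnwxfDF8MHxET1dOfDEwMHwlVVNFUlBST0ZJTEUlXFxEb3dubG9hZHNcXHwqLnR4dCwqVVRDLS0qLiosKndhbGxldCouKiwqbWV0YW1hc2sqLip8MXwxfDB8",
]

# Layout inferred from the samples (assumption, not documented by the page):
# five leading flag fields, then repeating seven-field grabber rules.
HEADER_FIELDS = 5
RULE_FIELDS = 7


@dataclass
class GrabberRule:
    name: str                   # label the operator gave the rule (DESK, Crypto, ...)
    number: str                 # numeric field; meaning not documented on the page
    path: str                   # base directory, expressed with %VAR% placeholders
    masks: List[str]            # file masks to collect under that directory
    flags: List[Optional[str]] = field(default_factory=list)  # three trailing flags, meaning undocumented
    complete: bool = True       # False when the sample ends mid-rule (page truncation)


@dataclass
class ArkeiConfig:
    header: List[str]
    rules: List[GrabberRule]


def decode_config(b64: str) -> str:
    """Base64-decode a config string to text (the same step as CyberChef 'From Base64')."""
    return base64.b64decode(b64).decode("latin-1")


def parse_config(text: str) -> ArkeiConfig:
    """Split the pipe-delimited text into the header flags and grabber rules."""
    fields = text.split("|")
    if fields and fields[-1] == "":          # a trailing '|' leaves one empty element
        fields.pop()
    header, body = fields[:HEADER_FIELDS], fields[HEADER_FIELDS:]
    rules: List[GrabberRule] = []
    for i in range(0, len(body), RULE_FIELDS):
        chunk = body[i:i + RULE_FIELDS]
        complete = len(chunk) == RULE_FIELDS
        chunk = chunk + [None] * (RULE_FIELDS - len(chunk))   # pad a truncated rule
        name, number, path, masks, *flags = chunk
        rules.append(GrabberRule(
            name=name or "",
            number=number or "",
            path=path or "",
            masks=[m for m in (masks or "").split(",") if m],
            flags=flags,
            complete=complete,
        ))
    return ArkeiConfig(header=header, rules=rules)


def matches(rule: GrabberRule, filename: str) -> bool:
    """True if a file name would be picked up by any mask of the rule.

    Masks are treated as case-insensitive shell wildcards (assumption)."""
    return any(fnmatch.fnmatchcase(filename.lower(), m.lower()) for m in rule.masks)


if __name__ == "__main__":
    for b64 in SAMPLE_CONFIGS:
        cfg = parse_config(decode_config(b64))
        print("header:", cfg.header)
        for r in cfg.rules:
            state = "" if r.complete else " (truncated on the page)"
            print(f"  {r.name}: {r.path} -> {', '.join(r.masks)}{state}")
```

Running the script prints each configuration's header flags and, per rule, the directory and masks the grabber would sweep; the Crypto rule, for instance, collects anything under %USERPROFILE% whose name contains 2fa, token, seed, bitcoin, btc or eth, which is the MFA and wallet targeting the keypoints describe.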
BlackBerry Assistance
If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment