Threat actors ride the hype for newly released Arc browser – ThreatDown by Malwarebytes

Threat actors exploited the hype around the newly released Arc browser with a malvertising campaign that delivers a multi-stage Windows payload disguised as an Arc installer. The operation uses the MEGA cloud platform as its command-and-control channel, hides code inside a fake PNG image, and drops a bootstrap loader and JRWeb.exe, with further payloads downloaded from theflyingpeckerheads[.]com and other domains.
Hashtags: #ArcBrowser #JRWebExe #theflyingpeckerheads #MEGA #Arc

Keypoints

  • A malvertising campaign impersonates Arc to drive users from Google search ads to attacker-controlled sites.
  • The threat actor impersonates the Arc brand and registers look-alike domains to which victims are redirected.
  • The malware is packaged as Arc for Windows but delivers a rogue installer and a chain of additional components.
  • Arc.exe uses the MEGA cloud platform as its command-and-control server, first authenticating with a disposable email account.
  • The multi-stage delivery chain includes bootstrap.exe, a fake PNG that hides malicious code, and JRWeb.exe dropped on disk.
  • Code is injected into MSBuild.exe by way of a legitimate Python executable, a process injection technique.
  • Delivery artifacts (domains, file hashes, and the C2 IP) are listed as indicators for detection and response.

MITRE Techniques

  • [T1189] Drive-by Compromise –
    “we saw a new malvertising campaign using Google search ads for Arc”
  • [T1036] Masquerading –
    “Threat actor immediately impersonates Arc brand” and “The threat actor already registered domain names that victims will be redirected to.”
  • [T1071.001] Web Protocols –
    “Arc.exe contacts the cloud platform MEGA via its developer’s API.”
  • [T1105] Ingress Tool Transfer –
    “a remote site to download the next stage payload: theflyingpeckerheads[.]com/bootstrap.exe”
  • [T1027] Obfuscated Files and Information –
    “a series of queries and responses that are encoded, presumably with the user data.”
  • [T1055] Process Injection –
    “that uses a legitimate Python executable to inject code into MSBuild.exe.”
  • [T1027.003] Steganography –
    “a fake PNG image that hides malicious code.”
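A "fake PNG" stage like the one above is caught by checking the file's structure, not its extension or content-type. The following is an added example (Python; not code from the ThreatDown post) that walks the PNG chunk list, verifies each chunk CRC and reports any bytes that follow IEND. The sample blobs at the bottom are constructed stand-ins, not the real 924011449.png served by the campaign.

```python
"""Triage a blob that claims to be a PNG by walking its chunk structure.

Added example for this write-up; it is not code from the ThreatDown post.
The sample blobs at the bottom are constructed stand-ins, not the real
924011449.png served by the campaign.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def classify_png(blob: bytes) -> dict:
    """Return {'verdict', 'reasons', 'trailing'} for `blob`.

    verdict is 'not_png' (no signature), 'clean' (well-formed, nothing after
    IEND) or 'suspicious' (structural errors and/or trailing data).
    """
    if not blob.startswith(PNG_SIG):
        return {"verdict": "not_png", "reasons": ["missing PNG signature"],
                "trailing": len(blob)}
    reasons, seen, end_pos = [], [], None
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            # A PE stub glued behind a PNG signature lands here: the first
            # "length" field is really 'MZ..' and is absurdly large.
            reasons.append(f"chunk {ctype!r} at offset {pos} overruns the file")
            break
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            reasons.append(f"bad CRC on chunk {ctype!r} at offset {pos}")
        seen.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            end_pos = pos
            break
    if not seen or seen[0] != b"IHDR":
        reasons.append("first chunk is not IHDR")
    trailing = 0
    if end_pos is None:
        reasons.append("no IEND chunk")
    else:
        trailing = len(blob) - end_pos
        if trailing:
            # Real images end at IEND; a payload appended after it is the
            # classic "image that hides code" layout.
            reasons.append(f"{trailing} bytes of data after IEND")
    return {"verdict": "clean" if not reasons else "suspicious",
            "reasons": reasons, "trailing": trailing}


def build_minimal_png() -> bytes:
    """Construct a valid 1x1 8-bit grayscale PNG so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel sample
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


# Constructed stand-ins for what a stager might serve as "an image".
FAKE_PNG_PE = PNG_SIG + b"MZ\x90\x00" + b"\x00" * 60                    # PNG magic on a PE-like stub
FAKE_PNG_APPENDED = build_minimal_png() + b"MZ" + b"payload-bytes" * 8  # real image + trailer

if __name__ == "__main__":
    for name, blob in [("minimal", build_minimal_png()),
                       ("pe_stub", FAKE_PNG_PE),
                       ("appended", FAKE_PNG_APPENDED)]:
        print(name, classify_png(blob))
```

The check deliberately stops at the first structural error rather than trying to recover: for triage, any one of "overruns the file", "bad CRC" or "data after IEND" is enough to pull the file for manual analysis, and a decoder that tolerates broken chunks is exactly what the attacker relies on.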

Indicators of Compromise

  • [Domain] decoy sites – ailrc[.]net, aircl[.]net
  • [Domain] malicious Arc installer and related domains – theflyingpeckerheads[.]com, revomedia[.]com
  • [File] Malicious installers – ArcBrowser.exe, 3e22ed74158db153b5590bfa661b835adb89f28a8f3a814d577958b9225e5ec1
  • [URL] Bootstrap and payload delivery – theflyingpeckerheads[.]com/bootstrap.exe, theflyingpeckerheads[.]com/924011449.png, 018dba31beac15518027f6788d72c03f9c9b55e0abcd5a96812740bcbc699304
  • [File] Final payload – JRWeb.exe, 6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
  • [IP] C2 server – 185.156.72[.]56
  • [Paste] C2 or config data – https://textbin[.]net/raw/it4ooicdbv
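To turn the list above into a hunt, the following added example (Python; not code from the ThreatDown post) refangs the defanged indicators and matches them against log lines, treating subdomains of a listed domain as hits. The indicator values are the ones listed on this page; the log lines and their format are constructed for the example.

```python
"""Match the page's indicators against log lines.

Added example for this write-up, not code from the ThreatDown post. The
indicator values are the ones listed above; the log lines and their format
are constructed for the example.
"""
import re

IOC_DOMAINS = ["ailrc[.]net", "aircl[.]net", "theflyingpeckerheads[.]com", "revomedia[.]com"]
IOC_IPS = ["185.156.72[.]56"]
IOC_SHA256 = [
    "3e22ed74158db153b5590bfa661b835adb89f28a8f3a814d577958b9225e5ec1",
    "018dba31beac15518027f6788d72c03f9c9b55e0abcd5a96812740bcbc699304",
    "6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf",
]


def refang(ioc: str) -> str:
    """Undo analyst-safe notation: '[.]' -> '.', 'hxxp' -> 'http', lower-case."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def match_iocs(log_lines):
    """Return (line_no, kind, value) tuples for every indicator hit.

    Domains match on the name itself or any subdomain of it; IPs and hashes
    match exactly. Lines are lower-cased first so the regexes need no flags.
    """
    domains = {refang(d) for d in IOC_DOMAINS}
    ips = {refang(i) for i in IOC_IPS}
    hashes = {h.lower() for h in IOC_SHA256}
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for host in HOST_RE.findall(low):
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((n, "domain", host))
        for ip in IPV4_RE.findall(low):
            if ip in ips:
                hits.append((n, "ip", ip))
        for h in SHA256_RE.findall(low):
            if h in hashes:
                hits.append((n, "sha256", h))
    return hits


# Constructed log lines (DNS, proxy, EDR, firewall); not real telemetry.
SAMPLE_LOGS = [
    "2024-05-21T10:02:11Z dns client=10.0.0.15 query=www.theflyingpeckerheads.com type=A",
    "2024-05-21T10:02:12Z proxy client=10.0.0.15 GET https://theflyingpeckerheads.com/bootstrap.exe 200",
    "2024-05-21T10:02:40Z edr host=WS-015 image=C:\\Users\\u\\AppData\\Local\\Temp\\JRWeb.exe "
    "sha256=6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf",
    "2024-05-21T10:03:05Z fw src=10.0.0.15 dst=185.156.72.56 dport=443 action=allow",
    "2024-05-21T10:03:30Z proxy client=10.0.0.22 GET https://arc.net/download 200",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

Matching on the hostname rather than on a substring of the whole line avoids false positives from paths and file names (bootstrap.exe, JRWeb.exe in the EDR line look like hostnames to a naive regex but are not in the domain set), and the subdomain rule catches www. or CDN-style prefixes the actor can add without registering anything new.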

Read more: https://www.threatdown.com/blog/threat-actors-ride-the-hype-for-newly-released-arc-browser/