Trade with caution – bad guys are stealing

ThreatLabz uncovered a campaign where threat actors use a backdoored TradingView Desktop installer to drop SmokeLoader, which then retrieves ArkeiStealer. The operation combines a fake TradingView domain, a Windows Installer masquerade, and dynamic config to harvest browser and wallet data while communicating with a SmokeLoader C2. #ArkeiStealer #SmokeLoader #TradingView #MineBridgeRAT

Keypoints

  • ArkeiStealer is distributed through MaaS-style information stealers and is actively updated with various initial attack vectors.
  • The campaign uses a Windows Installer masquerading as TradingView Desktop, backdoored with SmokeLoader to drop ArkeiStealer.
  • A look-alike TradingView domain (tradingview.business) and a fake TradingView download site are used to lure victims.
  • Threat actors registered a look-alike domain ahead of the legitimate TradingView release and relied on quick deployment.
  • The backdoored installer beacons to a SmokeLoader C2 at 85.208.136.162; the associated domain has a low reputation and newly-registered-domain indicators.
  • ArkeiStealer payloads are downloaded from multiple URLs and install DLLs to read data from browsers and wallets.
  • The attack chain starts with a DuckDuckGo search for TradingView that leads to the backdoored Windows app, followed by SmokeLoader C2 traffic and ArkeiStealer data exfiltration.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Benign Windows process is dropping new PE files.
  • [T1574.002] DLL Side-Loading – Tries to load missing DLLs.
  • [T1055] Privilege Escalation – Injects code into the Windows Explorer.
  • [T1036] Defense Evasion – Creates files inside the user directory.
  • [T1070.004] File Deletion – Deletes itself after installation.
  • [T1497] Virtualization/Sandbox Evasion – Checks for kernel code integrity.
  • [T1564.001] Hidden Files and Directories – Hides that the sample has been downloaded from the Internet.
  • [T1010] Discovery – Application Window Discovery.
  • [T1057] Process Discovery – Verifies the name of the parent process.
  • [T1082] System Information Discovery – Gathers system OS version info.
  • [T1518.001] Security Software Discovery – Checks if the current machine is a virtual machine; checks if the current process is being debugged.
  • [T1071] Application Layer Protocol: Web Protocol – Posts data to web server; C2 URLs/IPs found in malware configuration.
  • [T1095] Non-Application Layer Protocol – Tries to download or post to a non-existing HTTP route.
  • [T1105] Ingress Tool Transfer – Some HTTP requests failed with 404, as part of the communication protocol.

Indicators of Compromise

  • [IP] C2 and related infrastructure – 85.208.136.162, 95.217.31.208
  • [Domain] Look-alike and distribution domains – tradingview.business, sxvlww.am.files.1drv.com
  • [URL] Fake TradingView download URL – hxxps://tradingview[.]business/download.php
  • [URL] ArkeiStealer payload distribution URLs – 212[.]8[.]246[.]70/builds/still[.]exe, 212[.]8[.]246[.]70/builds/installer[.]exe, 212[.]8[.]246[.]70/builds/bot[.]exe
  • [URL] Fake TradingView application download path (served from the 1drv.com host above) – tradingvlev_x32_x64bit.zip?download&psid=1
  • [File name] Fake TradingView Desktop Application – TradingVlev_x32_x64bit.exe, TradingVlev_x32_x64bit.zip
  • [MD5] 467d42eca35c0571c30d3f20700d9dff, fc99ea424df48f2b661219b71f33b979
  • [SHA1] e26512838e6ffb8af84743ae37821694cd380003, 1a70718eefa2aef42f4b09577aea7b43ff874e02
  • [SHA256] 9abdfcea109db4763065fee6d3e87299f03f57dba0307c67ad10cd86f0f2acf3, f4c166dddefd29eb457d0a7b426928b1123626c6c1568bc998440dac72a816b7
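As an added example (not code from the Zscaler write-up), a small detector that maps proxy log lines onto the stages of the chain summarised above (look-alike lure, SmokeLoader C2 beacon, ArkeiStealer payload fetch) using the indicators listed, and alerts only when one host touches several stages in turn rather than on a single indicator hit. The log format, the workstation names and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
# Indicators quoted from the summary above (defanged brackets removed for matching).
LOOKALIKE_DOMAINS = {"tradingview.business"}
SMOKELOADER_C2_IPS = {"85.208.136.162", "95.217.31.208"}
PAYLOAD_HOST = "212.8.246.70"
FAKE_FILENAMES = {"tradingvlev_x32_x64bit.exe", "tradingvlev_x32_x64bit.zip"}
# Constructed proxy log (not a real capture): "<time> <src_host> <method> <url> <status>"
SAMPLE_LOG = """\
10:01:02 WS-17 GET https://duckduckgo.com/?q=tradingview+desktop 200
10:01:40 WS-17 GET https://tradingview.business/download.php 200
10:01:41 WS-17 GET https://sxvlww.am.files.1drv.com/tradingvlev_x32_x64bit.zip?download&psid=1 200
10:03:15 WS-17 POST http://85.208.136.162/ 404
10:03:16 WS-17 GET http://212.8.246.70/builds/still.exe 200
10:05:00 WS-22 GET https://www.tradingview.com/desktop/ 200
10:06:10 WS-31 POST http://85.208.136.162/ 404
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def stage_of(method, url):
    """Map one request to a stage of the chain described above, or None."""
    m = re.match(r"https?://([^/:?]+)([^?]*)", url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2).lower()
    if host in LOOKALIKE_DOMAINS or path.rsplit("/", 1)[-1] in FAKE_FILENAMES:
        return "lure"
    if host in SMOKELOADER_C2_IPS and method == "POST":
        return "c2_beacon"  # the summary notes 404s on these POSTs are part of the protocol
    if host == PAYLOAD_HOST and path.startswith("/builds/"):
        return "payload_fetch"
    return None

def correlate(log_text):
    """Return {src_host: [stages, in first-seen order]} for hosts hitting any stage."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, src, method, url, _ = m.groups()
        stage = stage_of(method, url)
        if stage and stage not in seen[src]:
            seen[src].append(stage)
    return dict(seen)

def alerts(log_text, min_stages=2):
    """Hosts covering at least min_stages of the chain; a sequence beats a lone indicator hit."""
    return {src: st for src, st in correlate(log_text).items() if len(st) >= min_stages}
```

Hosts that only hit a single stage (WS-31 above, one beacon-shaped POST) are still worth a look, but the multi-stage hosts are the ones to triage first.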

Read more: https://www.zscaler.com/blog/security-research/trade-with-caution