G DATA
A new, rapidly evolving threat has entered the crowded landscape of malware-as-a-service. Researchers at G DATA have uncovered “Arkanix,” an information stealer that has quickly graduated from a basic Python script to a sophisticated C++ threat capable of bypassing modern browser security defenses.
The barrier to entry for cybercriminals continues to lower. According to the report, “The cyber security community has seen a constant surge of information stealers in the past few years.” Arkanix appears to fit a specific profile within this ecosystem: malware “designed for quick profit”, aimed at actors seeking “short-term quick financial gains.”
What makes Arkanix notable is its development speed. While the malware is “fairly older than a month”, it has already undergone a significant transformation.
The initial version was Python-based, packaged using Nuitka, a compiler that allows the malware to “generate a self-contained executable which can run without the need for installing additional files.” This version acts as a loader, fetching the actual malicious code from a remote server (hxxps[://]arkanix[.]pw/stealer.py) and running it from memory.
However, the developers have recently introduced a “Premium” version implemented in C++. This native version utilizes VMProtect for obfuscation and introduces advanced capabilities missing from the Python variant.
The most alarming feature of the Arkanix C++ build is its ability to defeat App-Bound Encryption (ABE), a security feature introduced in Chrome version 127 to prevent data theft by binding encrypted data to specific application identities.
To circumvent this, Arkanix employs a post-exploitation tool dubbed ‘Chrome Elevator.’ The report explains that this tool “uses process injection to inject a binary into the Chrome process and lets the injected code dump Chrome data by running in the context of the browser and thereby bypassing the ABE hurdle.”
Whether using the Python or C++ version, the goal of Arkanix remains the same: total information extraction. The malware targets a vast array of sensitive user data:
- Browsers & Wallets: It collects data from Chromium-based browsers (Edge, Chrome, Opera) and crypto-extensions like “Exodus Web3, MetaMask, Binance, Oxygen, etc.”
- System & Network: It scrapes system hardware specs and dumps Wi-Fi profiles to steal “Clear text Wi-Fi passwords.”
- Gaming & VPNs: Premium options include stealing “VPN accounts, Steam accounts, screenshots,” and Wi-Fi credentials.
- Self-Spreading: The Python version includes a feature to spam Discord contacts, though this “Discord self-spreading functionality is missing” in the C++ binary.
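The three behaviours described above (the Python loader contacting its staging domain, the ‘Chrome Elevator’ injection into the browser process, and the Wi-Fi profile dump) each leave an endpoint telemetry trail. The following is an added detection sketch, not code from the G DATA report or from Arkanix: it scans Sysmon-style events for those traces. The field names (EventID, Image, CommandLine, ParentImage, QueryName, SourceImage, TargetImage) mirror Sysmon’s event IDs 1, 8 and 22; the sample events and the paths in them are constructed for the demonstration, and the staging domain is the one quoted in the article with the defanging removed.

```python
"""Detection sketch for the Arkanix behaviours described in the article
(added example, not the report's or the malware author's code).

Rules, over Sysmon-style events:
  1. Event ID 22 (DNS query) for the loader's staging domain arkanix.pw.
  2. Event ID 8 (CreateRemoteThread) whose target is a Chromium browser
     process and whose source is a different image (the ABE-bypass pattern).
  3. Event ID 1 (process creation) running 'netsh wlan ... key=clear',
     the usual way to read stored Wi-Fi passwords in clear text.
"""
import json
import re

# Constructed sample events as JSON lines, modelled on Sysmon field names.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh wlan show profile name=\"Home\" key=clear", "ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh interface show interface", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 8, "SourceImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 22, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "QueryName": "arkanix.pw"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "example.org"}
"""

# Staging domain named in the report (hxxps[://]arkanix[.]pw/stealer.py), defanged there.
STAGING_DOMAINS = {"arkanix.pw"}
# Chromium browsers the report lists as targets.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe"}
# 'netsh wlan show profile ... key=clear' reveals stored Wi-Fi passwords.
WIFI_DUMP_RE = re.compile(r"netsh\s+wlan\s+.*key\s*=\s*clear", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a rule tag for a suspicious event, or None."""
    eid = ev.get("EventID")
    if eid == 22 and ev.get("QueryName", "").lower().rstrip(".") in STAGING_DOMAINS:
        return "loader_staging_dns"
    if eid == 8:
        src = basename(ev.get("SourceImage", ""))
        dst = basename(ev.get("TargetImage", ""))
        # Chrome creates threads in its own helper processes; only flag a
        # foreign image creating a thread inside the browser.
        if dst in BROWSER_IMAGES and src != dst:
            return "remote_thread_into_browser"
    if eid == 1 and WIFI_DUMP_RE.search(ev.get("CommandLine", "")):
        return "wifi_profile_dump"
    return None


def scan(jsonl_text):
    """Scan JSON-lines events; return (tag, event) pairs in input order."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tag = check_event(ev)
        if tag:
            hits.append((tag, ev))
    return hits


if __name__ == "__main__":
    for tag, ev in scan(SAMPLE_EVENTS):
        print(f"[{tag}] EventID={ev['EventID']} {ev.get('Image') or ev.get('SourceImage')}")
```

Against the constructed sample, the three Arkanix-related events are flagged and the three benign ones (a plain netsh interface listing, Chrome threading into its own process, an ordinary DNS lookup) are not. In a real deployment the same logic would run over a SIEM feed rather than an inline string, and the domain list would be maintained from threat intelligence rather than hard-coded.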
The malware is aggressively advertised and distributed on Discord, often masquerading as “legitimate tools”. Access to the malware’s configuration web panel is gatekept, as “creating accounts for the web panel requires an invite code, which is obtained through a Discord chat.”