Stealing capabilities
The malware collects information from a variety of Chromium-based browsers (Edge, Chrome, Opera, Vivaldi, Yandex and others) as well as Tor. It also collects data from a long list of browser extensions, most of them crypto wallet related; examples include ExodusWeb3, MetaMask, Binance and Oxygen.
Wallet data from Exodus, Electrum, Ethereum and a few other wallets is also stolen. The stealer searches the Desktop, Documents and Downloads folders for files that have pre-configured extensions and contain certain keywords in their names. Files found this way are uploaded to the malicious server asynchronously while the rest of the stealing activity continues. An additional payload is fetched for collecting Chrome data. Discord tokens are stolen and, if self-spreading is enabled, the malware sends itself to the victim's contacts and to various channels.
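To see what such a file search actually picks up on a host, the following added example (not code from the original article or from the malware) reimplements the selection logic the paragraph describes: walk Desktop, Documents and Downloads and select files whose extension is in a configured set and whose name contains a configured keyword. The extension and keyword lists are assumptions, since the article does not publish the stealer's configuration, and the user profile it scans is a constructed temporary directory, so the script can be run offline to audit how much a real profile would expose.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical stealer configuration. The article says extensions and keywords
# are pre-configured but does not list them, so these values are assumptions.
TARGET_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".json", ".dat"}
TARGET_KEYWORDS = {"password", "wallet", "seed", "secret", "backup", "2fa"}
TARGET_FOLDERS = ("Desktop", "Documents", "Downloads")


def is_targeted(path, extensions=TARGET_EXTENSIONS, keywords=TARGET_KEYWORDS):
    """A file is selected only when BOTH conditions hold: its extension is in the
    configured set and its name (without the extension) contains a keyword.
    Matching is case-insensitive, as a stealer would do on Windows."""
    p = Path(path)
    if p.suffix.lower() not in extensions:
        return False
    stem = p.stem.lower()
    return any(k in stem for k in keywords)


def find_targeted_files(user_profile, folders=TARGET_FOLDERS,
                        extensions=TARGET_EXTENSIONS, keywords=TARGET_KEYWORDS):
    """Recursively walk the configured folders under a user profile and return
    the files the stealer would collect, sorted for deterministic output."""
    user_profile = Path(user_profile)
    hits = []
    for folder in folders:
        root = user_profile / folder
        if not root.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                candidate = Path(dirpath) / name
                if is_targeted(candidate, extensions, keywords):
                    hits.append(candidate)
    return sorted(hits)


def build_sample_profile():
    """Constructed sample user profile for an offline run (not real victim data)."""
    base = Path(tempfile.mkdtemp(prefix="profile_"))
    files = [
        "Desktop/passwords.txt",                 # extension + keyword -> selected
        "Desktop/holiday.jpg",                   # wrong extension -> ignored
        "Documents/notes.txt",                   # no keyword -> ignored
        "Documents/crypto/wallet_backup.json",   # nested folder -> selected
        "Downloads/Seed-Phrase.docx",            # mixed case -> selected
        "Pictures/password.txt",                 # folder not searched -> ignored
    ]
    for rel in files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
    return base


def audit_exposure(user_profile):
    """Profile-relative paths (with '/' separators) of everything that would be
    exfiltrated from this profile by the described file search."""
    user_profile = Path(user_profile)
    return [
        str(p.relative_to(user_profile)).replace(os.sep, "/")
        for p in find_targeted_files(user_profile)
    ]


if __name__ == "__main__":
    profile = build_sample_profile()
    for rel in audit_exposure(profile):
        print("would be stolen:", rel)
```

Pointing `audit_exposure` at a real profile (for example `Path.home()`) with the organisation's own guess at the keyword list is a cheap way to check whether seed phrases or password exports are sitting in exactly the folders the stealer targets.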
System information collected includes the operating system version, CPU and GPU information, memory capacity, screen resolution, keyboard layout, time zone and installed antivirus software. Browser history, autofill data and stored credit card information are collected. Wi-Fi profiles are dumped with the 'netsh wlan show profiles' command, and the clear-text Wi-Fi password of each profile is then retrieved by running 'netsh wlan show profile name=<profile> key=clear' for every profile listed. VPN data from Mullvad, NordVPN, ExpressVPN and ProtonVPN is collected. The collected files and data are submitted to the malicious server via the route hxxps[:]//arkanix[.]pw/delivery. Additionally, an extra collector payload is fetched from the remote server and executed. The malicious server was not available at the time of writing, so the additional payloads could not be fetched for analysis.
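The Wi-Fi dump is the most detectable step in this list, because it leaves a distinctive pair of process-creation events: one 'netsh wlan show profiles' enumeration followed by a burst of 'netsh wlan show profile ... key=clear' calls from the same parent. The following added example (not code from the article or from the malware) runs that detection logic over constructed process-creation records in the shape of Sysmon Event ID 1 fields flattened to dictionaries; the parent paths and profile names in `SAMPLE_EVENTS` are invented for the demonstration.

```python
import re
from collections import OrderedDict

# Constructed sample process-creation events (not real telemetry). 'parent' is
# the parent image path, 'cmd' the command line of the new process.
SAMPLE_EVENTS = [
    {"pid": 4112, "parent": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmd": "netsh wlan show profiles"},
    {"pid": 4120, "parent": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmd": 'netsh wlan show profile name="HomeWifi" key=clear'},
    {"pid": 4131, "parent": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmd": 'NETSH.EXE WLAN SHOW PROFILE NAME="Office" KEY=CLEAR'},
    {"pid": 5000, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "netsh interface show interface"},            # unrelated netsh use
    {"pid": 5010, "parent": r"C:\Windows\explorer.exe",
     "cmd": 'netsh wlan show profile name="HomeWifi"'},   # no key=clear: benign query
]

NETSH_NAMES = {"netsh", "netsh.exe"}
WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
PROFILE_NAME_RE = re.compile(r'\bname\s*=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _image_name(cmd):
    """Lower-cased basename of the first token, so a full path, 'NETSH' and
    'netsh.exe' are all treated alike."""
    first = cmd.strip().split(None, 1)[0].strip('"')
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return 'wifi_password_dump', 'wifi_profile_enum' or 'benign' for one event."""
    cmd = event["cmd"]
    if not cmd.strip() or _image_name(cmd) not in NETSH_NAMES:
        return "benign"
    if WLAN_PROFILE_RE.search(cmd) and KEY_CLEAR_RE.search(cmd):
        return "wifi_password_dump"
    if WLAN_PROFILE_RE.search(cmd):
        return "wifi_profile_enum"
    return "benign"


def profile_name(cmd):
    """Profile name from a 'name=...' argument, quoted or bare, or None."""
    m = PROFILE_NAME_RE.search(cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events):
    """Group netsh wlan activity by parent process and raise one alert per parent
    that dumped at least one clear-text key. Enumeration alone is recorded in
    the alert but never alerts by itself, which keeps normal admin queries quiet."""
    by_parent = OrderedDict()
    for ev in events:
        kind = classify(ev)
        if kind == "benign":
            continue
        state = by_parent.setdefault(
            ev["parent"], {"enumerated": False, "dumped_profiles": []})
        if kind == "wifi_profile_enum":
            state["enumerated"] = True
        else:
            state["dumped_profiles"].append(profile_name(ev["cmd"]) or "<unknown>")
    return [
        {"parent": parent, **state}
        for parent, state in by_parent.items()
        if state["dumped_profiles"]
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("Wi-Fi password dump by", alert["parent"],
              "profiles:", ", ".join(alert["dumped_profiles"]))
```

In a real pipeline the same grouping would be done within a short time window per parent process rather than over a whole batch, and the parent image path (a supposed svchost.exe running from a user-writable directory, as in the sample) is worth surfacing in the alert, since the legitimate binary lives under System32.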

