Detection Content: Arkei Stealer

Arkei Stealer is an infostealer whose functionality is similar to that of Azorult: it steals sensitive information, credentials, and private keys to cryptocurrency wallets. The malware is sold on underground forums, and anyone can acquire and use both the “legitimate” version and the cracked version of Arkei Stealer, which makes attribution of attacks difficult.

The most widely reported attack involving this infostealer was the 2018 compromise of a Syscoin cryptocurrency developer's GitHub account and of the project's official repository: the attackers replaced the official Windows client published on GitHub with a malicious build containing Arkei Stealer, and the substitution went unnoticed for several days. In 2019 the malware was actively spread via botnets, and more recently it was reported that Spamhaus Botnet continues to distribute the latest versions of the infostealer.

New samples appear regularly. Based on a recently discovered sample, Threat Bounty Program participant Lee Archinal developed detection content to uncover the presence of this threat on Windows systems: https://tdm.socprime.com/tdm/info/7uHa99YPouCi/3Oz7uHMBQAH5UgbBuMmh/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Credential Access, Discovery

Techniques: Command-Line Interface (T1059), Credential Dumping (T1003), Query Registry (T1012)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.