BlackBerry Blog

Arkei Infostealer: Defeated in Milliseconds by a 2015 BlackBerry Solution

Arkei Infostealer has upped its game. While cryptocurrency remains its primary target, new analysis reveals this flexible and stealthy infostealer has recently expanded its capabilities to also target Chrome-based browser extensions related to two-factor authentication (2FA) and multifactor authentication (MFA), as well as password management. This increases its risk to both corporate and private environments.

Arkei, often sold and distributed as Malware-as-a-Service (MaaS), targets users of the Windows® operating system. SmokeLoader has repeatedly been observed as the deployment mechanism for Arkei, and BlackBerry researchers are watching to see whether this becomes a trend among the threat actors that use the infostealer.

Arkei is driven by a configuration file. This gives the malware more versatility, because threat actors can customize its capabilities and change infection tactics without touching the code. Depending on which options are enabled in the file, the malware can steal saved password details, raid saved auto-complete form data, collect browser and extension data, pilfer saved credit card details and browser cookies, or do any combination of these, among other things.

Organizations typically affected:

  • Government
  • Commercial and professional service providers (legal, consulting, and healthcare)
  • Manufacturers of consumer durables (vehicles, computers, and televisions)
  • Organizations in the apparel industry
  • Telecommunication service providers
  • Organizations in the insurance industry

Arkei’s developers have also built in a routine that downloads legitimate files as the malware executes its attack. These files are often extremely common on corporate networks and devices. There are several possible reasons for including legitimate files, but one is that they act as camouflage for the attack; the presence of benign files alongside the payload should therefore not be taken as evidence that the activity is harmless.

Arkei first locates popular browsers, including Google Chrome™ and Firefox™, and then scrapes their data for exfiltration. One of Arkei’s more notable functions is its ability to steal data, such as cryptocurrency wallet information, from Google Chrome browser extensions. The infostealer also targets specific crypto wallets stored locally on the victim’s device, using a routine similar to one researchers observed in the BHunt malware.
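A defender who wants to know which of the extension types named above (2FA, password management, wallets) are present on a Chrome profile can enumerate them directly from disk. The script below is an added example and is not BlackBerry's code or part of Arkei; it assumes the standard Chrome profile layout (<User Data>/<Profile>/Extensions/<32-character id>/<version>/manifest.json), resolves the localized "__MSG_…__" name placeholder that many extensions use, and flags extensions by an illustrative keyword list (WATCH_KEYWORDS) that you would replace with your own inventory of approved extensions. The sample profile it builds in a temporary directory is constructed for the demonstration, with made-up extension IDs.

```python
"""Inventory Chrome extensions on a profile and flag 2FA/password/wallet
extensions (added example; not from the blog post or from Arkei)."""
import json
import os
import tempfile
from pathlib import Path

# Illustrative heuristic only (assumption): substrings of extension names
# that suggest 2FA, password-manager or wallet functionality.
WATCH_KEYWORDS = ("authenticator", "password", "wallet", "2fa")


def _resolve_msg(ext_dir: Path, manifest: dict, value: str) -> str:
    """Resolve a "__MSG_key__" placeholder via _locales/<locale>/messages.json."""
    if not (value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[len("__MSG_"):-2]
    locale = manifest.get("default_locale", "en")
    for loc in (locale, "en", "en_US"):
        msg_file = ext_dir / "_locales" / loc / "messages.json"
        if msg_file.is_file():
            msgs = json.loads(msg_file.read_text(encoding="utf-8-sig"))
            entry = msgs.get(key)
            if isinstance(entry, dict) and "message" in entry:
                return entry["message"]
    return value  # unresolved placeholder is returned as-is


def list_extensions(profile_dir) -> list:
    """Return [{"id", "version", "name"}] for every unpacked extension version."""
    ext_root = Path(profile_dir) / "Extensions"
    found = []
    if not ext_root.is_dir():
        return found
    for ext_id_dir in sorted(ext_root.iterdir()):
        # Chrome extension IDs are 32 lowercase letters a-p.
        if not ext_id_dir.is_dir() or len(ext_id_dir.name) != 32:
            continue
        for ver_dir in sorted(ext_id_dir.iterdir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            name = _resolve_msg(ver_dir, manifest, manifest.get("name", ""))
            found.append({"id": ext_id_dir.name,
                          "version": manifest.get("version", ver_dir.name),
                          "name": name})
    return found


def flag_sensitive(extensions: list) -> list:
    """Keep only extensions whose name matches one of WATCH_KEYWORDS."""
    return [e for e in extensions
            if any(k in e["name"].lower() for k in WATCH_KEYWORDS)]


def default_profile_dir() -> Path:
    """Default Chrome profile on Windows (assumes %LOCALAPPDATA% is set)."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default"


def _write_ext(root: Path, ext_id: str, version: str, manifest: dict, messages=None):
    ver_dir = root / "Extensions" / ext_id / version
    ver_dir.mkdir(parents=True)
    (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    if messages is not None:
        loc_dir = ver_dir / "_locales" / manifest.get("default_locale", "en")
        loc_dir.mkdir(parents=True)
        (loc_dir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")


def demo():
    """Build a constructed sample profile in a temp dir and run the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample extensions; the IDs are made up for this example.
        _write_ext(root, "abcdefghijklmnopabcdefghijklmnop", "1.2.0",
                   {"name": "Sample Wallet Helper", "version": "1.2.0"})
        _write_ext(root, "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh", "0.9.1",
                   {"name": "Tab Organizer", "version": "0.9.1"})
        _write_ext(root, "ponmlkjihgfedcbaponmlkjihgfedcba", "3.0.4",
                   {"name": "__MSG_appName__", "version": "3.0.4", "default_locale": "en"},
                   messages={"appName": {"message": "Demo Authenticator"}})
        exts = list_extensions(root)
        return exts, flag_sensitive(exts)


if __name__ == "__main__":
    all_exts, flagged = demo()
    for e in all_exts:
        print(("FLAG " if e in flagged else "     ") + f"{e['id']} {e['version']} {e['name']}")
```

Run it against a real machine with list_extensions(default_profile_dir()); the flagged list is a starting point for deciding which users would lose 2FA or vault data if a stealer like Arkei ran under their account.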

BlackBerry classifies Arkei Infostealer as a potential medium impact and medium risk level threat to network security.

BlackBerry AI Stops Arkei Infostealer

Watch our demo video to see how a known and newly created variant of Arkei Infostealer are defeated by the BlackBerry® Endpoint Protection Platform (EPP) solution, CylancePROTECT®.

DEMO VIDEO: BlackBerry vs. Arkei Infostealer
 
Figure 1 – A known Arkei strain as well as a newly created sample attempt to infect the test system.
 
Figure 2 – Both the known Arkei sample and the new sample are stopped by CylancePROTECT in milliseconds – and before they can execute.
 

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. 

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 
 

Transcript

In this quick demonstration, we are going to test our temporal predictive advantage against Arkei Infostealer.

Here we have a known sample of this threat as well as a newly created Arkei payload.

On this test system, we have a Cylance® AI engine from October 2015, no operating system updates since 2016, and no internet connectivity.

Let’s try to execute our first, known Arkei sample. CylancePROTECT® stops Arkei in milliseconds and before it can execute.

Now, let’s try the brand-new sample. As we can see, the result is the same.

Prevention is Possible, with BlackBerry.

David Steinberg-Zwirek

About David Steinberg-Zwirek

David Steinberg-Zwirek is an Editorial Intern at BlackBerry.


Hector Diaz

About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.