Cybersecurity researchers have identified a significant evolution in the ACRStealer information-stealing malware, which has been actively distributed since early 2024, featuring enhanced evasion techniques and sophisticated command-and-control (C2) communication methods.
The malware utilizes Google Docs and Steam as C2 infrastructure through a Dead Drop Resolver (DDR) technique, making detection considerably more challenging for security systems.
Advanced Evasion Techniques Implemented
The modified ACRStealer variant utilizes the Heaven’s Gate technique to execute 64-bit code within WoW64 processes, thereby effectively disrupting detection and analysis efforts.
This approach is effective at evading security monitoring tools, though it restricts the malware to systems with 64-bit processors.
The malware authors have implemented sophisticated network communication, bypassing traditional library-based monitoring by directly interfacing with the AFD driver using low-level NT functions such as NtCreateFile and NtDeviceIoControlFile.
Rather than utilizing standard libraries like WinHTTP and Winsock, the threat actors manually assemble HTTP structures for C2 communication, likely inspired by the open-source “NTSockets” project.
This implementation allows attackers to circumvent library-based network monitoring solutions that many security products rely upon.
The malware employs a simple but effective deception: the domain placed in the HTTP Host header is decoupled from the IP address to which the connection is actually made.
Security researchers have observed samples using legitimate domains including microsoft.com, avast.com, facebook.com, google.com, and pentagon.com as disguise hosts while communicating with entirely different IP addresses.
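A defender can catch this decoupling at the proxy or egress logs by comparing the claimed Host header against the destination address. The following detection is an added example, not code from the article or any vendor; the log lines and the expected-range table are constructed (RFC 5737 documentation addresses stand in for the domains' real ranges, which in practice would come from passive DNS or the network's own resolver logs).

```python
import ipaddress

# Constructed expectation table (assumption): address ranges the proxy should
# see for each claimed Host. RFC 5737 documentation space is used here in
# place of the domains' real ranges.
EXPECTED_RANGES = {
    "microsoft.com": ["198.51.100.0/24"],
    "avast.com": ["198.51.100.0/24"],
    "facebook.com": ["192.0.2.0/24"],
    "google.com": ["192.0.2.0/24"],
    "pentagon.com": ["203.0.113.0/25"],
}

# Constructed proxy log: timestamp, source IP, destination IP:port, method,
# Host header, path. Two lines imitate the mismatch described in the article.
SAMPLE_LOG = """\
2025-06-01T09:12:01Z 10.0.0.15 198.51.100.20:443 GET microsoft.com /
2025-06-01T09:12:07Z 10.0.0.15 203.0.113.200:443 POST microsoft.com /api/cfg
2025-06-01T09:12:09Z 10.0.0.22 192.0.2.33:443 GET google.com /search
2025-06-01T09:13:44Z 10.0.0.15 203.0.113.201:443 POST pentagon.com /x7f3q
2025-06-01T09:14:02Z 10.0.0.31 203.0.113.5:80 GET internal.corp.local /
"""

def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, method, host, path = line.split()
    dst_ip, _, dst_port = dst.rpartition(":")
    return {"ts": ts, "src": src, "dst_ip": dst_ip, "dst_port": int(dst_port),
            "method": method, "host": host.lower(), "path": path}

def host_ip_mismatch(rec, expected=EXPECTED_RANGES):
    """True when the Host header names a domain we have expectations for but
    the destination IP lies outside every range recorded for that domain.
    Hosts absent from the table are not judged (subdomains would need
    normalisation to their registered domain before lookup)."""
    ranges = expected.get(rec["host"])
    if ranges is None:
        return False
    ip = ipaddress.ip_address(rec["dst_ip"])
    return not any(ip in ipaddress.ip_network(r) for r in ranges)

def find_mismatches(log_text, expected=EXPECTED_RANGES):
    """Return the records whose claimed Host and destination IP disagree."""
    return [rec for line in log_text.splitlines() if line.strip()
            if host_ip_mismatch(rec := parse_line(line), expected)]

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst_ip']}:{f['dst_port']} "
              f"claims Host {f['host']} ({f['method']} {f['path']})")
```

Repeated hits from one internal source against several unrelated IPs under different well-known Host values, as in the sample, are the pattern worth escalating rather than a single mismatch, which can also arise from CDN churn.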
Encryption and Communication Evolution
ACRStealer’s configuration data utilizes dual-layer encryption, employing Base64 and RC4 algorithms with the key “852149723\x00”.
The C2 communication initially relied on Cloudflare hosting services but has evolved to use self-signed certificates when the host-modification technique is applied.
Recent variants have introduced AES-256 (CBC) encryption for transmitted data, using embedded encryption keys and initialization vectors.
The communication protocol has undergone significant changes, transitioning from static URL paths to dynamic, randomly generated strings issued by the server during the initial connection.

This evolution includes a shift from GET to POST methods for configuration requests, utilizing JSON structures for data transmission.
The latest samples demonstrate advanced C2 communication where random endpoint paths are generated dynamically, requiring an additional handshake step in the communication process.
Proofpoint analysis indicates ACRStealer has been rebranded as AmateraStealer, with continuous feature updates making it one of the most active infostealer variants currently in circulation.
The malware maintains comprehensive data exfiltration capabilities, targeting browser data, cryptocurrency wallets, email accounts, cloud storage credentials, and various document formats while simultaneously serving as a delivery mechanism for additional malware payloads.
IOC
- 047135bc4ac5cc8269cd3a4533ffa846
- 09825dd40ba8ba3c1ce240e844d650a8
- 20fb6cc7760289d09071f6bbba6ac591