Cybersecurity researchers have identified a significant evolution of the ACRStealer information-stealing malware, which has been actively distributed since early 2024: the new variant features enhanced evasion techniques and more sophisticated command-and-control (C2) communication.
The malware utilizes Google Docs and Steam as C2 infrastructure through a Dead Drop Resolver (DDR) technique, making detection considerably more challenging for security systems.
The modified ACRStealer variant utilizes the Heaven’s Gate technique to execute 64-bit code within WoW64 processes, thereby effectively disrupting detection and analysis efforts.
This approach is convenient for evading security monitoring tools, though it limits functionality to systems with 64-bit processors.
The malware authors have implemented sophisticated network communication, bypassing traditional library-based monitoring by directly interfacing with the AFD driver using low-level NT functions such as NtCreateFile and NtDeviceIoControlFile.
Rather than utilizing standard libraries like WinHTTP and Winsock, the threat actors manually assemble HTTP structures for C2 communication, likely inspired by the open-source “NTSockets” project.
This implementation allows attackers to circumvent library-based network monitoring solutions that many security products rely upon.
The malware employs a clever deception technique by separating the host domain address in HTTP request headers from the actual IP address used for communication.
Security researchers have observed samples using legitimate domains including microsoft.com, avast.com, facebook.com, google.com, and pentagon.com as disguise hosts while communicating with entirely different IP addresses.
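The Host-header disguise described above is visible to any egress proxy or network sensor that records both the HTTP Host value and the destination address of the connection, because the two should agree once the name is resolved. The following detector is an added example written for this article, not code from the researchers or from any vendor; its log lines, log format and resolver table are constructed (documentation address ranges, not the listed domains' real records), and `find_host_mismatches`, `shared_destinations` and `Finding` are names chosen here.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Optional, Set

# Constructed egress-proxy log lines (not real traffic): time, client, the
# server ip:port actually connected to, and the HTTP Host header sent.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 -> 198.51.100.20:443 Host: microsoft.com
2024-05-01T10:00:02Z 10.0.0.5 -> 203.0.113.77:443 Host: avast.com
2024-05-01T10:00:05Z 10.0.0.9 -> 198.51.100.44:80 Host: google.com
2024-05-01T10:00:09Z 10.0.0.9 -> 203.0.113.77:443 Host: pentagon.com
2024-05-01T10:00:12Z 10.0.0.12 -> 192.0.2.200:443 Host: intranet.corp.example
"""

# Constructed stand-in for passive DNS or the resolver cache at log time.
# Addresses are RFC 5737 documentation ranges, not these domains' real records.
RESOLVED: Dict[str, Set[str]] = {
    "microsoft.com": {"198.51.100.20", "198.51.100.21"},
    "avast.com": {"198.51.100.30"},
    "google.com": {"198.51.100.44"},
    "pentagon.com": {"198.51.100.50"},
}

# Parser for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[0-9a-fA-F:.]+):(?P<port>\d+) "
    r"Host: (?P<host>\S+)$"
)


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    host: str
    reason: str  # "host-ip-mismatch" or "no-resolution"


def find_host_mismatches(
    log_text: str, resolve: Callable[[str], Optional[Set[str]]]
) -> List[Finding]:
    """Flag requests whose Host header names a domain that does not resolve
    to the address the connection actually went to."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        host = m["host"].lower().rstrip(".")
        dst = ipaddress.ip_address(m["dst"])
        expected = resolve(host)
        if expected is None:
            # Unknown name: lower confidence, but worth a look alongside others.
            findings.append(Finding(m["ts"], m["src"], str(dst), host, "no-resolution"))
            continue
        if not any(dst == ipaddress.ip_address(a) for a in expected):
            findings.append(Finding(m["ts"], m["src"], str(dst), host, "host-ip-mismatch"))
    return findings


def shared_destinations(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group mismatches by destination: one server answering to several
    unrelated well-known Host values is a stronger signal than a single miss."""
    hosts_by_dst: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        if f.reason == "host-ip-mismatch":
            hosts_by_dst[f.dst].add(f.host)
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = find_host_mismatches(SAMPLE_LOG, RESOLVED.get)
    for hit in hits:
        print(hit)
    print(shared_destinations(hits))
```

In a real deployment the resolver should be the resolution observed at (or near) the time of the request, since CDN and anycast fronting legitimately move well-known names between addresses and a stale table would produce false positives; a destination that serves several unrelated big-name Host values, especially with a certificate that does not match any of them, is the combination worth alerting on.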
ACRStealer’s configuration data utilizes dual-layer encryption, employing Base64 and RC4 algorithms with the key “852149723\x00”.
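With the RC4 key published, an analyst can strip the configuration layers from a memory dump or extracted blob without running the sample. The decoder below is an added example for this article, not code from the researchers; the article does not say which of the two layers is outermost, so the decoder assumes Base64 on the outside and falls back to the other order when that does not yield readable text. The sample configuration it decodes is constructed, and the names `rc4`, `decode_config`, `encode_config` and `looks_like_text` are chosen here.

```python
import base64
import binascii

# RC4 key reported for ACRStealer's configuration layer (from the analysis above).
RC4_KEY = b"852149723\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(data: bytes) -> bool:
    """Heuristic: a decoded config should be printable ASCII plus whitespace."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def decode_config(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    """Strip both layers. Layer order is an assumption (not stated in the
    article), so both orders are tried and the readable result wins."""
    candidates = []
    try:  # order A (assumed): Base64 on the outside, RC4 ciphertext inside
        candidates.append(rc4(key, base64.b64decode(blob, validate=True)))
    except (binascii.Error, ValueError):
        pass
    try:  # order B: RC4 on the outside, Base64 text inside
        candidates.append(base64.b64decode(rc4(key, blob), validate=True))
    except (binascii.Error, ValueError):
        pass
    for plain in candidates:
        if looks_like_text(plain):
            return plain
    raise ValueError("neither layer order produced a readable configuration")


def encode_config(plain: bytes, key: bytes = RC4_KEY, base64_outer: bool = True) -> bytes:
    """Inverse of decode_config; used here only to build the constructed fixture."""
    if base64_outer:
        return base64.b64encode(rc4(key, plain))
    return rc4(key, base64.b64encode(plain))


# Constructed sample configuration, not a real ACRStealer config.
SAMPLE_PLAIN = b'{"c2":"203.0.113.10","host":"example.invalid","build":"sample"}'
SAMPLE_BLOB = encode_config(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB).decode())
```

The `looks_like_text` check is what makes the order fallback safe: decrypting with the wrong order produces pseudo-random bytes, which fail the printable test or the strict Base64 validation, so only the correct order survives.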
The C2 communication initially relied on Cloudflare hosting, but later samples present self-signed certificates when the host-modification technique is applied.
Recent variants have introduced AES-256 (CBC) encryption for transmitted data, using embedded encryption keys and initialization vectors.
The communication protocol has undergone significant changes, transitioning from static URL paths to dynamic, randomly generated strings issued by the server during the initial connection.
This evolution includes a shift from GET to POST methods for configuration requests, utilizing JSON structures for data transmission.
The latest samples demonstrate advanced C2 communication where random endpoint paths are generated dynamically, requiring an additional handshake step in the communication process.
Proofpoint analysis indicates ACRStealer has been rebranded as AmateraStealer, with continuous feature updates making it one of the most active infostealer variants currently in circulation.
The malware maintains comprehensive data exfiltration capabilities, targeting browser data, cryptocurrency wallets, email accounts, cloud storage credentials, and various document formats while simultaneously serving as a delivery mechanism for additional malware payloads.