Skip to content

Microsoft Warns of Surge in ACR Stealer Attacks on Enterprise Customers

Microsoft has observed a significant increase in attacks using the ACR Stealer malware, which targets enterprise customers by stealing browser-stored passwords, authentication tokens, and sensitive documents. The threat actor uses various tactics to deliver the info-stealing payload, including ClickFix social-engineering methods, WebDAV servers, and the MSHTA utility.

Malware-as-a-Service Operation

ACR Stealer is believed to be a rebranding of the Amatera Stealer malware and operates as a malware-as-a-service (MaaS) operation. The threat actor uses multiple delivery methods, with two intrusion chains being the most prevalent. The first campaign starts with a ClickFix lure that executes a command to run a malicious DLL from a remote WebDAV share using rundll32.exe.

WebDAV Servers and PowerShell Scripts

The threat actor typically uses a GUID-based directory structure and filenames in the WebDAV path to mimic legitimate resources, making it difficult to detect. After establishing communication with the command-and-control (C2) infrastructure, a heavily obfuscated PowerShell script is executed to launch a malware installer and establish persistence. The routine installs a bundled Python loader, creates a scheduled task masked as a software update, manipulates timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution.

Public Blockchain Services Used as Dead-Drop Resolvers

Some variants of ACR Stealer use public blockchain services as dead-drop resolvers to obtain updated payload locations or C2 addresses. This technique is known as “EtherHiding” and allows the threat actor to maintain persistence even if the initial C2 infrastructure is taken down.

MSHTA Delivery Chain

The second delivery chain uses ClickFix to launch MSHTA, which retrieves malicious content from the attacker’s server and executes an obfuscated PowerShell downloader. The malware then extracts an encrypted payload concealed inside a publicly hosted steganographic JPEG image and executes it directly in memory.

Objectives of ACR Stealer

The objective of ACR Stealer remains stealing sensitive data, including passwords, cookies, session data, and authentication tokens stored on web browsers. The malware also decrypts browser data through the Windows Data Protection API DPAPI, accesses Chromium browser databases on Chrome and Edge, searches for PDFs and Microsoft 365 documents, collects files from the Desktop and Downloads folders, and targets enterprise-synchronized OneDrive and SharePoint directories.

Recommended Mitigations

Microsoft recommends that organizations reduce exposure to web-based delivery chains by enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations. Application control rules can restrict launching content from a remote resource using tools like PowerShell, Python, mshta.exe, or rundll32.exe, especially from user-writeable paths.

Conclusion

The surge in ACR Stealer attacks highlights the importance of robust security measures and regular threat intelligence updates. Organizations must remain vigilant and implement recommended mitigations to prevent such attacks from succeeding.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *