3 min read

Microsoft Warns of ACR Stealer Attack Surge

Microsoft says ACR Stealer attacks are targeting enterprise browsers, documents, OneDrive, and SharePoint through ClickFix and fileless delivery chains.

Image: BleepingComputer

Microsoft has detected a surge in ACR Stealer attacks targeting enterprise customers, with the malware harvesting browser-stored passwords, authentication tokens, and sensitive documents. The campaigns ran from late April through mid-June and combined the ClickFix social-engineering technique with WebDAV servers and MSHTA, the Microsoft HTML Application Host utility.

ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranded version of Amatera Stealer.

How ACR Stealer reaches victims

Microsoft identified two particularly common intrusion chains. In the first, a ClickFix lure persuades the victim to run a command that launches a malicious DLL from a remote WebDAV share through rundll32.exe. Attackers use GUID-based directories and filenames such as google.ct to make the remote path resemble a legitimate resource and blend into normal network traffic.

After connecting to command-and-control infrastructure, the malware runs a heavily obfuscated PowerShell script. The attack chain can then:

Recommended reading

WordPress wp2shell RCE Exploits Are Now Public

  • Install a bundled Python loader
  • Create a scheduled task disguised as a software update
  • Manipulate file timestamps and clear PowerShell history
  • Inject the final payload into a system process for in-memory execution

Some variants use public blockchain services to retrieve updated payload locations or C2 addresses, a technique known as EtherHiding.

The second chain also begins with ClickFix, but launches MSHTA instead. MSHTA retrieves malicious content from the attacker’s server and runs an obfuscated PowerShell downloader. The malware then extracts an encrypted payload hidden inside a publicly hosted steganographic JPEG image and executes it directly in memory.

Overview of the ACR Stealer attacks — Source: Microsoft

Regardless of the delivery method, ACR Stealer is designed to collect:

  • Browser passwords, cookies, session data, and authentication tokens
  • Browser data decrypted through the Windows Data Protection API (DPAPI)
  • Databases from Chrome and Edge
  • PDFs and Microsoft 365 documents
  • Files in Desktop and Downloads folders
  • Enterprise-synchronized OneDrive and SharePoint directories

The stolen information is archived before exfiltration to the attacker. Microsoft said the two campaigns are among the most prevalent ACR Stealer delivery methods observed by Defender Experts, but warned that they do not cover the malware family’s full range of execution chains.

“These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family.”

Microsoft

Microsoft advises users not to copy and execute commands in interpreters when prompted to fix an error or verify that they are human. Organizations should filter web-based delivery chains, block low-reputation and newly registered domains, and limit access to online resources that are not required for business operations.

Application-control rules can also block PowerShell, Python, mshta.exe, and rundll32.exe from launching content hosted on remote resources, particularly from user-writable paths. Microsoft’s report includes additional mitigations and indicators of compromise for the observed ACR Stealer activity.

Test every layer before attackers do
Test every layer before attackers do
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

/ Keep reading