Microsoft Urges Caution as ACR Stealer Attacks Surge Against Customers

www.news4hackers.com-microsoft-urges-caution-as-acr-stealer-attacks-surge-against-customers-microsoft-urges-caution-as-acr-stealer-attacks-surge-against-customers

Microsoft reports a surge in ACR Stealer malware attacks targeting enterprise users, utilizing advanced techniques to steal sensitive data.

Overview of ACR Stealer Malware

Microsoft has observed a notable increase in malicious activities involving the ACR Stealer malware targeting enterprise users. The threat actor leveraged multiple techniques, including social-engineering tactics, WebDAV servers, and the MSHTA utility, between late April and mid-June to deploy the information-stealing payload.

Malware-as-a-Service Model

ACR Stealer operates as a malware-as-a-service (MaaS) model and is associated with the rebranding of the Amatera Stealer malware. The attack methodology involves two primary intrusion chains.

Attack Methodology

The first campaign employs a ClickFix lure to execute a malicious DLL from a remote WebDAV share using the rundll32.exe utility. Attackers utilize a GUID-based directory structure and filenames resembling legitimate resources, such as google.ct, to evade detection.

Initial Foothold and Persistence

Once the initial foothold is established, a heavily obfuscated PowerShell script is executed to deploy the malware installer, create persistence mechanisms, and inject the payload into a system process for in-memory execution. This process includes generating a scheduled task disguised as a software update, manipulating timestamps, and clearing PowerShell history.

Dead-Drop Resolvers

Some variants employ public blockchain services as dead-drop resolvers to retrieve updated payload locations or command-and-control (C2) addresses, a technique known as EtherHiding.

Second Delivery Chain

The second delivery chain uses ClickFix to trigger MSHTA, which fetches malicious content from the attacker’s server and executes an obfuscated PowerShell script. The malware extracts an encrypted payload hidden within a steganographic JPEG image and executes it directly in memory.

Malware Capabilities

Both methods aim to exfiltrate sensitive data, including browser-stored passwords, authentication tokens, session cookies, and Chromium browser databases. The malware also searches for PDFs and Microsoft 365 documents, collects files from user directories, and targets enterprise-synchronized OneDrive and SharePoint folders.

Defensive Measures

Microsoft highlights that these two campaigns represent the most common delivery methods but notes that additional techniques likely exist. The report emphasizes defensive measures such as avoiding execution of untrusted commands, enforcing domain filters, blocking low-reputation domains, and restricting access to non-essential online resources.

Application Control and Security Testing

Application control rules should limit the use of tools like PowerShell, Python, mshta.exe, and rundll32.exe from user-writeable paths. Organizations are advised to test security layers proactively to identify vulnerabilities before adversaries exploit them.

Conclusion

The report underscores the importance of comprehensive security strategies, as 54% of attacks go undetected, and only 14% trigger alerts. Mitigation efforts must address both technical and procedural gaps to reduce exposure to evolving threats.

Microsoft highlights that these two campaigns represent the most common delivery methods but notes that additional techniques likely exist.


Blog Image

About Author

en_USEnglish