ACRStealer Infostealer Exploiting Google Docs as C2

Summary:
The AhnLab Security Intelligence Center (ASEC) has observed a significant increase in the distribution of ACRStealer infostealer malware, often disguised as cracks and keygens for illegal software. While LummaC2 has been the predominant infostealer distributed in this manner, ACRStealer's prevalence has risen sharply since the beginning of this year, with February's distribution volume mirroring January's and indicating a likely continued surge.

ACRStealer employs a technique called Dead Drop Resolver to conceal its actual C2 server address. It leverages legitimate web platforms as intermediary C2s, similar to Vidar and LummaC2. The threat actor embeds the Base64-encoded actual C2 domain on a specific page of these platforms. The malware then accesses this page, decodes the string, and retrieves the C2 domain to carry out its malicious activities. These intermediary C2 pages have been hosted on various services, including Steam, telegra.ph, Google Docs (Forms), and Google Docs (Presentations).

The actual C2 domain, obtained from the intermediary C2, is combined with a hardcoded UUID to create the URL for downloading the configuration data. The decrypted configuration data specifies targets for exfiltration, including browser data, text files, cryptocurrency wallet files, FTP server information, chat program information, email client information, remote program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension plugin information. It can also contain URLs for additional malware downloads, file extensions and paths to be exfiltrated, and IDs of target extension programs. Collected files may be compressed into ZIP format before being transmitted to the C2 server.
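As an added illustration (not code from ASEC's report or from the malware), the following defender-side heuristic scans a saved page's source for Base64 tokens that decode to a hostname, the kind of hidden dead-drop string described above. The sample page and the hostname in it are constructed for the example.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample page (not real ACRStealer content): the Base64-encoded
# hostname sits in a "summary" attribute, mirroring the hidden placement the
# report describes, alongside harmless Base64-looking noise.
SAMPLE_PAGE = (
    '<html><head><meta name="summary" content="ZXhhbXBsZS1jMi5pbnZhbGlk"></head>'
    '<body><p>Welcome aGVsbG8= to the page</p><p>AAAAAAAAAAAAAAAA</p></body></html>'
)

# Runs of Base64-alphabet characters (12 or more) that are not part of a longer token.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# Conservative hostname shape: dotted labels ending in an alphabetic TLD.
HOSTNAME = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def decode_as_hostname(token: str) -> Optional[str]:
    """Base64-decode one token; return the plaintext only if it looks like a hostname."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    text = text.strip()
    return text if HOSTNAME.fullmatch(text) else None


def find_dead_drop_domains(page_source: str) -> List[str]:
    """Return the unique hostnames hidden as Base64 anywhere in a page's source."""
    found: List[str] = []
    for match in B64_TOKEN.finditer(page_source):
        host = decode_as_hostname(match.group(0))
        if host and host not in found:
            found.append(host)
    return found


if __name__ == "__main__":
    # Hits are candidates for proxy-log searches and blocklists, not proof on their own.
    print(find_dead_drop_domains(SAMPLE_PAGE))  # ['example-c2.invalid']
```

Because ordinary pages also carry legitimate Base64 (images, tokens), treat a hit as a pivot for checking proxy and DNS logs for the decoded host rather than as a verdict.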

Security Officer Comments:
ACRStealer distinguishes itself through its flexible approach to utilizing intermediary C2s. It dynamically inserts C2 strings into diverse platforms, and the locations of these strings are constantly changing. For instance, while Steam previously hosted the C2 string in a visible area, it is now hidden within the ‘summary’ item, requiring access to the page source to be discovered. This adaptability suggests the threat actor will likely continue to exploit various platforms for their intermediary C2 infrastructure. The ongoing distribution of various infostealer malware, including ACRStealer, disguised as illegal software poses a significant threat. Users are strongly advised to avoid using illegal software and exercise extreme caution when downloading files from untrusted websites to mitigate the risk of infection.

Suggested Corrections:
IOCs are available here.
  • Advanced Email Filtering: While the primary distribution vector here is illegal software downloads, email can still be used to lure victims to sites hosting these downloads. Filtering can help block emails promoting such software.
  • Multi-Factor Authentication (MFA): MFA protects accounts after credentials have been stolen by the infostealer. Even if the malware grabs passwords, MFA can prevent account takeover.
  • Regular Software Updates: While not directly addressing the distribution method, updated software patches reduce vulnerabilities that the infostealer might exploit after gaining access.
  • Security Awareness Training: Training should emphasize the dangers of downloading software from untrusted sources, including cracks and keygens. It should also cover how to identify potentially malicious websites. This directly addresses the primary infection vector.
  • Strong Password Policies: Complex, unique passwords make it harder for the infostealer to steal usable credentials. Password managers are highly recommended.
  • Website Security: Less directly applicable in this scenario, as the attackers are leveraging legitimate platforms (Steam, Google Docs, etc.) for intermediary C2 communication. The issue is with the links to the malicious download sites, not necessarily the security of the intermediary platforms themselves. However, this is still important for general security posture.
  • Incident Response Plan: Having a plan in place will help organizations react quickly and effectively if an ACRStealer infection is detected.
  • Antivirus and Anti-Malware Software: This is a primary defense against the infostealer itself. The software should be able to detect and quarantine the malware upon execution.
  • Firewall Protection: Firewalls can potentially block malicious network communication initiated by the infostealer, including communication with the C2 server.
Link(s):
https://asec.ahnlab.com/en/86390/