Full Report
AhnLab SEcurity intelligence Center (ASEC) monitors Infostealer malware being distributed disguised as illegal programs such as cracks and keygens, and publishes related trends and changes through the AhnLab TIP and ASEC Blog posts. While the majority of the malware distributed in this manner has been the LummaC2 Infostealer, the ACRStealer Infostealer has seen an […]
Analysis Summary
# Tool/Technique: ACRStealer
## Overview
ACRStealer is an Infostealer malware that has seen a recent increase in distribution, often disguised as illegal software (cracks and keygens). It utilizes a specific technique, Dead Drop Resolver (DDR), to obtain its actual Command and Control (C2) domains from legitimate web platform services acting as intermediary C2s.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Implied by targeted applications like browsers, wallets, etc.)
- Capabilities: Information theft (browsers, crypto wallets, FTP, chat, VPN, passwords), configuration retrieval, subsequent download of additional payloads.
- First Seen: Around June last year (relative to the article publication).
## MITRE ATT&CK Mapping
The observed behavior primarily falls under:
- **TA0009 - Collection**
  - T1005 - Data from Local System
  - T1555 - Credentials from Password Stores
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (used for C2 communication)
  - T1105 - Ingress Tool Transfer (downloading additional malware/config)
## Functionality
### Core Capabilities
- **Information Exfiltration:** Steals sensitive data including browser data, text files (.txt), cryptocurrency wallet files (e.g., Exodus, Electrum, Ledger Live), FTP server credentials, chat program info (e.g., Telegram, Signal, WhatsApp), remote/terminal program info, VPN configuration, password manager data (e.g., Bitwarden, 1Password), database information, and browser extension plugin information.
- **Data Handling:** Collected files are compressed into ZIP format before transmission to the C2 server.
### Advanced Features
- **Dead Drop Resolver (DDR) C2 Obfuscation:** Uses legitimate web platform services (e.g., Steam, telegra.ph, Google Docs Forms/Presentations) as intermediary C2 servers to hide the true C2 domain.
- **Dynamic C2 Location Insertion:** Threat actors continuously change where the encoded C2 string is placed within the intermediary page source (e.g., moving from a visible area in Steam to the 'summary' item).
- **Encrypted Configuration Retrieval:** Retrieves its configuration by combining a hardcoded UUID with the resolved C2 domain. The configuration is Base64-encoded and XOR-encrypted with the fixed key `852149723\x00` (nine ASCII digits followed by a null byte).
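As an added example for analysts (not code from the ASEC report), the following decoder reverses the configuration layering described above: Base64 text is decoded to bytes and the result is XORed with the 10-byte key `852149723\x00`, with the null byte kept as part of the cycling key. It assumes Base64 is the outer layer, includes a printable-ratio check to judge whether a candidate key produced plausible output, and uses a constructed sample configuration rather than a real captured one.

```python
import base64
from itertools import cycle

# XOR key reported for the ACRStealer configuration: nine ASCII digits
# followed by a single null byte, 10 bytes in total.
ACR_XOR_KEY = b"852149723\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the key cycles, null byte included)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_config(blob: str, key: bytes = ACR_XOR_KEY) -> bytes:
    """Undo the reported layering. Assumption made here: Base64 is the outer
    layer, so the text is Base64-decoded first and the bytes XORed with key."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw, key)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace. A correctly
    decoded text configuration scores near 1.0; a wrong key scores far lower."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def looks_decoded(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap plausibility check used when trying candidate keys."""
    return printable_ratio(data) >= threshold


# ---- constructed sample, not a real captured configuration -----------------
SAMPLE_PLAIN = b'{"c2":"c2-placeholder.invalid","grab":["browsers","wallets","ftp"]}'


def encode_config(plain: bytes, key: bytes = ACR_XOR_KEY) -> str:
    """Forward direction, used only to build the constructed sample blob."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


SAMPLE_BLOB = encode_config(SAMPLE_PLAIN)

if __name__ == "__main__":
    decoded = decode_config(SAMPLE_BLOB)
    print(decoded.decode())
    print("plausible with reported key:", looks_decoded(decoded))
    # A clearly wrong key flips every bit and yields no printable bytes.
    print("plausible with wrong key:", looks_decoded(xor_bytes(SAMPLE_PLAIN, b"\xff" * 10)))
```

Because the key is only 10 bytes long and the plaintext is text, `printable_ratio` is a useful sanity check when a sample turns up with a different key: a mostly printable result after decoding is strong evidence the candidate key is right.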
## Indicators of Compromise
- File Hashes:
  - SHA256: `0966facf8c0f32eeaa303dab4b6ed59071a0038bd3f3f7c109ab58c7a02d67e3`, `09c823235ca17428d294825f8c5c005df6e333e69e7c3c41f9e9e03e96a25646`, `0d0ddb0fa6b48252bf7b42741ffce72548515182e5746830ba7412842a9c4b46`, `0d51d748c3d5130d86183ea04cfebf157d2547ad453b1d013240f2b088ef8eb6`, `0e4fc0dc26227b24849e2b4f7f1ebb1c65e1f012d75f1e952ff13ae4d6b33ad4`
- File Names: (Not explicitly listed for the dropper/loader, but implied to be disguised as cracks/keygens)
- Registry Keys: (Not explicitly listed)
- Network Indicators:
  - Hardcoded Identifier UUID: `f1575b64-8492-4e8b-b102-4d26e8c70371`
  - Configuration Download URL Format: `https://[C2]/ujs/[UUID]`
  - Temporary C2 Domains involved in download/resolution (defanged): `2429568886dbdaba3fa935d7ae112525[.]stunnedfragiledioxide[.]shop`, `2429568886dbdaba3fa935d7ae1125a1[.]stunnedfragiledioxide[.]shop`, `2429568886dbdaba3fa935d7ae1125aa[.]stunnedfragiledioxide[.]shop`, `a-bc[.]xyz`, `bolstermonoxideseventeen[.]shop`
- Behavioral Indicators: Accessing specific pages on Google Docs, Steam, or telegra.ph to parse Base64 encoded C2 information.
## Associated Threat Actors
- Threat actors distributing general Infostealers disguised as illegal software (Specific actors are not named, but the methodology is shared with Vidar and LummaC2).
## Detection Methods
- Signature-based detection: Using provided file hashes.
- Behavioral detection: Monitoring network connections attempting to resolve C2 domains through legitimate hosting platforms (DDR technique). Monitoring for data compression (ZIP) followed by outbound network transfer not associated with standard application behavior.
- YARA rules: (Not provided)
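The behavioral detection described above can be expressed as a simple correlation over per-process network telemetry. The script below is an added example (not part of the ASEC report): it assumes a constructed log format with a timestamp, PID, process name, host and URL path per line, assumes hostnames for the intermediary platforms the report names (Steam, telegra.ph, Google Docs), and flags a process that contacts one of those platforms and, within a short window, requests a `/ujs/<UUID>` path from some other host. The sample log lines are constructed; the UUID and C2 domain in them are the indicators listed in this report.

```python
import re
from datetime import datetime, timedelta

# Assumed hostnames for the intermediary platforms named in the report.
# Extend this set from your own proxy/DNS data.
DDR_INTERMEDIARIES = {"steamcommunity.com", "telegra.ph", "docs.google.com"}

# Hardcoded identifier reported in the analysis; the fetch path is /ujs/<UUID>.
KNOWN_UUID = "f1575b64-8492-4e8b-b102-4d26e8c70371"
CONFIG_PATH_RE = re.compile(
    r"^/ujs/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

# How long after touching an intermediary a config fetch is still correlated.
WINDOW = timedelta(seconds=120)

# Constructed log format: "<iso-ts> pid=<n> proc=<name> host=<host> path=<path>".
LOG_RE = re.compile(r"^(\S+) pid=(\d+) proc=(\S+) host=(\S+) path=(\S+)$")

# Constructed sample: one suspicious process (4120) and one benign browser (900).
SAMPLE_LOG = """\
2024-01-01T10:00:01 pid=4120 proc=setup_crack.exe host=steamcommunity.com path=/profiles/0000
2024-01-01T10:00:03 pid=4120 proc=setup_crack.exe host=2429568886dbdaba3fa935d7ae112525.stunnedfragiledioxide.shop path=/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371
2024-01-01T10:05:00 pid=900 proc=chrome.exe host=steamcommunity.com path=/app/1
2024-01-01T10:06:00 pid=900 proc=chrome.exe host=example.com path=/index.html
"""


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, host, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "proc": proc,
            "host": host.lower(), "path": path}


def detect_ddr_followup(log_text, window=WINDOW):
    """Return alerts for processes that touch a DDR intermediary and then,
    within `window`, fetch a /ujs/<UUID> path from a non-intermediary host."""
    last_ddr = {}   # pid -> timestamp of most recent intermediary contact
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["host"] in DDR_INTERMEDIARIES:
            last_ddr[ev["pid"]] = ev["ts"]
            continue
        m = CONFIG_PATH_RE.match(ev["path"])
        seen = last_ddr.get(ev["pid"])
        if m and seen is not None and ev["ts"] - seen <= window:
            uuid = m.group(1).lower()
            alerts.append({
                "pid": ev["pid"], "proc": ev["proc"], "host": ev["host"],
                "uuid": uuid, "known_uuid": uuid == KNOWN_UUID,
                "seconds_after_ddr": (ev["ts"] - seen).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_ddr_followup(SAMPLE_LOG):
        print(a)
```

The correlation is keyed on the process, not just the host, because a browser legitimately visits Steam or Google Docs all day; the signal is a non-browser process doing so and then immediately pulling a UUID-named resource from an unrelated, typically newly registered, domain. Matching on the path shape rather than only on the known UUID keeps the rule useful when the actor rotates identifiers.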
## Mitigation Strategies
- **Avoidance:** Users must strictly avoid downloading or executing cracked software or keygens from untrustworthy websites.
- **Network Monitoring:** Implement egress filtering and monitoring to detect connections to newly registered or suspicious domains, especially those attempting to pull configuration data after resolving through legitimate intermediary services.
- **Application Control:** Restrict which executables may run and tightly control which processes can access sensitive data stores (browsers, wallets), limiting what an attacker gains if a host is compromised.
## Related Tools/Techniques
- **LummaC2 Infostealer:** Shares the technique of using legitimate platforms as intermediary C2s (DDR).
- **Vidar Infostealer:** Also utilizes similar C2 communication/resolution methods.
- **Dead Drop Resolver (DDR):** The core C2 hiding technique employed.