AhnLab Security Intelligence Center reports on the rising threat of the ACRStealer infostealer, which is distributed disguised as illegal (cracked) software. The malware resolves its command and control (C2) server through various legitimate platforms, with the C2 address stored in encoded form. Users are advised to be cautious when using illegal or untrustworthy software. Affected: infostealer malware, users of illegal software, the digital security sector.
Key points:
- ACRStealer infostealer malware is disguised as illegal software.
- Distribution of ACRStealer has significantly increased since early 2023.
- Over time, ACRStealer has used various legitimate platforms for its command and control operations.
- The Dead Drop Resolver (DDR) technique is employed to retrieve the C2 address from those legitimate platforms.
- The malware collects a wide range of sensitive information, including browser data and cryptocurrency wallet files.
- Users are cautioned against downloading illegal software and files from untrustworthy sources.
MITRE Techniques:
- Command and Control (T1071): ACRStealer retrieves encoded C2 strings from various legitimate platforms to control the malware.
- Obfuscated Files or Information (T1027): The C2 domain address is encoded using Base64.
- Data Exfiltration (T1041): The malware exfiltrates sensitive data, such as browser and financial information, after collecting it.
Indicators of Compromise:
- [URL] https://2429568886dbdaba3fa935d7ae112525[.]stunnedfragiledioxide[.]shop/Up
- [URL] https://2429568886dbdaba3fa935d7ae112525[.]stunnedfragiledioxide[.]shop/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371
- [URL] https://2429568886dbdaba3fa935d7ae1125a1[.]stunnedfragiledioxide[.]shop/Up
- [FQDN] 2429568886dbdaba3fa935d7ae112525[.]stunnedfragiledioxide[.]shop
- [HASH SHA256] 0966facf8c0f32eeaa303dab4b6ed59071a0038bd3f3f7c109ab58c7a02d67e3
Full Story: https://asec.ahnlab.com/en/86390/