ACRStealer, an infostealer malware actively distributed since last year, has evolved with new variants employing advanced detection evasion and analysis obstruction techniques, including Heaven’s Gate and low-level NT function socket communication. It uses disguised host domains and encrypted C2 communication with evolving methods such as AES-256 encryption and randomized paths to exfiltrate sensitive information and install additional malware. #ACRStealer #HeavensGate #AmateraStealer
Key points
- ACRStealer has been actively distributed since last year, with intensified activity and new variants emerging this year.
- The malware employs the Heaven’s Gate technique to execute x64 code from within WoW64 (32-bit) processes, evading detection.
- Instead of standard libraries, ACRStealer uses low-level NT functions like NtCreateFile and NtDeviceIoControlFile for direct socket communication to bypass monitoring tools.
- The malware uses legitimate domains such as microsoft.com, avast.com, and facebook.com as disguise hosts for C2 communications.
- Configuration data is Base64-encoded and RC4-encrypted, while later variants encrypt transmitted data with AES-256 (CBC) using embedded keys.
- C2 communication methods have evolved from fixed URL paths to dynamically generated random strings and POST requests with JSON structures.
- ACRStealer exfiltrates various sensitive data, including browser data, cryptocurrency wallets, accounts, documents, and can install additional malware; it has been rebranded as AmateraStealer.
MITRE Techniques
- [T1106] Execution through API – Uses low-level NT functions such as NtCreateFile and NtDeviceIoControlFile to implement socket communication.
- [T1560.001] Archive Collected Data: Archive via encryption – Encrypts configuration and exfiltrated data using RC4 and AES-256 (CBC) algorithms.
- [T1071.001] Application Layer Protocol: Web Protocols – Utilizes HTTP and HTTPS protocols for C2 communications using constructed HTTP structures.
- [T1573] Encrypted Channel – Uses HTTPS protocol with self-signed certificates and additional payload encryption for secure C2 communication.
- [T1036] Masquerading – Uses legitimate high-profile domains as host headers to disguise C2 communications (‘microsoft.com, avast.com, facebook.com, google.com, and pentagon.com have been used as disguise domains’).
- [T1107] File Deletion – Incorporates analysis evasion techniques such as Heaven’s Gate to disrupt detection and analysis (‘Heaven’s Gate is a technique used to execute x64 code in WoW64 processes and is widely used for analysis evasion’).
Indicators of Compromise
- [File Hash] MD5 hashes of ACRStealer samples – 047135bc4ac5cc8269cd3a4533ffa846, 09825dd40ba8ba3c1ce240e844d650a8, and 3 more.
- [IP Address] C2 server IPs – 85.208.139.75, 104.21.48.1, and other addresses including 178.130.47.243.
- [Domain] Disguised host domains used in HTTP headers – microsoft.com, avast.com, facebook.com, google.com, pentagon.com.
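A detection sketch for the masquerading and encrypted-channel behaviour described above (T1036 and T1573), added here as an example and not taken from the ASEC report: it scans proxy/TLS log lines in a hypothetical `key=value` format and flags connections that present one of the listed disguise hostnames together with a self-signed certificate, or that reach one of the C2 addresses from the IoC list. The log format and the sample lines are constructed for illustration.

```python
"""Flag connections where a high-profile hostname fronts a server that does not
look genuine: self-signed certificate, or a destination in the report's C2 list."""
import re
from typing import Dict, List, Tuple

# Disguise host names listed in the report.
DISGUISE_HOSTS = {"microsoft.com", "avast.com", "facebook.com", "google.com", "pentagon.com"}
# C2 addresses listed in the report's IoC section.
KNOWN_C2 = {"85.208.139.75", "104.21.48.1", "178.130.47.243"}

# Hypothetical log format: space-separated key=value pairs, one connection per line.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (not real telemetry); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
ts=2025-06-01T10:00:00Z src_ip=10.0.0.5 dst_ip=104.21.48.1 host=microsoft.com cert=self_signed
ts=2025-06-01T10:00:01Z src_ip=10.0.0.5 dst_ip=203.0.113.10 host=www.microsoft.com cert=valid
ts=2025-06-01T10:00:02Z src_ip=10.0.0.7 dst_ip=203.0.113.20 host=avast.com cert=self_signed
ts=2025-06-01T10:00:03Z src_ip=10.0.0.7 dst_ip=203.0.113.30 host=intranet.corp.example cert=self_signed
ts=2025-06-01T10:00:04Z src_ip=10.0.0.9 dst_ip=178.130.47.243 host=update.corp.example cert=none
"""

def parse_line(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))

def base_host(host: str) -> str:
    """Normalise the observed Host/SNI value: lower-case, drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def reasons_for(rec: Dict[str, str]) -> List[str]:
    """Apply both rules to one parsed record and return the reasons that fired."""
    reasons: List[str] = []
    host = base_host(rec.get("host", ""))
    if host in DISGUISE_HOSTS and rec.get("cert") == "self_signed":
        reasons.append(f"self-signed certificate presented for {host}")
    if rec.get("dst_ip") in KNOWN_C2:
        reasons.append(f"destination {rec['dst_ip']} is a reported ACRStealer C2 address")
    return reasons

def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, dst_ip, reasons) for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        why = reasons_for(rec)
        if why:
            hits.append((rec.get("ts", "?"), rec.get("dst_ip", "?"), why))
    return hits
```

Calling `scan(SAMPLE_LOG)` returns three hits: the first line fires both rules, the third fires the self-signed rule only, and the last matches a reported C2 address; the `www.microsoft.com` line with a valid certificate and the internal host with its own self-signed certificate are left alone.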
Read more: https://asec.ahnlab.com/en/89128/