Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.
Between late April and mid-June, the threat actor used the ClickFix social-engineering method, WebDAV servers, and the MSHTA (Microsoft HTML Application Host) utility to deliver the info-stealing payload.
ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranding of the Amatera Stealer malware.
ACR Stealer attacks
While there are multiple delivery methods for the malware, Microsoft highlights two intrusion chains as the most prevalent for ACR Stealer.
The first campaign starts with a ClickFix lure that executes a command to run a malicious DLL from a remote WebDAV share using rundll32.exe.
Threat actors abusing WebDAV is a common tactic, seen in past attacks delivering Bumblebee and Voldemort malware.
In a report this week, Microsoft says that the threat actor typically uses a GUID-based directory structure and filenames in the WebDAV path to mimic legitimate resources (for example, google.ct) and blend the activity with expected network traffic.
After establishing communication with the command-and-control (C2) infrastructure, "a heavily obfuscated PowerShell script" is executed to launch a malware installer and establish persistence.
The routine installs a bundled Python loader, creates a scheduled task masked as a software update, manipulates timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution.
... continue reading