Skip to content
Tech News
← Back to articles

Microsoft warns of surge in ACR Stealer attacks on customers

read original more articles
Why This Matters

The rise in ACR Stealer malware attacks underscores the increasing sophistication of cyber threats targeting enterprise users, emphasizing the need for enhanced cybersecurity measures. As attackers leverage social engineering, WebDAV, and obfuscated scripts, both consumers and organizations must stay vigilant to protect sensitive data and maintain trust in digital environments.

Key Takeaways

Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.

Between late April and mid-June, the threat actor used the ClickFix social-engineering method, WebDAV servers, and the MSHTA (Microsoft HTML Application Host) utility to deliver the info-stealing payload.

ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranding of the Amatera Stealer malware.

ACR Stealer attacks

While there are multiple delivery methods for the malware, Microsoft highlights two intrusion chains as the most prevalent for ACR Stealer.

The first campaign starts with a ClickFix lure that executes a command to run a malicious DLL from a remote WebDAV share using rundll32.exe.

Threat actors abusing WebDAV is a common tactic, seen in past attacks delivering Bumblebee and Voldemort malware.

In a report this week, Microsoft says that the threat actor typically uses a GUID-based directory structure and filenames in the WebDAV path to mimic legitimate resources (for example, google.ct) and blend the activity with expected network traffic.

After establishing communication with the command-and-control (C2) infrastructure, "a heavily obfuscated PowerShell script" is executed to launch a malware installer and establish persistence.

The routine installs a bundled Python loader, creates a scheduled task masked as a software update, manipulates timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution.

... continue reading