A threat actor promoted ACR Stealer on a Russian underground forum in late March 2024. It is believed that the ACR Stealer is an upgraded version of the GrMsk Stealer. Using a dead drop resolver (DDR) method, this ACR stealer conceals its C2 on the Steam community page. Information from online browsers, cryptocurrency wallets, messaging apps, email clients, FTP clients, VPN services, and password managers can all be extracted by it.

Notably, the researchers report that similar tactics have also been seen in recent Lumma Stealer attacks, which facilitate adversaries' ability to alter the C2 domains at will and strengthen the infrastructure's resilience. This disclosure coincides with the revelation from CrowdStrike that threat actors are using the disruption from last week to spread an information stealer known as Daolpu, which was previously undisclosed. This is just one instance of the ongoing fallout from the malfunctioning update that has rendered millions of Windows devices unusable.

Using a Microsoft Word document riddled with macros that appear to be a Microsoft recovery handbook with authentic instructions from the Windows manufacturer to fix the problem, the attack uses the document as a ruse to start the infection process. Upon opening, the DOCM file triggers the macro to obtain a second-stage DLL file from a remote location. This DLL file is then decoded to initiate Daolpu, a stealthy malware capable of obtaining login credentials and cookies from Chromium-based browsers such as Microsoft Edge, Mozilla Firefox, and Google Chrome.

It also coincides with the introduction of new families of stealer malware, like Braodo and DeerStealer, and the use of malvertising tactics by threat actors to distribute Atomic Stealer in conjunction with genuine applications, like Microsoft Teams. Using search engines to download software is getting riskier as cybercriminals step up their distribution strategies. The navigation between SEO poisoning and malvertising is required of users.

Impact

• Sensitive Data Theft
• Security Bypass

Indicators of Compromise

Domain Name

• 21centuryart.com
• scratchedcards.com
• answerrsdo.shop
• pcvcf.xyz
• pcvvf.xyz
• pdddk.xyz
• pbdbj.xyz
• pqdrf.xyz

IP

• 62.133.61.26
• 62.133.61.43
• 5.42.107.78

MD5

• 158349867dc4ee02bd25e74ba3475bc2
• 0d6f8a03885e85f384584cb2416f859e
• b433eb6a16cca3d20a5f64e3ee58a603
• 87e1217cd4517d2c3ea39b1b970a5550
• ec84763fca218109b124ce3569aacbc0
• 60f608a7279a0f9bd78cf81ac0b4430e
• 86ccdd6ace9c65340b8704c32bb5c0b4
• 8eb4a13d9250cfc847bd4d7ab40fe07c
• b54762542e86d5c914ce6f5b900ff56d
• d739d9b0af49ec38e9974bcc6a22956a
• 5f97661b73f6d0c83c26666f643d1d19
• 5eff654f5dafbed08a97efcf5169518d
• ec33f9f31756e52ee62802c877013d83
• 0468a32ad1ed1169e98b897d87f51164

SHA-256

• e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949
• 547b6e08b0142b4f8d024bac78eb1ff399198a8d8505ce365b352e181fc4a544
• bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078
• bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d
• 59d2c2ca389ab1ba1fefa4a06b14ae18a8f5b70644158d5ec4fb7a7eac4c0a08
• 8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497
• 4043aa37b5ba577dd99f6ca35c644246094f4f579415652895e6750fb9823bd9
• 0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19
• 8c6d355a987bb09307e0af6ac8c3373c1c4cbfbceeeb1159a96a75f19230ede6
• de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f
• 6c779e427b8d861896eacdeb812f9f388ebd43f587c84a243c7dab9ef65d151c
• 08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671
• abc54ff9f6823359071d755b151233c08bc2ed1996148ac61cfb99c7e8392bfe
• 643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2

SHA-1

• d1327ff23fde813cb34e3da820ff93ca7bff79a6
• 6ef9d52ad398772b884f3884f106fe9bdfbc5a46
• 0abcfe1fa9058ac9171bbe63a62e2b092706d95c
• 6fea76f1c820df7d4f00421800516e8b6cb36c4f
• 48ae9f3b129f33191cd3846177f3823b6403831c
• 9e2c8ee8ffdddfab0ac7febe686f9e69038a456f
• fde2f7d41ae5eb1d6e8bc97ff67075e2d530b37d
• acddb25e1e218de74453f9c6b5cec6e92f55f6af
• c092c9c8034006d6c58a19d28c62c78f3100c686
• 55cf7d205926dfbf377a144d3c25dc4e91fa2fc1
• 1cd170dd5e6cf5adf52b076dcf1edfbf8322960c
• 22d31c28c59355530e0184bafe8be5b42c59c353
• 9261992e8c9cacf49ee16dd638aee098ad39e7c4
• 0d9dc54a5f91e6ed7d324c2a65b152a168d57b08

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.