
ACRStealer malware hidden in cracked software

Researchers at ASEC (AhnLab Security Intelligence Center) have recently warned about a significant increase in computers infected with information-stealing malware such as LummaC2 and ACR Stealer. According to the researchers, these infections stem from cracked software and keygens carrying malicious payloads that circulate online; their use by ordinary users has driven the rise in infection numbers.

Figure 1: Website distributing cracked software containing hidden malware

ACR Stealer is information-stealing malware written in C++. First seen around early 2024, it targets ordinary users running the Windows operating system. Developed and sold under the Malware-as-a-Service (MaaS) model, it can steal sensitive information from the system, such as browser cookies, credentials saved in web browsers, cryptocurrency wallets, configuration files of installed programs, and information about the infected host, among other data.

ACR Stealer is also rated as high risk because of its ability to evade detection by security solutions. Specifically, it uses the "dead drop resolver" (DDR) technique: the malware abuses legitimate services such as Steam, Telegram's Telegraph, Google Forms and Google Slides as intermediaries that hold the real C2 address, and Base64-encodes the data it transmits over the C2 channel.

Figure 2: Google Docs (Forms) exploited as an intermediary to connect to C2

The actual C2 domain obtained from these intermediaries, combined with a hardcoded UUID, is used to build the URL from which the configuration is downloaded. Analysing the network traffic of this exchange reveals how much information the malware has collected from the victim's machine, as shown in the following image:
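The two paragraphs above describe the traffic a defender can hunt for: a fetch of a dead-drop service followed shortly by a request to a C2 URL built from the resolved domain and a UUID. The following detector is an added example, not code from the report or from FPT, run over a constructed proxy log; it assumes that the 32-hex host label and the /Up and /ujs/<UUID> paths seen in the listed IOC URLs generalise to other samples, and the dead-drop hostnames it checks are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Legitimate services the report names as dead-drop intermediaries (hostnames are assumptions).
DEAD_DROP_HOSTS = ("docs.google.com", "telegra.ph", "steamcommunity.com")

# Shape of the listed ACR Stealer C2 URLs: 32-hex host label, then /Up or /ujs/<UUID>.
# Assumption: this shape generalises beyond the samples listed in the report.
ACR_URL = re.compile(
    r"^https?://[0-9a-f]{32}\.[^/]+/(?:Up|ujs/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$",
    re.IGNORECASE,
)

def parse_line(line):
    """Parse a constructed proxy log line: '<ISO time> <client> <method> <url>'."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, url

def is_dead_drop(host):
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS)

def find_acr_c2(lines, window=timedelta(minutes=10)):
    """Return (client, url, correlated) for every URL matching the ACR Stealer C2 shape;
    correlated is True when the same client fetched a dead-drop service within `window`."""
    last_drop = {}  # client -> time of its most recent dead-drop fetch
    hits = []
    for line in lines:
        ts, client, _, url = parse_line(line)
        host = urlsplit(url).hostname or ""
        if is_dead_drop(host):
            last_drop[client] = ts
        elif ACR_URL.match(url):
            seen = last_drop.get(client)
            hits.append((client, url, seen is not None and ts - seen <= window))
    return hits

# Constructed proxy log; the two C2 hosts are taken from the report's IOC list.
SAMPLE_LOG = [
    "2025-03-01T10:00:05 10.0.0.7 GET https://docs.google.com/forms/d/e/EXAMPLEFORMID/viewform",
    "2025-03-01T10:00:09 10.0.0.7 GET https://2429568886dbdaba3fa935d7ae112525.stunnedfragiledioxide.shop/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371",
    "2025-03-01T10:00:12 10.0.0.7 POST https://2429568886dbdaba3fa935d7ae112525.stunnedfragiledioxide.shop/Up",
    "2025-03-01T10:30:00 10.0.0.9 GET https://2429568886dbdaba3fa935d7ae1125a1.stunnedfragiledioxide.shop/Up",
    "2025-03-01T10:31:00 10.0.0.9 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for client, url, correlated in find_acr_c2(SAMPLE_LOG):
        print(f"{client} {'CORRELATED' if correlated else 'shape-only'} {url}")
```

Shape-only hits still deserve a look, since the dead-drop fetch may have happened outside the log window or through a service not in the list.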

Figure 3: Network behavior analysis of the malware

ASEC researchers also provide an additional list of programs from which this malware steals information, specifically:

Web browsers: Cốc Cốc, Chrome, Microsoft Edge, Mozilla Firefox, Chrome SxS, Chrome Beta, Chrome Dev, Chrome Unstable, Chrome Canary, Epic Privacy Browser, Vivaldi, 360Browser Browser, K-Melon, Orbitum, Torch, CentBrowser, Chromium, Chedot, Kometa, Uran, liebao, QIP Surf, Nichrome, Chromodo, Coowon, CatalinaGroup Citrio, uCozMedia Uran, Elements Browser, MapleStudio ChromePlus, Maxthon3, Amigo, BraveSoftware Brave-Browser, Opera Software Opera Stable, Opera Software Opera GX Stable, Opera Software Opera Neon, NETGATE Technologies BlackHawk, TorBro, Thunderbird

Files: .txt

Other programs: MySQL, Telegram Desktop, WhatsApp, Bitwarden, 1Password, Binance, Electrum, Electrum-LTC, Ethereum, Exodus, Anoncoin, BBQCoin, devcoin, digitalcoin, Florincoin, Franko, Freicoin, GoldCoin (GLD), GInfinitecoin, IOCoin, Ixcoin, Litecoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Dogecoin, ElectronCash, MultiDoge, jaxx, atomic, Daedalus Mainnet, Coinomi, Ledger Live, Authy Desktop, Armory, DashCore, AnyDesk, FileZilla, Mailbird, eM Client, The Bat!, PMAIL, snowflake-ssh, NordVPN, AzireVPN, purple, Signal, Zcash, Guarda, WalletWasabi, NordPass, RoboForm, Total Commander, Tox, Psi, Psi+, GoFTP, yMail2, FTPInfo, UltraFXP, NetDrive, FTP Now, DeluxeFTP, Opera Mail, FTPGetter, Steed, Sticky Notes, Notezilla, To-Do DeskList, ALFTP, BitKinex, TrulyMail, Pocomail, NppFTP, FTPBox, NovaFTP, GmailNotifierPro, BlazeFtp, Monero

Browser plugins: see ASEC's report

Recommendations

Along with the rapid development of information technology, dangerous malware like ransomware or information-stealing malware (Infostealer) has become increasingly unpredictable. To minimize the risk of facing these information security threats, the FPT Threat Intelligence team recommends:

  • Enhance knowledge: Users should equip themselves with essential knowledge about cybersecurity.

  • Use legitimate software: Users should not use cracked software or illegal keygens of unknown origin.

  • Browse safely: Users should avoid accessing unknown links advertised on social media platforms or embedded in strange emails.

  • Use security services: Users should install antivirus software or use 24/7 monitoring services to enhance security.

IOCs

SHA-256

URLs


FQDN


Reference

  1. ASEC report: https://asec.ahnlab.com/en/86390/

FPT IS Security