The ACR Stealer, an infamous information-stealing malware active since 2024, has been identified as extracting browser passwords, session tokens, and Microsoft 365 documents from corporate networks. This malware capitalizes on ClickFix lures to gain unauthorized access to sensitive materials stored in OneDrive and SharePoint folders.
Entry Points and Attack Vectors
Initial access for ACR Stealer is typically achieved through a deceptively simple method: users unknowingly execute a command in the Run dialog box. According to Microsoft’s Defender Experts, the malware’s activity has surged from late April to mid-June, effectively leveraging ClickFix lures to extract critical information.
Two primary delivery chains are involved: one that leaves traces on the disk and another that operates filelessly. Microsoft advises affected users to revoke compromised tokens and not merely change passwords as a remedial measure.
Technical Intricacies of the Attack
The malware often infiltrates systems through malvertising or manipulated search results. The fileless attack chain initiates with the execution of mshta.exe, which accesses remote HTA content. A VBScript loader then employs COM objects to execute PowerShell commands, creating a unique victim ID and bypassing certificate checks.
The payload, hidden within a JPEG image, is extracted, decrypted, and executed in memory. Subsequently, the malware targets Chrome and Edge browsers, retrieving and decrypting stored passwords and session tokens using DPAPI. It also exfiltrates PDFs from common directories like Desktop and Downloads.
Detection and Mitigation Strategies
While one attack chain writes to disk, allowing defenders to detect its presence, both chains rely on user interaction to initiate. Red Canary, in its investigation, identified similar tactics and payloads being distributed through malicious ads and compromised sites. The attack utilizes obfuscated PowerShell scripts and a disguised scheduled task to maintain persistence.
Microsoft recommends several protective measures, including disabling the Run prompt, restricting the execution of mshta.exe, and employing application controls to prevent the execution of internet-delivered content.
Understanding the Threat Landscape
Although Microsoft has not disclosed specific victim counts, Red Canary’s telemetry indicates a significant prevalence of ACR Stealer in recent months. The malware, originally marketed under the name AcridRain and later rebranded as Amatera Stealer, has undergone significant updates.
Despite its evolution, the core tactic remains a social engineering vector, relying on user interaction to execute. The report underscores the importance of endpoint security practices and vigilance against prompt-based attacks.
Microsoft, in its report, provides hunting queries and domain indicators to aid organizations in detecting and mitigating these threats. As the threat landscape continues to evolve, staying informed and implementing robust security protocols is crucial for safeguarding sensitive data.
