Cybercriminals Exploit Fake Microsoft Teams Installer to Deploy Acreed Infostealer

In early 2025, a new and stealthy information-stealing malware named Acreed emerged, quickly gaining traction among Russian-speaking cybercriminal forums. First identified on February 14, 2025, Acreed distinguishes itself from bulkier counterparts by generating minimalistic logs, thereby avoiding the exposure of infection vectors and complicating forensic analysis.

Minimalistic Approach Enhances Stealth

Unlike traditional infostealers that produce extensive logs, Acreed focuses on extracting browser passwords, cookies, and autofill data, deliberately omitting browsing history and download records. This streamlined approach enhances operational security for cybercriminals and makes it more challenging for security professionals to trace the malware’s activities.

Infection Vectors and Deployment

Acreed’s infection chain often begins with trojanized installers hosted on compromised websites. These malicious installers are designed to appear legitimate, enticing users to download and execute them. Upon execution, a dropper known as ShadowLoader is deployed, which unpacks two nearly identical Portable Executable (PE32) modules. These modules then inject malicious code into legitimate, signed Dynamic Link Libraries (DLLs) such as WebView2Loader.dll, facilitating the stealthy execution of the malware.

Command and Control Mechanisms

Acreed employs sophisticated methods to establish communication with its command and control (C2) servers. Notably, it utilizes dead-drop resolvers on platforms like the Binance Smart Chain and Steam Community. By querying specific smart contracts or Steam profile comments, the malware retrieves encoded C2 domain information. This information is then decoded using XOR operations with hardcoded keys, revealing the actual C2 domains such as windowsupdateorg.live and trustdomainnet.live.
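The decoding step described above can be reproduced by an analyst examining a captured dead-drop value. The following is an added example, not code from the article or from the malware: the key, the hex transport encoding and the function names are assumptions, and only the recovered domain names come from the article. It also shows the practical analyst move of trying several candidate keys pulled from a sample's strings and letting a hostname check reject the wrong ones.

```python
"""Recover a C2 domain from an XOR-obfuscated dead-drop value (added analyst example)."""
import re
from itertools import cycle
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a key recovered from a sample's strings (assumption, not the real key).
SAMPLE_KEY = b"k3y!"

# Syntactic hostname check: a decode that passes this is far more likely to be a real C2 domain than noise.
DOMAIN_RE = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same routine builds and undoes the sample."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_dead_drop(domain: str, key: bytes = SAMPLE_KEY) -> str:
    """Build the hex text a dead-drop post would carry (used here only to construct test input)."""
    return xor_bytes(domain.encode("ascii"), key).hex()


def decode_dead_drop(hex_text: str, key: bytes = SAMPLE_KEY) -> Optional[str]:
    """Return the domain hidden in hex_text under key, or None if it does not decode to a hostname."""
    try:
        raw = bytes.fromhex(hex_text.strip())
    except ValueError:
        return None
    try:
        text = xor_bytes(raw, key).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if DOMAIN_RE.match(text) else None


def recover_domain(hex_text: str, candidate_keys: Iterable[bytes]) -> Optional[Tuple[bytes, str]]:
    """Try each candidate hardcoded key; the hostname check discards keys that produce garbage."""
    for key in candidate_keys:
        domain = decode_dead_drop(hex_text, key)
        if domain:
            return key, domain
    return None


if __name__ == "__main__":
    blob = encode_dead_drop("windowsupdateorg.live")  # constructed dead-drop payload
    print("dead-drop value:", blob)
    print("recovered:", recover_domain(blob, [b"abcd", SAMPLE_KEY]))
```

Once the domains are recovered this way, they belong in DNS and proxy block lists; the dead-drop location itself (a smart contract or a Steam profile) is worth watching, since a new encoded value there signals the operator has rotated infrastructure.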

Data Exfiltration and Persistence

Once the C2 connection is established, Acreed systematically scans directories within the AppData\Local path to locate data from browsers like Chrome, Edge, and Brave. It extracts sensitive information, including login credentials and cookies. To evade detection, the malware checks for the presence of specific browser extensions, particularly those related to cryptocurrency wallets like MetaMask and Coinbase Wallet, by matching their Globally Unique Identifiers (GUIDs).
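The directory sweep described above leaves a distinctive trace in endpoint telemetry: one process that is not a browser reading the credential stores of several browsers, and extension storage directories, in quick succession. The detection below is an added example, not code from the article: the event fields, the process names and the 32-character extension ID are constructed, while the paths are the standard Chromium-family locations under AppData\Local that the article says Acreed scans.

```python
"""Flag non-browser processes reading browser credential stores or extension data (added detection example)."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Processes expected to open these files; anything else touching them is suspect.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}

BROWSER_STORE_RE = re.compile(
    r"\\AppData\\Local\\(?P<vendor>Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\",
    re.IGNORECASE,
)
# Files holding saved logins, cookies, autofill data and the DPAPI-wrapped master key.
SENSITIVE_FILES = {"login data", "cookies", "web data", "local state"}
# Extension storage directories are named by the extension's 32-character ID (letters a-p).
EXT_SETTINGS_RE = re.compile(r"\\Local Extension Settings\\[a-p]{32}$", re.IGNORECASE)

# Constructed telemetry (field names are assumptions); "TeamsSetup.exe" stands in for a trojanized installer.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws01", "process": "TeamsSetup.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws01", "process": "TeamsSetup.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "ws01", "process": "TeamsSetup.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"host": "ws01", "process": "TeamsSetup.exe",
     "path": r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default"
             r"\Local Extension Settings\abcdefghijklmnopabcdefghijklmnop"},  # constructed extension ID
    {"host": "ws01", "process": "explorer.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (browser, kind) if the path is a browser credential store or extension storage dir."""
    m = BROWSER_STORE_RE.search(path)
    if not m:
        return None
    vendor = m.group("vendor").split("\\")[-1]  # Chrome, Edge or Brave-Browser
    if ntpath.basename(path).lower() in SENSITIVE_FILES:
        return vendor, "credential-store"
    if EXT_SETTINGS_RE.search(path):
        return vendor, "extension-settings"
    return None


def detect_credential_harvesting(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Aggregate sensitive-file reads per (host, process) and score the infostealer pattern."""
    per_proc = defaultdict(lambda: {"browsers": set(), "kinds": set(), "events": 0})
    for ev in events:
        proc = ev["process"].lower()
        if proc in BROWSER_PROCESSES:
            continue  # the browser reading its own profile is normal
        hit = classify_path(ev["path"])
        if hit is None:
            continue
        vendor, kind = hit
        rec = per_proc[(ev["host"], proc)]
        rec["browsers"].add(vendor)
        rec["kinds"].add(kind)
        rec["events"] += 1

    findings = []
    for (host, proc), rec in sorted(per_proc.items()):
        # One process sweeping several browsers, or wallet-extension data, is the stealer signature.
        high = len(rec["browsers"]) >= 2 or "extension-settings" in rec["kinds"]
        findings.append({
            "host": host, "process": proc,
            "browsers": sorted(rec["browsers"]), "kinds": sorted(rec["kinds"]),
            "events": rec["events"], "severity": "high" if high else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_harvesting(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic runs over Sysmon file-access or EDR events; the allowlist of browser processes should be tightened to signed binaries in their expected install paths, since a stealer can trivially name itself chrome.exe.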

Acreed also incorporates JavaScript-based clipboard hijacking modules, commonly referred to as clippers. These modules monitor clipboard activity and replace copied cryptocurrency addresses with those controlled by the attackers. This tactic increases the likelihood of diverting cryptocurrency transactions to the cybercriminals’ wallets.

Implications and Recommendations

The emergence of Acreed underscores the evolving sophistication of cyber threats targeting sensitive user information and digital assets. Its minimalistic design and advanced C2 communication methods make it a formidable challenge for traditional security measures.

To mitigate the risks associated with such malware:

– Exercise Caution with Downloads: Avoid downloading software from unverified sources. Always use official websites and trusted platforms for software installations.

– Implement Robust Security Solutions: Utilize comprehensive security software that can detect and prevent the execution of malicious code.

– Regularly Update Software: Ensure that all software, especially operating systems and browsers, is kept up to date with the latest security patches.

– Monitor for Unusual Activity: Be vigilant for unexpected system behavior, such as unauthorized access attempts or unfamiliar applications running in the background.

– Educate Users: Provide training on recognizing phishing attempts and the importance of cybersecurity hygiene to prevent inadvertent malware installations.

By adopting these proactive measures, individuals and organizations can enhance their defenses against sophisticated threats like Acreed and safeguard their sensitive information from cybercriminal exploitation.