ACRStealer Malware Evolves: Advanced Evasion and Expanded Data Theft Targeting Gamers and More

ACRStealer’s New Variant: Advanced Evasion Techniques and Expanded Data Theft Capabilities

A new iteration of the ACRStealer malware has surfaced, showcasing enhanced evasion tactics and a broader scope of data exfiltration, posing a significant threat to cybersecurity defenses. Initially identified by Proofpoint in early 2025 as a rebranded version of the Amatera Stealer, this latest variant introduces sophisticated methods to bypass detection and secure communication channels, indicating active development and maintenance.

Malware-as-a-Service Model and Distribution

ACRStealer operates under a Malware-as-a-Service (MaaS) model, allowing multiple threat actors to rent and deploy it in various malicious campaigns. In recent incidents, it has been delivered as the final payload through HijackLoader, a complex loader associated with the PiviGames distribution platform. The attack sequence typically begins with users on gaming platforms such as Steam, Discord, or Reddit being lured into clicking malicious links (e.g., hxxps://pivigames.blog/adbuho). These links lead victims through a series of redirections, ultimately resulting in the download of a ZIP archive containing the malware, often disguised as legitimate software installers.

Technical Enhancements and Evasion Techniques

G DATA analysts, during a follow-up investigation into HijackLoader activity, identified this updated ACRStealer variant and noted several key advancements:

– Syscall Evasion: Unlike previous versions that relied on Dead Drop Resolvers (DDR) to obscure command-and-control (C2) server addresses, this variant employs low-level system calls to interact directly with Windows kernel interfaces. By locating ntdll.dll through the Process Environment Block (PEB) and manually parsing the Export Address Table (EAT), it resolves necessary functions using a modified djb2 hash algorithm, similar to techniques observed in HijackLoader. System calls are executed via the WoW64 transition gate, effectively bypassing user-mode hooks that many security products monitor.
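To show the analyst's side of the hash-based API resolution described above, here is an added Python example (not G DATA's or the malware's code): it precomputes djb2 hashes of export names so that constants recovered from a sample can be mapped back to API names, and, because the article says the variant uses a modified djb2, it also brute-forces common tweaks (seed, multiplier, case folding) to identify which variant produced an observed constant. The export list is constructed from a few public ntdll.dll names, and the candidate seeds and multipliers are assumptions.

```python
from itertools import product
from typing import Dict, Iterable, Optional, Tuple


def djb2(name: str, seed: int = 5381, mult: int = 33, lower: bool = False) -> int:
    """Classic djb2 over ASCII bytes, truncated to 32 bits as an x86 resolver would."""
    h = seed
    for b in (name.lower() if lower else name).encode("ascii"):
        h = (h * mult + b) & 0xFFFFFFFF
    return h


def build_table(names: Iterable[str], seed: int = 5381, mult: int = 33,
                lower: bool = False) -> Dict[int, str]:
    """Precompute hash -> export name so constants seen in a sample can be looked up."""
    return {djb2(n, seed, mult, lower): n for n in names}


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each recovered constant to an export name, or None if no candidate matches."""
    return {h: table.get(h) for h in hashes}


def guess_variant(observed: int, names: Iterable[str],
                  seeds: Tuple[int, ...] = (5381, 0),
                  mults: Tuple[int, ...] = (33, 65599)) -> Optional[Tuple[str, int, int, bool]]:
    """Try common djb2 modifications (assumed candidate seeds/multipliers, with and
    without case folding) and return (name, seed, mult, lower) for the first match."""
    names = list(names)
    for seed, mult, lower in product(seeds, mults, (False, True)):
        for n in names:
            if djb2(n, seed, mult, lower) == observed:
                return (n, seed, mult, lower)
    return None


# Constructed export list (real public ntdll.dll export names). In practice the full
# list is read from the DLL's export table, e.g. with the pefile library.
EXPORTS = [
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtCreateFile",
    "NtWriteFile", "NtOpenProcess", "LdrLoadDll", "RtlInitUnicodeString",
]

if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Constructed "recovered constant": the hash the resolver would compare against.
    sample_constant = djb2("NtProtectVirtualMemory")
    print(resolve([sample_constant], table))
    print(guess_variant(djb2("LdrLoadDll", seed=0, mult=65599, lower=True), EXPORTS))
```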

– Encrypted C2 Communication: The malware encrypts its traffic to the C2 server with Transport Layer Security (TLS). This both shields the exfiltrated data from inspection in transit and complicates detection by blending the malicious traffic with legitimate encrypted communications.

– Secondary Payload Delivery: ACRStealer’s infrastructure has been observed delivering other malware, such as LummaStealer, by redirecting victims to cloud storage downloads containing malicious executables. This flexibility allows threat actors to swap out final payloads without altering the distribution chain, complicating mitigation efforts.

Data Exfiltration Capabilities

The latest ACRStealer variant exhibits an expanded range of data theft capabilities:

– Browser Data: It targets credentials, session cookies, and login data from multiple web browsers, enabling unauthorized access to various online accounts.

– Gaming Accounts: Notably, this variant seeks to exfiltrate credentials from gaming platforms like Steam, a target not previously associated with ACRStealer campaigns.

– System Information: The malware performs comprehensive system fingerprinting, collecting details such as machine GUID, username, system architecture, locale, and build time.

The collected data is compiled into a hardcoded file named `d5e48e78-2951-4117-b806-e4f8e626f28c.txt` and transmitted to the C2 server. To optimize transmission, the data is compressed into an in-memory ZIP archive, capped at 40 MB.

Implications and Recommendations

The emergence of this advanced ACRStealer variant underscores the evolving sophistication of cyber threats. Its ability to evade detection through low-level system interactions and encrypted communications, coupled with its expanded data theft capabilities, poses a significant challenge to cybersecurity defenses.

Recommendations for Mitigation:

1. User Vigilance: Exercise caution when encountering unsolicited links, especially on gaming platforms and forums. Verify the authenticity of software installers before downloading.

2. Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of monitoring low-level system activities and identifying anomalous behaviors indicative of syscall evasion techniques.

3. Network Monitoring: Implement network monitoring tools to detect unusual encrypted traffic patterns that may indicate C2 communications.

4. Regular Updates: Keep all software and security solutions up to date to benefit from the latest threat intelligence and protection mechanisms.

5. User Education: Educate users about the risks associated with downloading software from unverified sources and the importance of maintaining strong, unique passwords for different accounts.

By adopting a multi-layered security approach and fostering a culture of cybersecurity awareness, organizations and individuals can better defend against sophisticated threats like the latest ACRStealer variant.