Essential Insights
- ACR Stealer exploits social engineering via pasted commands and malvertising, stealing browser credentials, session tokens, and sensitive documents from Chrome and Edge in memory or on disk.
- The threat leverages fileless techniques, remote-injected payloads, and obfuscated PowerShell or Python scripts to achieve persistence and evade detection.
- No exploits or vulnerabilities are used; the attack relies solely on user interaction, highlighting the importance of user awareness and preventing command pasting.
Threat, Attack Techniques, and Targets
The ACR Stealer malware has been active since 2024. It is used to steal browser passwords, session tokens, and files from Microsoft 365, OneDrive, and SharePoint. The malware enters networks when users paste a command into the Run box and press Enter. This command triggers two different attack chains.
Both chains start with a prompt that often arrives through malicious ads or search results. One chain leaves traces on the disk by downloading a DLL from a remote WebDAV server. The other runs almost entirely in memory using a fileless approach. The in-memory chain pulls a JPEG image with hidden payload pixels from a remote host. Custom routines extract, decrypt, and execute this payload. It then targets Chrome and Edge browsers, accessing their databases to retrieve and decrypt credentials, cookies, and tokens.
The attack can also involve downloading a ZIP file that contains a Python script, which runs in the background. This script can be an updater or installer that persists through hidden scheduled tasks and wipes older copies. Some variants communicate with blockchain networks or Web3 infrastructure, hiding pointers in smart contracts.
The malware mainly targets enterprise environments, exploiting the credentials and tokens already available to the user. Both attack chains do not exploit software vulnerabilities; instead, they depend on the user’s action of pasting a malicious command and pressing Enter.
Impact, Security Implications, and Remediation Guidance
The impact of ACR Stealer is significant because it can extract sensitive information stored in browsers and cloud services. It can also access business documents in Microsoft 365 apps, SharePoint, and OneDrive folders. The malware’s ability to steal tokens and credentials allows it to maintain ongoing access to the victim’s environment, potentially leading to further compromise.
Security implications include the need to monitor for commands executed in the Run dialog and suspicious network connections. Attackers can use obfuscated PowerShell and DLL downloads to hide malicious activity. The malware can also persist in the system for a long time through scheduled tasks and hidden files.
Microsoft advises that victims should revoke tokens instead of just rotating passwords. Detection involves hunting for abnormal PowerShell activity, unexpected network share access, and unusual processes like “rundll32.exe” running without command-line parameters.
To prevent infection, organizations can block the Run prompt, restrict scripts and executable launches from user folders, and monitor for suspicious process behavior. They should also isolate affected systems, revoke credentials, and check for unusual outbound connections.
Remediation guidance should be obtained from the relevant vendor or cybersecurity authority, as the report does not specify detailed steps beyond general best practices.
Expand Your Tech Knowledge
Stay informed on the revolutionary breakthroughs in Quantum Computing research.
Explore past and present digital transformations on the Internet Archive.
ThreatIntel-V1
