V-Help
← All news
Security

Microsoft Warns of Surge in ACR Stealer Attacks

Microsoft Warns of Surge in ACR Stealer Attacks

Photo: BleepingComputer

Quick answer

ACR Stealer is malware actively targeting Microsoft enterprise users to exfiltrate passwords, tokens, and documents.

Microsoft has warned of a significant rise in cyberattacks leveraging the ACR Stealer malware, targeting enterprise clients. Between April and June, threat actors actively used social engineering tactics such as ClickFix, along with WebDAV and MSHTA tools to deliver malicious payloads to victim devices.

ACR Stealer operates under a Malware-as-a-Service (MaaS) model and, according to Microsoft, may be a rebrand of the known Amatera Stealer. The primary objective of these attacks is to steal passwords, cookies, authentication tokens, and other sensitive data stored in Chrome and Edge browsers, as well as corporate cloud storage platforms like OneDrive and SharePoint*.

Attackers employ multiple methods to deliver the malware. In one scenario, the attack begins with a phishing email prompting the victim to execute a command to 'fix an error.' This command launches a DLL file from a remote WebDAV server via rundll32.exe. In another approach, the MSHTA utility is used to download and execute an obfuscated PowerShell script that extracts an encrypted payload from a publicly available JPEG image.

To evade detection, threat actors use GUID structures in WebDAV paths, manipulate file timestamps, and leverage public blockchain services to update command-and-control server addresses. Microsoft advises organizations to tighten network traffic monitoring, block access to suspicious domains, and restrict script execution from untrusted sources.

Experts also recommend enforcing application control policies to limit the execution of tools like PowerShell, Python, mshta.exe, and rundll32.exe, particularly from user directories. A detailed list of indicators of compromise and mitigation recommendations is available in Microsoft’s report.

Common questions

What is ACR Stealer?
ACR Stealer is malware designed to steal data from browsers, cloud storage, and corporate systems. It operates under a MaaS (Malware-as-a-Service) model and is likely a rebrand of Amatera Stealer.
How is ACR Stealer distributed?
Attackers use social engineering (ClickFix), WebDAV servers, and MSHTA to deliver malicious payloads. Obfuscated PowerShell scripts and steganography are also employed to hide activity.
How to protect against ACR Stealer attacks?
Organizations should block suspicious domains, restrict access to unnecessary online resources, enforce application control policies, and avoid executing commands from untrusted sources.
Share:

Dzen feed: /feed/dzen.xml · RSS: /feed.xml

Why trust this

Prepared by the V-Help editorial team from the primary source with a published date.

Published by: V-Help.ru news desk

Source: BleepingComputer