Security researchers at Proofpoint have found that ACRStealer, a Malware-as-a-Service (MaaS) offering, has received a number of technical improvements. John Dador's most recent technical analysis for G Data Software shows that the HijackLoader framework is now actively using the malware as a final payload.

This new version uses low-level system calls and custom network communication to get around security products, which shows that it is still being developed into a stealthy, very flexible data-theft tool.

Advanced Evasion and Secret Communication

ACRStealer avoids the standard Win32 APIs so that Endpoint Detection and Response (EDR) solutions cannot hook its activity. Instead, it uses NTDLL and WoW64 system calls, resolving the APIs it needs dynamically.

Figure: Dynamic API Resolution (Source: gdatasoftware)

The malware operates at a lower system level by manually parsing function names and using the Wow64 transition gate, which lets it bypass user-mode security hooks.

Figure: Constructing an AFD Endpoint using the Object_Attribute Struct (Source: gdatasoftware)

Some important parts of its communication strategy are:

Layered Protocols: The malware first makes a raw TCP connection, then adds SSL/TLS encryption on top of it using the Windows Security Support Provider Interface (SSPI), so that the traffic looks like normal HTTPS web traffic.

Traffic Masking: Security researchers saw the malware talking to a specific C2 IP address and to a domain linked to a well-known fantasy soccer site, probably so that its exfiltration traffic blends in with normal browsing.

Fallback Mechanisms: If the first C2 connection fails, the malware runs a recovery routine and retries the connection.

More data theft and secondary payloads

Figure: Using NT Syscalls to move through files (Source: gdatasoftware)

The main ways the malware steals data are:

Browser Artifacts: It uses the standard Windows DPAPI to recover the master encryption keys. In addition, it can get around Google Chrome's newer App-Bound Encryption by injecting shellcode into the browser so that its actions look like legitimate privileged operations.

Gaming Credentials: In a unique twist, this version actively targets gamers by looking for Steam account configuration files and login tokens to steal.

Secondary Infections: The stealer can also deploy other payloads, such as PowerShell scripts and executable files.

It also uses process hollowing to hide further attacks by injecting malicious code into a legitimate Windows process that is already running.

Indicators of Compromise (IOC)

Type     Indicator                                                          Description
SHA-256  418A1A6B08456C06F2F4CC9AD49EE7C63E642CCE1FA7984AD70FC214602B3B1   Malicious "Full Version Setup" ZIP archive
SHA-256  59202cb766c3034c308728c2e5770a0d074faa110ea981aa88f570eb402540d2  ACRStealer payload (Win32.Trojan-Stealer.ACRStealer)
SHA-256  f88c6e267363bf88be69e91899a35d6f054ca030e96b5d7f86915aa723fb268b  LummaStealer variant dropped via Mega cloud storage

Even with these advanced features, G Data Software's analysis found small coding mistakes, such as payload execution functions that are declared but never actually called. Interestingly, the operators behind the original PiviGames infection vector have changed their tactics recently.

They still target gamers on platforms like Discord and Twitch, but their malicious links now send users to cloud storage services where different versions of LummaStealer are downloaded. This shows how quickly modern cybercriminal campaigns can change.
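As an added, defender-side example (not code from the article or from G Data), the following Python script validates the SHA-256 indicators from the IOC table above before using them and then matches in-memory blobs or files on disk against them. Note that the first hash is printed with only 63 hex characters, so it is reported as malformed rather than silently never matching; the scan_tree helper and the sample data are assumptions for this example.

```python
import hashlib
import re
from pathlib import Path

# IOC values copied from the article's table. The first entry is printed with
# only 63 hex characters, so as published it can never match a real SHA-256.
PUBLISHED_IOCS = {
    "418A1A6B08456C06F2F4CC9AD49EE7C63E642CCE1FA7984AD70FC214602B3B1":
        'Malicious "Full Version Setup" ZIP archive',
    "59202cb766c3034c308728c2e5770a0d074faa110ea981aa88f570eb402540d2":
        "ACRStealer payload (Win32.Trojan-Stealer.ACRStealer)",
    "f88c6e267363bf88be69e91899a35d6f054ca030e96b5d7f86915aa723fb268b":
        "LummaStealer variant dropped via Mega cloud storage",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_iocs(iocs):
    """Lower-case each value and split it into usable digests and malformed entries."""
    usable, malformed = {}, []
    for value, description in iocs.items():
        norm = value.strip().lower()
        if SHA256_RE.match(norm):
            usable[norm] = description
        else:
            malformed.append(value)
    return usable, malformed


def digest_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def match_digests(blobs, iocs):
    """Return {name: description} for every blob whose SHA-256 is a usable IOC."""
    usable, _ = validate_iocs(iocs)
    hits = {}
    for name, data in blobs.items():
        digest = digest_hex(data)
        if digest in usable:
            hits[name] = usable[digest]
    return hits


def scan_tree(root, iocs=PUBLISHED_IOCS):
    """Hypothetical helper: hash every file under root and report IOC hits by path."""
    blobs = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return match_digests(blobs, iocs)


if __name__ == "__main__":
    usable, malformed = validate_iocs(PUBLISHED_IOCS)
    print(f"{len(usable)} usable IOCs, {len(malformed)} malformed: {malformed}")
    sample = b"constructed sample, not a real malicious file"  # constructed input
    print(match_digests({"sample.bin": sample}, {digest_hex(sample): "demo"}))
```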