ACRStealer Infostealer Exploiting Google Docs as C2
AhnLab SEcurity intelligence Center (ASEC) monitors Infostealer malware distributed under the guise of illegal programs such as cracks and keygens, and publishes related trends and changes through AhnLab TIP and the ASEC Blog. While most of the malware distributed in this way has been the LummaC2 Infostealer, distribution of the ACRStealer Infostealer has recently been increasing.

Figure 1. Page for distributing the Infostealer disguised as a crack
ACRStealer was first seen around June of last year, when only a single sample, apparently for testing purposes, was distributed. It was subsequently distributed in very small volumes, but the volume has increased significantly since the start of this year. The volume observed so far in February is already similar to that of the whole of January, so a sharp increase in distribution is expected for February.

Figure 2. Distribution trend of ACRStealer
ACRStealer uses a specific page on a legitimate web platform as an intermediary C2, a technique also used by Vidar and LummaC2. The threat actor places the actual C2 domain on that page in Base64 encoding; the malware fetches the page, parses out the string, decodes it, and obtains the real C2 address before performing its malicious behavior. This technique is known as a Dead Drop Resolver (DDR), and for convenience the page used for it is referred to here as an "intermediary C2." Because the first connection goes to a legitimate, widely used domain, destination-based blocking alone does not stop this stage; the page contents and the decoded C2 address are the more useful pivots. Steam was used as the intermediary C2 in the past, but samples using Google Docs have recently been distributed. The following services have been used by ACRStealer as intermediary C2s to date.
- Steam
- telegra.ph
- Google Docs (Form)
- Google Docs (Presentation)

Figure 3. Google Docs (Forms) used as an intermediary C2

Figure 4. Google Docs (Presentation) used as an intermediary C2
Compared with other Infostealers, ACRStealer takes a more flexible approach to its intermediary C2: the C2 string is placed on a variety of platforms, and its location within a page keeps changing. In the case of Steam, for example, the C2 string used to be in the visible area of the profile page, but it is now placed in the 'summary' field, so it is not shown in the browser and can only be seen in the page source. Detection or hunting logic that inspects only the rendered text of such pages will therefore miss it. The threat actor is likely to keep abusing a variety of platforms as intermediary C2s.

Figure 5. Intermediary C2 of past samples (left) and recent samples (right)
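The DDR step described above amounts to scanning the raw page source of the intermediary C2 page for a Base64 token that decodes to a hostname. The following is an added example written for this article (it is not ACRStealer's own code and does not reproduce its exact parsing logic): it runs a generic Base64 sweep over a saved page source, so it also catches a string hidden in a non-rendered field such as the Steam 'summary' item. The page markup, the `profile_summary` class name and the hostname `c2-server.example.net` are constructed for the example.

```python
"""Dead Drop Resolver (DDR) extraction over a saved intermediary C2 page.

Added example, not ACRStealer's code. The page markup, class names and the
hostname below are constructed; no real C2 is contacted.
"""
import base64
import binascii
import re

# Candidate Base64 tokens: standard alphabet, long enough to hold a hostname.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# A decoded candidate must look like a hostname (dotted labels, optional port).
HOSTNAME = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}(?::\d{1,5})?$", re.I
)


def extract_c2_candidates(page_source: str) -> list[str]:
    """Return every Base64 token in page_source that decodes to a hostname.

    Works on the raw source, not the rendered text, so a string placed in a
    hidden field (e.g. a profile 'summary') is found as well.
    """
    found: list[str] = []
    for token in B64_TOKEN.findall(page_source):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not printable ASCII
        text = text.strip()
        if HOSTNAME.match(text) and text not in found:
            found.append(text)
    return found


# Constructed sample: the C2 string sits in a non-rendered 'summary' element,
# next to visible text and an unrelated Base64 blob that is not a hostname.
ASSUMED_C2 = "c2-server.example.net"  # assumption for the example
SAMPLE_PAGE = (
    '<div class="profile_header">Visible profile text, nothing here.</div>\n'
    '<div class="profile_summary" style="display:none">'
    f'{base64.b64encode(ASSUMED_C2.encode()).decode()}</div>\n'
    '<script>var token = "QUJDREVGR0hJSktMTU5PUA==";</script>\n'  # "ABCDEFGHIJKLMNOP"
)

if __name__ == "__main__":
    print(extract_c2_candidates(SAMPLE_PAGE))
```

Run against a page saved with the browser's "view source" (or fetched with curl), not against copied rendered text, since the point of the recent samples is that the string is not displayed. Expect false positives on pages that legitimately carry Base64; the hostname filter removes most of them, and any survivor should be checked against the sample's actual network behavior before being treated as C2.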
The actual C2 domain obtained from the intermediary C2 is combined with a UUID-format identifier hardcoded in the sample to form the URL from which the configuration data is downloaded. The downloaded configuration data is Base64 encoded and XOR encrypted. The relevant values are as follows, and they have not changed so far.
- Identifier UUID: f1575b64-8492-4e8b-b102-4d26e8c70371
- Download URL format: https://[C2]/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371
- Decryption key for the configuration data: 852149723'\x00
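The configuration retrieval step, as an added example (not the malware's own code): the URL is assembled from the C2 host and the hardcoded UUID exactly as given above, and the downloaded blob is Base64 decoded and then XORed with the key. Two points are assumptions rather than statements from the article: that Base64 is the outer layer (decode first, then XOR), and that the key, read literally as the ASCII string `852149723'` followed by a null byte, is applied as a repeating byte pattern. The sample configuration content is constructed; the real schema is only shown in Figure 6.

```python
"""ACRStealer configuration download URL and Base64 + XOR decoding.

Added example, not the malware's code. UUID, URL format and key are taken
from the article; the layer order and repeating-key application are
assumptions, and the sample configuration is constructed.
"""
import base64
from itertools import cycle

CONFIG_UUID = "f1575b64-8492-4e8b-b102-4d26e8c70371"  # hardcoded identifier (article)
CONFIG_KEY = b"852149723'\x00"  # key as stated in the article, literal reading


def config_url(c2_host: str) -> str:
    """Build https://[C2]/ujs/<UUID>, the download URL format from the article."""
    return f"https://{c2_host}/ujs/{CONFIG_UUID}"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; symmetric, so it encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_config(blob: str) -> str:
    """Undo the transport encoding: Base64 decode, then XOR with CONFIG_KEY."""
    return xor_bytes(base64.b64decode(blob), CONFIG_KEY).decode("utf-8")


def encrypt_config(plaintext: str) -> str:
    """Inverse of decrypt_config; used only to produce a test blob offline."""
    encrypted = xor_bytes(plaintext.encode("utf-8"), CONFIG_KEY)
    return base64.b64encode(encrypted).decode("ascii")


# Constructed sample configuration; field names are illustrative only.
SAMPLE_CONFIG = '{"targets":["Chrome","Firefox"],"files":[".txt"],"zip":true}'
SAMPLE_BLOB = encrypt_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(config_url("c2-server.example.net"))  # host is a placeholder
    print(decrypt_config(SAMPLE_BLOB))
```

For a real sample, feed `decrypt_config` the body captured from the `/ujs/<UUID>` request in a sandbox or proxy log. Because XOR with a null byte leaves every eleventh byte unchanged, a readable plaintext after decoding is a quick confirmation that the key and layer order are right; garbage output points to a different order or a changed key. The UUID and URL path are also stable enough, per the article, to serve as a network detection string.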
The decrypted configuration data is shown in the following figure. It contains settings such as the programs targeted for exfiltration, the URL for downloading additional malware, the file extensions and paths to exfiltrate, and the IDs of the targeted browser extensions.

Figure 6. Configuration data
The configuration returned by the C2 specifies the following categories of information to be stolen: browser data, text files, cryptocurrency wallet files, FTP server information, chat program information, email client information, remote access program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension information. Depending on the settings, the collected files are compressed into a ZIP archive and transmitted to the C2.

Figure 7. Network behavior
The following is the list of programs targeted for exfiltration according to the configuration file at the time of analysis.
- Browser
Chrome, Chrome SxS, Chrome Beta, Chrome Dev, Chrome Unstable, Chrome Canary, Epic Privacy Browser, Vivaldi, 360Browser Browser, CocCoc Browser, K-Melon, Orbitum, Torch, CentBrowser, Chromium, Chedot, Kometa, Uran, liebao, QIP Surf, Nichrome, Chromodo, Coowon, CatalinaGroup Citrio, uCozMedia Uran, Elements Browser, MapleStudio ChromePlus, Maxthon3, Amigo, BraveSoftware Brave-Browser, Microsoft Edge, Opera Software Opera Stable, Opera Software Opera GX Stable, Opera Software Opera Neon, Mozilla Firefox, NETGATE Technologies BlackHawk, TorBro, Thunderbird
- File
.txt files
- Other programs
Binance, Electrum, Electrum-LTC, Ethereum, Exodus, Anoncoin, BBQCoin, devcoin, digitalcoin, Florincoin, Franko, Freicoin, GoldCoin (GLD), GInfinitecoin, IOCoin, Ixcoin, Litecoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Dogecoin, ElectronCash, MultiDoge, jaxx, atomic, Daedalus Mainnet, Coinomi, Ledger Live, Authy Desktop, Armory, DashCore, AnyDesk, FileZilla, Telegram Desktop, Mailbird, eM Client, The Bat!, PMAIL, snowflake-ssh, NordVPN, AzireVPN, purple, WhatsApp, Signal, Zcash, Guarda, WalletWasabi, Bitwarden, NordPass, 1Password, RoboForm, MySQL, Total Commander, Tox, Psi, Psi+, GoFTP, yMail2, FTPInfo, UltraFXP, NetDrive, FTP Now, DeluxeFTP, Opera Mail, FTPGetter, Steed, Sticky Notes, Notezilla, To-Do DeskList, ALFTP, BitKinex, TrulyMail, Pocomail, NppFTP, FTPBox, NovaFTP, GmailNotifierPro, BlazeFtp, Monero
- Browser Plugin (the plugin IDs are written in the configuration file; where an ID could be identified, it is replaced with the product name below)
TON Wallet, MyTonWallet, Tonkeeper, MathWallet, lodccjjbdhfakaekdiahmedfbieldgik, hcflpincpppdclinealmandijcmnkbgn, Hycon Lite Client, fhmfendgdocmcbmfikdcogofphimnkno, kpfopkelmapcoipemfendmdcghnegimn, BNB Chain Wallet, Auro Wallet, nlbmnnijcnlegkjjpcfjclmcfggfefdm, Wombat, NeoLine, iWallet, Polymesh Wallet, Yoroi, Wallet Guard, Temple, TezBox, ICONex, Hana Wallet, MetaMask, Station Wallet, Coin98 Wallet Extension: Crypto & DeFi, hpglfhgfnhbgpjdenjgmdgoeiappafln, Nabox Wallet, Keplr, OneKey, ZilPay, TronLink, ejbalbakoplchlghecdalmeeeajnimhm, kjmoohlgokccodicjjfebfomlbljgfhk, Ronin Wallet, CLV Wallet, hnfanknocfeofbddgcijnmhnfnkdnaad, LeafWallet, Phantom, djclckkglechooblngghdinmeemkbgci, Bitget Wallet, SafePal Extension Wallet, Trust Wallet, flhbololhdbnkpnnocoifnopcapiekdi, kkhmbjifakpikpapdiaepgkdephjgnma, apbldaphppcdfbdnnogdikheafliigcf, ckdjpkejmlgmanmmdfeimelghmdfeobe, iodngkohgeogpicpibpnaofoeifknfdo, hnefghmjgbmpkjjfhefnenfnejdjneog, fpcamiejgfmmhnhbcafmnefbijblinff, egdddjbjlcjckiejbbaneobkpgnmpknp, nihlebdlccjjdejgocpogfpheakkpodb, ilbibkgkmlkhgnpgflcjdfefbkpehoom, oiaanamcepbccmdfckijjolhlkfocbgj, ldpmmllpgnfdjkmhcficcifgoeopnodc, mbcafoimmibpjgdjboacfhkijdkmjocd, jbdpelninpfbopdfbppfopcmoepikkgk, onapnnfmpjmbmdcipllnjmjdjfonfjdm, cfdldlejlcgbgollnbonjgladpgeogab, Blocknative Gas Fee Estimator for Ethereum, Base, Arbitrum, and More, fdfigkbdjmhpdgffnbdbicdmimfikfig, njojblnpemjkgkchnpbfllpofaphbokk, hjagdglgahihloifacmhaigjnkobnnih, RoboForm Password Manager, ljfpcifpgbbchoddpjefaipoiigpdmag, Authenticator, gaedmjdfmmahhbjefcbgaolhhanlaolb, imloifkgjagghnncjkhggdhalmcnfklk, oeljdldpnmdbchonielidgobddffflal, GAuth Authenticator, Bitwarden Password Manager, KeePassXC-Browser, Dashlane, fooolghllnmhmmndgjiamiiodkpenpbb, Keeper® Password Manager, lfochlioelphaglamdcakfjemolpichk, LastPass: Free Password Manager, Browserpass, MYKI Password Manager & Authenticator, nofkfblpeailgignhkbnapbephdnmbmn, Splikity, CommonKey, Zoho Vault, Adblock Plus, kmmkllgcgpldbblpnhghdojehhfafhro, ibegklajigjlbljkhfpenpfoadebkokl, ijpdbdidkomoophdnnnfoancpbbmpfcn, llalnijpibhkmpdamakhgmcagghgmjab, mjdmgoiobnbombmnbbdllfncjcmopfnc, ekkhlihjnlmjenikbgmhgjkknoelfped, jngbikilcgcnfdbmnmnmnleeomffciml, hcjginnbdlkdnnahogchmeidnmfckjom, ogphgbfmhodmnmpnaadpbdadldbnmjji, hhmkpbimapjpajpicehcnmhdgagpfmjc, ojhpaddibjnpiefjkbhkfiaedepjheca, fmhjnpmdlhokfidldlglfhkkfhjdmhgl, gjhohodkpobnogbepojmopnaninookhj, hmglflngjlhgibbmcedpdabjmcmboamo, eklfjjkfpbnioclagjlmklgkcfmgmbpg, jbkfoedolllekgbhcbcoahefnbanhhlh, OKX Wallet, jbdaocneiiinmjbjlgalhcelgbejmnid, blnieiiffboillknjnepogjhkgnoapac, cjelfplplebdjjenllpjcblmjkfcffne, fihkakfobkmkjojpchpfgcmhfjnmnfpi, Enkrypt: ETH, BTC and Solana Wallet, nanjmdknhkinifnkgdcggcfnhdaammmj, nkddgncdjgjfcddamfgcmfnlhccnimig, Rabby Wallet, Pontem Crypto Wallet, efbglgofoippbgcjepnhiblaibcnclgk, Nami, Petra Aptos Wallet, Sui Wallet, Exodus Web3 Wallet, SubWallet – Polkadot Wallet, mopnmbcafieddcagagdcbnhejhlodfdd, Talisman Wallet, hifafgmccdpekplomjjkcfgodnhcellj, ijmpgkjfkbfhoebgogflfebnmejmfbm, lkcjlnjfpbikmcmbachjpdbijejflpcm, onofpnbbkehpmmoabgpcpmigafmmnjh, Cyano Wallet, Byone, infeboajgfhgbjpjbeppbkgnabfdkdaf, UniSat Wallet, Zerion, enabgbdfcbaehmbigakijjabdpdnimlg, Fluvi Wallet, Fuelet Wallet | Fuel, Leo Wallet, Leap Cosmos Wallet, Venom Wallet, Argent X, Braavos, Shell Wallet, Cirus, Sender Wallet, Pali Wallet, Fewcha Move Wallet, MultiversX Wallet, Leather, Carax Wallet, Backpack, Pockie Wallet, Koala Wallet, odpnjmimokcmjgojhnhfcnalnegdjmdn, BlockWallet, Gate Wallet, Suiet | Sui Wallet, mcbigmjiafegjnnogedioegffbooigli, Nightly, heefohaffomkkkphnlpohglngmbcclhi, ocjdpmoallmgmjbbogfiiaofphbjgchh, Ctrl Wallet, Typhon Wallet, Eternl, Lace, Kerberus Sentinel3, Alby, Xverse Wallet, OsmWallet, EVER Wallet, KardiaChain Wallet, odbfpeeihdkbihmopkbjmoonfanlbfcl, Oxygen, aodkkagnadcbobfpggfnjeongemjbjca, MultiversX Wallet, Keeper Wallet, Solflare Wallet, Goby, Coinhub, kppfdiipphfccemcignhifpjkapfbihd, Glass wallet | Sui wallet, Compass Wallet for Sei, HAVAH Wallet, Magic Eden Wallet
Various Infostealer malware are actively being distributed disguised as illegal software. Users should avoid using illegal software and be cautious when downloading files from untrustworthy websites.