New Variant of ACRStealer Actively Distributed with Modifications
ACRStealer is an infostealer that has been distributed since last year and has been actively distributed since early this year. AhnLab SEcurity intelligence Center (ASEC) has previously covered ACRStealer, which uses Google Docs and Steam as a C2 via the Dead Drop Resolver (DDR) technique.
Recently, a newly modified version of ACRStealer has begun to be actively distributed. While the information theft feature itself is not significantly different from the previous version, many detection evasion and analysis obstruction techniques have been applied. In addition, new variants are continuously being developed to add new features.
When executing key functions such as the C2 connection, the modified ACRStealer uses Heaven’s Gate to disrupt detection and analysis. Heaven’s Gate is a technique for executing x64 code from within a WoW64 process and is widely used for analysis and detection evasion. Because it does not work on native x86 (32-bit) systems its use is somewhat restricted, but it is frequently found in service-type malware.
Instead of the common approach of using libraries such as WinHTTP and Winsock for C2 communication, this threat actor implements the socket by talking directly to the AFD driver with low-level NT functions such as NtCreateFile and NtDeviceIoControlFile, and assembles the HTTP messages by hand to communicate with the C2 server. This allows the malware to bypass library-based monitoring. The threat actor appears to have referenced the open-source project “NTSockets”.

Figure 1. C2 connection code
The host domain address entered in the HTTP request header and the IP address actually used for C2 communication are separately hardcoded. In some samples, the host domain address and IP address are the same, but there are also samples that use a famous legitimate domain as the host domain address. In this case, some monitoring tools may display the C2 connection address as the legitimate domain instead of the actual IP address being accessed.

Figure 2. Legitimate host name and C2 IP address

Figure 3. URL access behavior information from VirusTotal, which actually shows communication with the C2 IP 85.208.139.75
So far, micosoft.com, avast.com, facebook.com, google.com, and pentagon.com have been used as disguise domains, and a sample that uses the “m” character instead of the domain format has also been identified. It is likely that the disguise domains will continue to change.
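The mismatch described above (a well-known domain in the Host header, but a TCP peer that has nothing to do with that domain, or a Host value such as “m” that is not a domain at all) can be checked from proxy or EDR network logs. The following Go program is an added example written for this post, not code from ASEC or from the malware: it scans constructed log records and raises an alert when the Host header names a domain whose known address ranges (a constructed allowlist here; in practice fed from DNS resolution logs) do not contain the destination IP, or when the Host header is not a valid domain name. The process name and the documentation-range addresses are constructed; the C2 IP and paths are those reported above.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// ProxyRecord is one outbound HTTP request as a web proxy or EDR network
// sensor would log it: the Host header the client sent and the IP it
// actually connected to.
type ProxyRecord struct {
	Process string // constructed field for readability
	Host    string // value of the HTTP Host header
	DstIP   string // IP address of the TCP peer
	Method  string
	Path    string
}

// Alert pairs a record with the reason it was flagged.
type Alert struct {
	Reason string
	Rec    ProxyRecord
}

// knownRanges is a constructed allowlist for this example (TEST-NET ranges).
// A real deployment derives it from DNS resolution logs or threat intel.
var knownRanges = map[string][]string{
	"google.com":   {"203.0.113.0/24"},
	"facebook.com": {"198.51.100.0/24"},
	"avast.com":    {"192.0.2.0/24"},
}

// hostnameRe accepts a dotted domain name with an alphabetic TLD.
var hostnameRe = regexp.MustCompile(`^([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$`)

func inRanges(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckRecord returns an alert when the Host header is inconsistent with the
// destination. A bare-IP Host header (as in some samples) gives nothing to
// compare, so it is passed through.
func CheckRecord(r ProxyRecord) (Alert, bool) {
	ip := net.ParseIP(r.DstIP)
	if ip == nil {
		return Alert{"unparseable destination IP", r}, true
	}
	if net.ParseIP(r.Host) != nil {
		return Alert{}, false
	}
	if !hostnameRe.MatchString(r.Host) {
		return Alert{"Host header is not a valid domain name", r}, true
	}
	if cidrs, ok := knownRanges[r.Host]; ok && !inRanges(ip, cidrs) {
		return Alert{"Host header claims " + r.Host + " but peer " + r.DstIP +
			" is outside its known ranges", r}, true
	}
	return Alert{}, false
}

// ScanRecords applies CheckRecord to a batch of records.
func ScanRecords(recs []ProxyRecord) []Alert {
	var alerts []Alert
	for _, r := range recs {
		if a, ok := CheckRecord(r); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// sampleRecords are constructed for this example.
var sampleRecords = []ProxyRecord{
	{"chrome.exe", "google.com", "203.0.113.10", "GET", "/"},                                           // consistent
	{"update.exe", "google.com", "85.208.139.75", "GET", "/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371"}, // disguised Host
	{"update.exe", "m", "85.208.139.75", "POST", "/Up/x"},                                              // non-domain Host
	{"update.exe", "85.208.139.75", "85.208.139.75", "POST", "/"},                                      // Host equals IP
}

func main() {
	for _, a := range ScanRecords(sampleRecords) {
		fmt.Printf("%-8s %s %s -> %s: %s\n", a.Rec.Process, a.Rec.Method, a.Rec.Host, a.Rec.DstIP, a.Reason)
	}
}
```

Only the second and third sample records are flagged; the bare-IP case is left for a separate rule (for example, TLS to a raw IP with a self-signed certificate, which the later samples in this post use).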
The information theft feature does not show major differences from the previous version. The C2 address format and encryption method for the configuration data are also the same as before.
- Encrypting Configuration Data
  - Algorithm: Base64, RC4
  - RC4 Key: “852149723\x00”
- C2 Communication
  - http(s)://{IP}/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 (Receive Configuration File)
  - http(s)://{IP}/Up/x (Send Stolen Information)
Both HTTP and HTTPS are used for C2 communication. Initially, the C2 server was hosted behind Cloudflare, which, being a cloud front end, does not allow the host domain address to be altered. As a result, the threat actor applied the host address modification technique only to the HTTP samples.
Afterward, a sample using the HTTPS protocol together with the host modification technique appeared. Since cloud services cannot be used when the host is modified, the threat actor set up a C2 server with a self-signed certificate.

Figure 4. Self-signed certificate of the C2 server
The variant also added a feature to encrypt the transmitted data in addition to the encryption of the HTTPS protocol. At the same time, the C2 address format was changed. An “enc_” prefix was added, presumably to distinguish it from the previously established C2 server.
- C2 Communication: the ujs and Up/x paths are prefixed with “enc_” (enc_ujs and enc_Up/x)
The AES-256 (CBC) algorithm is used to encrypt the data being sent and received. The encryption key and Initialization Vector (IV) value are embedded within malware code.
- Data Encryption
  - Algorithm: AES-256 (CBC)
  - Key: 7640FED98A53856641763683163F4127B9FC00F9A788773C00EE1F2634CEC82F
  - Initialization Vector: 55555555555555555555555555555555

Figure 5. AES key setting code
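Both configuration encodings described above (the earlier Base64 + RC4 scheme with the key “852149723\x00”, and the “enc_” variant’s AES-256-CBC with the fixed key and IV) can be reversed with a short decoder. The Go program below is an added example for this post, not code from ASEC or from the malware. It assumes Base64 is the outer layer in both schemes, that the RC4 key is the ten bytes including the trailing NUL, and that the AES plaintext is PKCS#7-padded; the forward (encrypt) functions exist only so the example can build its own test vector from a constructed configuration, since no raw sample is reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rc4"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key material as documented in the analysis above.
var rc4Key = []byte("852149723\x00") // 10 bytes, trailing NUL included

const (
	aesKeyHex = "7640FED98A53856641763683163F4127B9FC00F9A788773C00EE1F2634CEC82F"
	aesIVHex  = "55555555555555555555555555555555"
)

// DecodeRC4Config reverses the earlier encoding: Base64 decode, then RC4.
// The layering order is an assumption made for this example.
func DecodeRC4Config(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	c, err := rc4.NewCipher(rc4Key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(raw))
	c.XORKeyStream(out, raw)
	return out, nil
}

// EncodeRC4Config is the forward direction, used only to build a sample.
func EncodeRC4Config(plain []byte) string {
	c, _ := rc4.NewCipher(rc4Key)
	out := make([]byte, len(plain))
	c.XORKeyStream(out, plain)
	return base64.StdEncoding.EncodeToString(out)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, x := range b[len(b)-n:] {
		if int(x) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptAESResponse handles the "enc_" variant: Base64 decode, then
// AES-256-CBC with the fixed key and IV, then PKCS#7 unpadding (assumed).
func DecryptAESResponse(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	key, _ := hex.DecodeString(aesKeyHex)
	iv, _ := hex.DecodeString(aesIVHex)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, raw)
	return pkcs7Unpad(out)
}

// EncryptAESResponse is the forward direction, used only to build a sample.
func EncryptAESResponse(plain []byte) (string, error) {
	key, _ := hex.DecodeString(aesKeyHex)
	iv, _ := hex.DecodeString(aesIVHex)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// sampleConfig is a constructed stand-in for one decrypted configuration entry.
var sampleConfig = []byte(`{"b":[{"n":"b\\c8","p":"\\Local\\Google\\Chrome\\User Data","t":1,"pn":"chrome.exe"}]}`)

func main() {
	plain, err := DecodeRC4Config(EncodeRC4Config(sampleConfig))
	fmt.Printf("RC4 variant: %s (err=%v)\n", plain, err)
	enc, _ := EncryptAESResponse(sampleConfig)
	plain, err = DecryptAESResponse(enc)
	fmt.Printf("AES variant: %s (err=%v)\n", plain, err)
}
```

Because the AES key and IV are fixed in the binary, the same plaintext always produces the same ciphertext; a captured response body can therefore be decrypted offline with nothing more than these two constants, and padding or block-length errors are a quick sign that a body belongs to a different variant.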
Afterward, a sample with significant changes in the C2 communication method appeared. Instead of the /Up/x and /enc_Up/x paths previously used for exfiltrating information, it now uses random strings. These random strings are issued by the server upon the initial C2 connection and are different each time a connection is made. As a result, an additional step was added to the C2 communication process to implement this feature. Furthermore, the process of requesting configuration data from the C2 server has changed from the previous GET method to the POST method, which involves sending a string in the JSON structure as data. As a result, the “ujs” and “enc_ujs” identification strings are no longer used. The following is an example of the C2 communication process:
- C2 Connection Type
  - https://{IP} (Receive path information)
    Request
    {"Command":"GetEndpoints"}
    Response
    {
      "a": "/y_e_z6-_osR9tcQ0w8j_CzQ49~Yc--GqAiE4@iDBkRpd",
      "g": "/t05_~ICW~~Dg8J-7",
      "b": "/Z.Y@HgMvWN_6IuB-rI",
      "m": "/Qufz-iR@3bnZG-ZV-K.Ja4Q_~vQJP7pw-1OHEKXwTUUbC",
      "o": "/CIsMkC_~64P_GszI-jj_Tui_uSWB4u",
      "w": "/6q6@bBWgRJJMNd-_.hc@2f~FYqhZ_qD1p7",
      "err": "/l~1~HzgWe.0o2~_yO-k8",
      "t": "/Z_J7ja95l~Xj_UyJr@cTZ-SR6gUPxW2",
      "p": "/g~H_OM.6s10ID8jZTi2--KOlT-azK_s",
      "f": "/6a2mgaQCayNn9s-i@4_ZoTH_",
      "c": "/Y-g_hmMD~4.BmGm010Z"
    }
  - https://{IP}/Y-g_hmMD~4.BmGm010Z (Receive configuration file)
    Request
    {"Id":"f1575b64-8492-4e8b-b102-4d26e8c70371"}
    Response (encrypted, Base64-encoded)
    QxdQEw5iTBBdIgIXUG1oWg8QHyJIFwgTaGV7XVBhVGludltWUF
    5WXGR2WkNbVFJub1VLUEARcFhDUxEsGkEQCwUVFUJdIgIXUVlG
    VlpXHWVAUBBMGEIVXBE6GldubVcBFR4RcBoPEG1odVhRUmxkaX
    VeW15bV29ce11AXllcF2FLU2RpZ0JRSxd2UnRZFx4TQBsNAx8i
    SFsQCxZaX0BcbV0bV0lRG0oeSCJWFwgTVmVrUQsiFBdCEw4ba2
    5/b1tUXm1oflhdVGxdaW5yXEtYX1YgelBGUGhlYkFWchhxU0VV
    GxsQRyICBB4TRFcVCBFjUEddXFEXUkpWIkUZSRNaGw0QUVxkVg
    oTGBtHEAkiZGl+XldYW25vR1daVV1RZWtxW3JXWFcRcFxBbm9V
    S1BAEXBYQ1MRLBpBEAsFFRVCXSICF1FZRlZaVx1lQFAQTBhCFV
    wROhpXbm1XARUeEXAaDxBtaHVYUVJsZGl1XlteW1dvXHtdQF5Z
    XBdnXXNMVFBdUWVrZ0BlShV2UEBYFR4RdBoPAx0WSVkQCSJbXU
    BeWVwZV0tlGkgeShZXFQgRYmRpUQkWFRVCEToaaW59W1pWXm9c
    f1pdVlhca25waEpaX1QUelZcUnJBaW5kR1xFEndhTFQQHRZNFQ
    gCLBpFXBMOG1RaQW9VUBxUTFwVTx97GlsQCxZba25QMggXHhNE
    Gw0Qb1x0WlFQWGVrd0NpWxViQ11PVlFKIHpHXUZHXEVub1VLUE
    ARcFhDUxEsGkEQCwUVFUJdIgIXV0FdWhlXS2UaSB5KFlcVCBFi
    ZGlRAAEbGxBDIgIXbm14VlRTX1xkY1tHVVVTW29cbUZXQxR9Vk
    ZSIhQXRhMOCBsQQ24aDxBHXU9WXldpFlBKVBZEG0kRbhoPEFNo
    ZVQABSIUF0ITDhtrbn9vW1RebWgKAQJxcldCQVRGZWtwQW9PRl
    dDaGViQVZyGHFTRVUbGxBHIgIEHhNEVxUIEWJKWkVCUUsEBAMu
    XU1XE0kVTBBdIgIXUG1oWgYLESwaRRALFmVrflxjWVlubXdWVH
    FcY2RpcENbTkRXQVxkYEFURhlzU0dhGhkQRRYDBh4RcFYXCBNX
    VlRdUC5dTVcTSRVMEF0iAhdQbWhaARAfIkgXCBNoZXtdUGFUaW
    …
    Response (decrypted)
    {
      "b": [
        {
          "n": "b\\c8",
          "p": "\\Local\\Google\\Chrome\\User Data",
          "t": 1,
          "pn": "chrome.exe"
        },
        {
          "n": "b\\c8",
          "p": "\\Local\\Google\\Chrome SxS\\User Data",
          "t": 1,
          "pn": "chrome.exe"
        },
        {
          "n": "b\\c8",
          "p": "\\Local\\Google\\Chrome Beta\\User Data",
          "t": 1,
          "pn": "chrome.exe"
        },
        {
          "n": "b\\c8",
          "p": "\\Local\\Google\\Chrome Dev\\User Data",
          …
  - https://{IP}/y_e_z6-_osR9tcQ0w8j_CzQ49~Yc--GqAiE4@iDBkRpd (Exfiltrating information)
  - https://{IP} (Receive path information)
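Because the exfiltration and configuration paths are now issued per connection, a static URL signature no longer works; a detector has to follow the session, remember the path map returned for the GetEndpoints command, and classify later requests against it. The Go program below is an added example for this post, not code from ASEC or the malware: it validates a GetEndpoints response (the eleven short keys and random-looking path values seen in the exchange above, with the en dashes taken as “--”), then labels subsequent POSTs to the “c” path carrying an “Id” as the configuration request and POSTs to the “a” path as exfiltration. The three exchanges it processes are constructed from the values reported above; the request/response bodies are inspected as a TLS-inspecting proxy or sandbox would see them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Exchange is one request/response pair as reconstructed from a
// TLS-inspecting proxy or sandbox capture.
type Exchange struct {
	Method, Host, Path string
	ReqBody, RespBody  string
}

// randomPathRe matches the server-issued paths: a single segment drawn from
// letters, digits and the characters "-_.~@", with no file extension.
var randomPathRe = regexp.MustCompile(`^/[A-Za-z0-9_.~@-]{8,}$`)

// expectedKeys are the short names observed in the GetEndpoints response.
var expectedKeys = []string{"a", "g", "b", "m", "o", "w", "err", "t", "p", "f", "c"}

// ParseEndpoints validates a GetEndpoints response body and returns the
// key-to-path map, or an error if the shape does not match.
func ParseEndpoints(body string) (map[string]string, error) {
	var m map[string]string
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return nil, err
	}
	for _, k := range expectedKeys {
		v, ok := m[k]
		if !ok {
			return nil, fmt.Errorf("missing key %q", k)
		}
		if !randomPathRe.MatchString(v) {
			return nil, fmt.Errorf("key %q: %q is not a server-issued path", k, v)
		}
	}
	return m, nil
}

// Session tracks one client's exchanges with one C2 host.
type Session struct {
	endpoints map[string]string
}

// Classify labels an exchange in the context of what the session has seen
// so far; it returns "" for anything it cannot place.
func (s *Session) Classify(e Exchange) string {
	if e.Method != "POST" {
		return ""
	}
	if (e.Path == "/" || e.Path == "") && strings.Contains(e.ReqBody, `"GetEndpoints"`) {
		if m, err := ParseEndpoints(e.RespBody); err == nil {
			s.endpoints = m
			return "endpoint-request"
		}
		return "endpoint-request (unparsed response)"
	}
	if s.endpoints == nil {
		return ""
	}
	switch e.Path {
	case s.endpoints["c"]:
		if strings.Contains(e.ReqBody, `"Id"`) {
			return "config-request"
		}
	case s.endpoints["a"]:
		return "exfiltration"
	}
	return ""
}

// endpointResponse reproduces the path map from the captured exchange above.
const endpointResponse = `{"a":"/y_e_z6-_osR9tcQ0w8j_CzQ49~Yc--GqAiE4@iDBkRpd","g":"/t05_~ICW~~Dg8J-7",
"b":"/Z.Y@HgMvWN_6IuB-rI","m":"/Qufz-iR@3bnZG-ZV-K.Ja4Q_~vQJP7pw-1OHEKXwTUUbC",
"o":"/CIsMkC_~64P_GszI-jj_Tui_uSWB4u","w":"/6q6@bBWgRJJMNd-_.hc@2f~FYqhZ_qD1p7",
"err":"/l~1~HzgWe.0o2~_yO-k8","t":"/Z_J7ja95l~Xj_UyJr@cTZ-SR6gUPxW2",
"p":"/g~H_OM.6s10ID8jZTi2--KOlT-azK_s","f":"/6a2mgaQCayNn9s-i@4_ZoTH_","c":"/Y-g_hmMD~4.BmGm010Z"}`

// sampleExchanges is a constructed session built from the values above; the
// host is the C2 IP from this post and the bodies are placeholders.
var sampleExchanges = []Exchange{
	{"POST", "85.208.139.75", "/", `{"Command":"GetEndpoints"}`, endpointResponse},
	{"POST", "85.208.139.75", "/Y-g_hmMD~4.BmGm010Z", `{"Id":"f1575b64-8492-4e8b-b102-4d26e8c70371"}`, "QxdQ...(encrypted)"},
	{"POST", "85.208.139.75", "/y_e_z6-_osR9tcQ0w8j_CzQ49~Yc--GqAiE4@iDBkRpd", "(stolen data)", ""},
}

func main() {
	var s Session
	for _, e := range sampleExchanges {
		fmt.Printf("%s %s -> %s\n", e.Method, e.Path, s.Classify(e))
	}
}
```

The classifier is deliberately stateful: the same three requests seen without the preceding GetEndpoints exchange are unclassifiable, which is exactly the evasion the per-connection paths are meant to achieve, so captures must be correlated per client and host rather than matched line by line.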
ACRStealer is capable of exfiltrating information and installing additional malware strains, and the same applies to the modified samples. At the time of analysis, the C2 server responded with a configuration that instructed the malware to exfiltrate sensitive client information, such as information stored in multiple browsers, extension programs, cryptocurrency wallets, email/FTP/cloud storage accounts, sticky notes, account management programs, databases, and remote access programs, as well as document files (doc/txt/pdf) and other types of sensitive information. The configuration also instructed the malware to install additional malware strains.
According to an analysis by Proofpoint, ACRStealer has been rebranded as AmateraStealer. With ongoing feature updates, it has become one of the most active infostealer malware families, and users need to stay vigilant.