general · BleepingComputer
Microsoft has observed a surge in ACR Stealer attacks targeting its enterprise customers between late April and mid-June. The malware-as-a-service operation, believed to be a rebranding of Amatera Stealer, uses social engineering (ClickFix), WebDAV servers, and the MSHTA utility to deliver info-stealing payloads. The two most prevalent delivery chains involve either executing a malicious DLL via rundll32.exe from a WebDAV share, or using MSHTA to retrieve and execute obfuscated PowerShell downloaders that extract encrypted payloads from steganographic images. Once deployed, ACR Stealer targets browser-stored passwords, cookies, session data, authentication tokens, DPAPI-protected browser data, Chromium browser databases, PDFs, Microsoft 365 documents, and files from Desktop, Downloads, OneDrive, and SharePoint directories.
Defense contractors handling controlled unclassified information (CUI) should assess their endpoint detection and response (EDR) coverage to catch obfuscated PowerShell execution and suspicious scheduled tasks masquerading as software updates. SaaS platforms in SOC2 observation should review application-layer controls that restrict launching unsigned remote content via PowerShell, Python, mshta.exe, and rundll32.exe from non-standard paths. Healthcare and fintech organizations subject to HIPAA and PCI DSS should prioritize web-filtering rules that block low-reputation domains and restrict unnecessary external resource access. All regulated industries should review their user awareness training to reduce ClickFix social-engineering susceptibility. An Omniware engagement can scope detection gaps, persistence mechanisms, and data exfiltration vectors specific to your environment.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/microsoft-warns-of-surge-in-acr-stealer-attacks-on-customers/
Source: BleepingComputer
All briefings