ACR Stealer, a malware that has been active since 2024, is capable of extracting saved browser passwords, active session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders from enterprise networks. This threat gains access through user interaction, specifically when an individual pastes a command into the Run dialog and executes it, according to a recent report by The Hacker News.Microsoft has detailed two primary intrusion chains used by ACR Stealer. Both chains begin with a user pasting a command, but diverge in their execution. One method involves a fileless approach where a command spawns mshta.exe to fetch remote HTA content, which then decodes and executes PowerShell in memory. This PowerShell script retrieves a JPEG image containing the payload, which is then decrypted and executed. The malware targets credentials from Chrome and Edge browsers by accessing their databases and using DPAPI for decryption. The second chain, which leaves more traces on disk, involves downloading a DLL from a WebDAV share. This DLL is then executed, often disguised as a legitimate file. In some instances, a secondary Python loader communicates with blockchain RPC endpoints to retrieve payloads or command and control addresses.Neither attack chain exploits a software vulnerability; instead, they rely on social engineering and user execution. The lures used are often disguised as legitimate software updates or impersonate popular AI assistants, leading users to inadvertently execute malicious commands. This reliance on user interaction means traditional patching is insufficient to prevent these attacks.Source: The Hacker News
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds




