Google Docs tapped by ACRStealer malware for C2

Malware, Threat Intelligence, Application security

Information-stealing malware ACRStealer has followed the lead of the LummaC2 infostealer in leveraging legitimate platforms to facilitate its distribution, having added Google Docs as a means for covert command-and-control communications, reports Cybernews. Attacks involved the retrieval and decoding of the legitimate C2 domain from base64, enabling ACRStealer to exfiltrate browser data, FTP credentials, text files, emails, chat logs, remote access program information, password manager details, VPN data, browser extension information, and database details, according to findings from AhnLab Security Intelligence Center researchers. Other services used by ACRStealer as intermediary C2 include Steam and telegra.ph. This development comes after a Hudson Rock report detailing infostealer attacks against the U.S. military and defense sector, impacting not only more than 500 employees of major defense and aerospace contractors Honeywell, Boeing, Lockheed Martin, and Leidos, but also hundreds of other Army and Navy computers. Infostealers were also noted by Palo Alto Networks Unit 42 to be the leading threat faced by macOS devices.
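The dead-drop pattern described above (a public document holding the real C2 domain as a base64 string) is something an analyst can triage quickly. The following helper is an added example for defenders, not code from the report or from any vendor: it scans text retrieved from a suspected dead-drop document, decodes every base64-looking token, and keeps only those that decode to a syntactically valid hostname. The sample document text and the placeholder domain (c2.example.net) are constructed for the example; the token and hostname regexes are heuristics chosen here, not anything ACRStealer is known to use.

```python
import base64
import binascii
import re

# Constructed sample of text pulled from a public document suspected of
# acting as a dead-drop resolver. The first token is base64 of the
# placeholder "c2.example.net"; the second decodes to ordinary prose.
SAMPLE_DOC_TEXT = """
Quarterly notes - draft
YzIuZXhhbXBsZS5uZXQ=
lorem ipsum dolor sit amet
dGhpcyBpcyBub3QgYSBkb21haW4=
"""

# Heuristic: a run of base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Heuristic hostname check: dotted labels, alphabetic TLD, RFC 1035 lengths.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def decode_candidates(text):
    """Return (token, decoded) pairs for tokens that decode to printable ASCII."""
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 (bad length/padding), skip it
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary junk rather than an embedded string
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def find_dead_drop_domains(text):
    """Return decoded strings that look like hostnames (possible C2 addresses)."""
    return [
        decoded.strip().lower()
        for _, decoded in decode_candidates(text)
        if HOSTNAME.match(decoded.strip().lower())
    ]


if __name__ == "__main__":
    for domain in find_dead_drop_domains(SAMPLE_DOC_TEXT):
        print("candidate C2 hostname:", domain)
```

Any hostname this returns is only a lead: confirm it against proxy or DNS logs from the affected host before treating it as an indicator.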