New Variant of ACRStealer Actively Distributed with Modifications

SUMMARY :

A modified version of the ACRStealer infostealer is being actively distributed, featuring enhanced detection evasion and analysis obstruction techniques. The malware uses the Heaven's Gate technique for executing x64 code in WoW64 processes and implements low-level NT functions for C2 communications. It employs domain disguising, self-signed certificates, and data encryption. Recent variants have introduced random string paths for exfiltration and changed the configuration request method. ACRStealer, now rebranded as AmateraStealer, can steal sensitive information from various sources and install additional malware. The ongoing feature updates make it one of the most active infostealer variants, posing a significant threat to users.

OPENCTI LABELS :

infostealer,anti-analysis,c2 communication,heaven's gate,acrstealer,amaterastealer,data encryption,detection evasion


AI COMMENTARY :

1. Introduction: The cybersecurity community has recently identified a new modified variant of the ACRStealer infostealer that is being actively distributed with significant enhancements. Dubbed AmateraStealer in its latest evolution, this threat actor has incorporated advanced mechanisms to slip past conventional defenses. The revamped malware maintains its core objective of pilfering sensitive user data while adopting fresh tactics to remain undetected for longer periods. Analysts first flagged this threat when unexpected network traffic surfaced, leading to a deeper investigation that revealed the full extent of its capabilities.

2. Detection Evasion and Anti-Analysis Techniques: The new variant employs sophisticated detection evasion methods to avoid sandbox and virtual machine environments. It leverages the Heaven’s Gate technique, which allows 64-bit instructions to execute within a 32-bit WoW64 process context, confounding typical analysis tools. Additionally, AmateraStealer uses domain disguising strategies alongside self-signed certificates to hide command and control (C2) endpoints. All harvested data is encrypted before exfiltration, further complicating threat intelligence efforts aimed at intercepting and decoding stolen information.

3. Enhanced C2 Communication: At the heart of this infostealer’s resilience lies its low-level implementation of NT functions for C2 communications. By bypassing higher-level APIs, it minimizes detectable network footprints and evades endpoint protections that rely on monitoring common Windows networking calls. The malware also adapts its configuration request method, switching protocols dynamically based on environmental checks, and uses a combination of domain generation and encryption routines to maintain a secure channel with its operators even under heightened scrutiny.

4. Advanced Exfiltration Mechanisms: Recent iterations of the malware introduce randomized string paths for exfiltration, ensuring that each data transfer appears unique. This unpredictability hinders signature-based detection and makes it difficult for defenders to block outbound traffic effectively. The altered configuration request process also adds variability to each infection, reducing the chances that repeated patterns will be flagged by intrusion detection systems. These changes demonstrate the author’s commitment to staying one step ahead of defenders by constantly refining exfiltration tactics.

5. Rebranding and Expanded Capabilities: Once known as ACRStealer, the infostealer’s rebranding to AmateraStealer comes hand in hand with expanded functionality. Beyond harvesting passwords, cookies, and cryptocurrency wallets, the malware now can drop additional payloads such as remote access trojans or ransomware. This modular approach enables threat actors to pivot mid-campaign, choosing to monetize infections through multiple avenues. The evolving feature set, including support for new file types and browser profiles, solidifies AmateraStealer’s position as one of the most active and versatile infostealer variants in circulation today.

6. Threat Assessment and Mitigation Strategies: The ongoing updates and aggressive distribution of AmateraStealer represent a significant threat to both individual users and corporate environments. Security teams should prioritize behavioral analysis solutions capable of detecting unusual use of NT functions and monitor for anomalous WoW64 process activity. Enforcing strict certificate validation policies and employing network segmentation can disrupt its domain disguising efforts. Regularly updating endpoint protection software and conducting threat hunting exercises focused on anti-analysis indicators will help organizations stay resilient against this dynamic infostealer.


OPEN NETMANAGEIT OPENCTI REPORT LINK!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


New Variant of ACRStealer Actively Distributed with Modifications