In a disturbing new trend, hackers are using legitimate platforms like Google Docs to secretly control malware designed to steal sensitive data from users, according to a report by AhnLab Security Intelligence Center (ASEC). The malware is distributed under a “malware-as-a-service” model, and its abuse of trusted platforms to reach its operators makes it harder for security tools to detect. It is increasingly being used against both individuals and organizations worldwide.
Infostealer malware runs quietly in the background, which makes it hard to spot. Once it infects a system, it silently harvests sensitive data such as login credentials, credit card details, chat logs, and browsing history. These malicious programs are typically delivered through phishing emails, compromised websites, downloads masquerading as pirated software, or malicious attachments.
One of the most notorious infostealers is LummaC2, active since 2022, which targets browsers and steals passwords, cookies, and autofill data. A newer player, ACRStealer, was recently identified by ASEC and has been gaining traction in the cybercrime scene. It specializes in stealing system information, credentials, cryptocurrency wallet data, and configuration files from a range of programs.
What sets ACRStealer apart is how it locates its command-and-control (C2) servers. Rather than embedding the C2 address directly in the malware, the operators place it, Base64-encoded, on legitimate platforms such as Google Docs, Steam, and Telegra.ph. The malware fetches that public page, decodes the address, and only then connects to the real C2. This technique, known as a Dead Drop Resolver (DDR), gives the attacker two advantages: the first outbound connection goes to a trusted domain that most network filters allow, and the C2 address can be rotated by editing the public page rather than rebuilding and redistributing the malware. For defenders, a request to a well-known site is therefore not proof of benign activity; which process made the request, and what it connected to next, matters more than the destination.
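The following is an added example, not code from the ASEC report or from ACRStealer itself, that shows the mechanics of a dead drop resolver in the general form the paragraph describes: a public page carries a Base64-encoded C2 URL among ordinary text, and the resolver scans the page for Base64 tokens, decodes them, and keeps only those that yield a usable http(s) URL. The page body, the host names and the "config:" and "backup:" labels are all constructed for the example (the hosts are reserved example addresses); a real stealer would fetch the body over HTTPS from the legitimate service and the exact layout of its drop is not something this example claims to reproduce. The same scanner works for a defender who has a copy of a suspected dead-drop page and wants to pull the real C2 out of it.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlparse

# A loose Base64 token: 16 or more alphabet characters plus optional padding,
# not glued to other Base64 characters. Short runs are skipped to cut noise
# from ordinary words and identifiers in the surrounding page text.
_B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])"
)


def encode_for_drop(c2_url: str) -> str:
    """Operator side: the string that gets pasted into the public page."""
    return base64.b64encode(c2_url.encode("utf-8")).decode("ascii")


def _looks_like_c2(decoded: str) -> bool:
    """Accept only decoded tokens that parse as an http(s) URL with a host."""
    parsed = urlparse(decoded)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def find_encoded_c2(page_body: str) -> List[str]:
    """Return every Base64 token in the page that decodes to an http(s) URL,
    in document order. Tokens that are not valid Base64, not valid UTF-8, or
    do not decode to a URL are ignored, so decoys and ordinary text drop out."""
    found = []
    for token in _B64_TOKEN.findall(page_body):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if _looks_like_c2(decoded):
            found.append(decoded)
    return found


def resolve_dead_drop(page_body: str) -> Optional[str]:
    """Malware side: the first usable entry wins; None means the drop is empty
    or has been taken down, and the sample would have to fall back or give up."""
    hits = find_encoded_c2(page_body)
    return hits[0] if hits else None


# Constructed stand-in for the text of a public page used as a dead drop.
# The first token is a decoy that decodes to plain text; the next two are the
# primary and backup C2 (reserved example host names, hypothetical paths).
SAMPLE_PAGE = (
    "Weekly notes\n"
    "Reminder: rotate keys on Monday. " + encode_for_drop("just some notes") + "\n"
    "config: " + encode_for_drop("https://c2.example.net:8443/gate") + "\n"
    "backup: " + encode_for_drop("http://203.0.113.10/gate") + "\n"
)


if __name__ == "__main__":
    print("resolved C2:", resolve_dead_drop(SAMPLE_PAGE))
    print("all encoded C2 entries:", find_encoded_c2(SAMPLE_PAGE))
```

The decoy token shows why a resolver (or an analyst) cannot stop at "is this valid Base64": the drop page is full of legitimate-looking text, and only the decode-and-validate step separates the C2 from noise. Note also that the operator can change the primary C2 by editing one line of the public page; nothing in the malware has to change.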
The range of data ACRStealer can steal is extensive: not only browser data, but also text files, FTP credentials, remote-access program details, and VPN information. It also targets password managers and chat logs, making it a potent tool for cybercriminals seeking sensitive information.
As cybercriminals continue to evolve their tactics, both individuals and organizations must stay proactive in their cybersecurity efforts. The abuse of trusted platforms as intermediaries for malware command-and-control only underscores the growing complexity of modern cyberattacks.