New ACRStealer Exploits Google Docs and Steam for C2 Server Using DDR Technique

ACRStealer, an infostealer malware that has been circulating since last year and gained momentum in early 2025, continues to evolve with sophisticated modifications aimed at evading detection and complicating analysis.

Initially documented by AhnLab Security Intelligence Center (ASEC) for leveraging Google Docs and Steam as command-and-control (C2) servers through the Dead Drop Resolver (DDR) technique, the malware has now introduced a range of enhancements in its latest variants.

These updates focus on bypassing traditional monitoring tools while maintaining core information theft capabilities, such as extracting data from browsers, cryptocurrency wallets, email clients, FTP accounts, cloud storage, sticky notes, account managers, databases, remote access tools, and document files like DOC, TXT, and PDF.

It also acts as a loader, installing additional malware on the infected host, so an infection rarely ends with the infostealer itself.

Evolution of ACRStealer

The threat actors behind ACRStealer have added Heaven's Gate, a technique that lets a 32-bit process running under WoW64 switch into 64-bit mode and execute x64 code. ACRStealer uses it selectively, around critical operations such as establishing the C2 connection.

(Figure: C2 connection code)

Heaven's Gate is popular in malware offered as a service because a single 32-bit build runs on both 32-bit and 64-bit Windows, yet the mode switch lets it step outside the 32-bit environment that most user-mode hooks, emulators and sandboxes follow. Once execution jumps to 64-bit mode those tools lose track of the code path, which disrupts dynamic analysis and defeats signatures written against the 32-bit flow.

Instead of the usual C2 communication libraries such as WinHTTP or Winsock, the modified ACRStealer talks to the Ancillary Function Driver (AFD), the kernel component behind Windows sockets, through low-level NT functions: it opens a socket handle on the AFD device with NtCreateFile and drives connect, send and receive through NtDeviceIoControlFile.

The HTTP request is assembled by hand as a byte string and written through that handle, so nothing passes through ws2_32.dll or winhttp.dll, where user-mode hooks and library-level monitoring usually sit.

The implementation appears to be derived from the open-source NTSockets project, which demonstrates exactly this AFD-based socket I/O. For analysts the practical consequence is that a sample may carry no socket-library imports at all; its network activity surfaces only as a handle to \Device\Afd and the corresponding NtDeviceIoControlFile calls.

The malware also separates the address it connects to from the name it claims: the destination IP address is hardcoded, while the Host header of the hand-built HTTP request carries a different, hardcoded domain. Some variants fill that header with legitimate names such as microsoft.com, avast.com, facebook.com, google.com or pentagon.com so that tools which key on the Host header misattribute the traffic.

In some samples the effect is that sandboxes and services such as VirusTotal list the benign domain from the Host header rather than the real C2 address, such as 85.208.139.75, which complicates attribution and response.
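Because the Host header is chosen by the malware while the TCP destination is a hardcoded IP, the durable signal for a defender is the mismatch between the two. The following Go program is an added example, not code from the ASEC report or from ACRStealer: it parses raw HTTP requests recovered from a capture or proxy log, correlates each Host header with the DNS answers observed on the same host, and also flags the static /Up/x path and enc_ endpoints that the report describes. All log data is constructed; the 85.208.139.75 address is the one cited above, and the DNS-correlation approach, the 198.51.100.10 test address and the request strings are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Request is one HTTP request recovered from a capture or proxy log: the IP
// the client actually connected to, plus the raw request bytes as sent.
type Request struct {
	DstIP string
	Raw   string
}

// Finding is one alert produced by Analyze.
type Finding struct {
	DstIP, Host, Path, Reason string
}

const (
	ReasonSpoofedHost = "Host header names a domain that never resolved to the destination IP"
	ReasonLegacyPath  = "static legacy C2 path /Up/x"
	ReasonEncEndpoint = "enc_-prefixed endpoint (AES layer present)"
)

// Analyze correlates each request's Host header with the DNS answers seen on
// the same host (dnsAnswers: queried name -> IPs returned, e.g. from Zeek
// dns.log). A hardcoded destination IP combined with a Host header borrowed
// from a well-known domain shows up as a Host that never resolved to that IP.
func Analyze(dnsAnswers map[string][]string, reqs []Request) ([]Finding, error) {
	var out []Finding
	for _, r := range reqs {
		req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(r.Raw)))
		if err != nil {
			return nil, fmt.Errorf("request to %s: %w", r.DstIP, err)
		}
		host := strings.ToLower(req.Host)
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // drop an explicit :port
		}
		path := req.URL.Path
		add := func(reason string) { out = append(out, Finding{r.DstIP, host, path, reason}) }

		// A literal-IP Host is fine only if it matches where the client went;
		// a domain Host is fine only if DNS on this host returned the destination.
		literal := net.ParseIP(host) != nil
		if (literal && host != r.DstIP) || (!literal && !contains(dnsAnswers[host], r.DstIP)) {
			add(ReasonSpoofedHost)
		}
		if path == "/Up/x" {
			add(ReasonLegacyPath)
		}
		for _, seg := range strings.Split(path, "/") {
			if strings.HasPrefix(seg, "enc_") { // assumption: marker is a path-segment prefix
				add(ReasonEncEndpoint)
				break
			}
		}
	}
	return out, nil
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// SampleCapture returns CONSTRUCTED data: one legitimate request and two
// requests that reuse the report's hardcoded C2 IP with borrowed Host headers.
func SampleCapture() (map[string][]string, []Request) {
	dns := map[string][]string{"www.google.com": {"198.51.100.10"}}
	reqs := []Request{
		{"198.51.100.10", "GET /search?q=test HTTP/1.1\r\nHost: www.google.com\r\n\r\n"},
		{"85.208.139.75", "GET /Up/x HTTP/1.1\r\nHost: google.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
		{"85.208.139.75", "POST /enc_9f3c2a HTTP/1.1\r\nHost: microsoft.com\r\nContent-Type: application/json\r\nContent-Length: 2\r\n\r\n{}"},
	}
	return dns, reqs
}

func main() {
	findings, err := Analyze(SampleCapture())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s Host=%s Path=%s: %s\n", f.DstIP, f.Host, f.Path, f.Reason)
	}
}
```

The path checks are fragile by design of the malware: the report notes that newer samples replace /Up/x with server-issued random paths, so the Host-versus-DNS mismatch is the check worth keeping, and it applies equally to HTTPS once the SNI or certificate name is substituted for the Host header.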

Enhanced C2 Protocols

Configuration data is encrypted as in earlier versions, with Base64 combined with RC4 under the key rendered on the page as "852149723×00" (most likely the string 852149723 followed by a NUL byte, \x00). C2 communication runs over HTTP or HTTPS to fetch the configuration and exfiltrate stolen data.

Early iterations were hosted behind Cloudflare, which restricted Host-header spoofing to the HTTP samples; newer variants serve HTTPS from their own servers with self-signed certificates, so domain spoofing no longer depends on a cloud front.

(Figure: Self-signed certificate of the C2 server)

A further layer of AES-256 in CBC mode, with a hardcoded key (7640FED98A53856641763683163F4127B9FC00F9A788773C00EE1F2634CEC82F) and initialization vector (55555555555555555555555555555555), encrypts the transmitted payloads; requests that carry this layer use an "enc_" prefix in the URL so the server can tell them from legacy clients. Because both key and IV are fixed in the binary, anyone holding the sample can decrypt captured traffic.
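To make the two encryption layers concrete, here is an added Go example (not code from ASEC or from the malware) that implements both decryption steps with the constants quoted above: Base64 then RC4 for the configuration, and AES-256-CBC under the fixed key and IV for enc_ payloads. Assumptions: the RC4 key is read as "852149723" plus a trailing NUL byte, decoding runs Base64 before RC4, and the AES layer uses PKCS#7 padding; all sample data is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rc4"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constants quoted in the report. The RC4 key is rendered there as
// "852149723×00"; this example ASSUMES that means "852149723" plus a NUL byte.
var rc4Key = []byte("852149723\x00")

const (
	aesKeyHex = "7640FED98A53856641763683163F4127B9FC00F9A788773C00EE1F2634CEC82F" // 32 bytes -> AES-256
	aesIVHex  = "55555555555555555555555555555555"                                 // 16 bytes
)

// DecryptConfig undoes the configuration encoding. Order is an assumption:
// Base64-decode first, then RC4 with the hardcoded key.
func DecryptConfig(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	return RC4Apply(raw)
}

// RC4Apply runs the RC4 keystream over data; RC4 is symmetric, so the same
// call encrypts (to build samples) and decrypts.
func RC4Apply(data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(rc4Key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// DecryptEncPayload decrypts a body exchanged with an "enc_" endpoint:
// AES-256-CBC under the fixed key and IV, then PKCS#7 unpadding (padding
// scheme assumed; the report does not state it).
func DecryptEncPayload(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16 bytes")
	}
	block, iv, err := aesCBCParams()
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// EncryptEncPayload is the inverse, used here only to construct sample traffic.
func EncryptEncPayload(plain []byte) ([]byte, error) {
	block, iv, err := aesCBCParams()
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func aesCBCParams() (cipher.Block, []byte, error) {
	key, err1 := hex.DecodeString(aesKeyHex)
	iv, err2 := hex.DecodeString(aesIVHex)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("bad hex constants")
	}
	block, err := aes.NewCipher(key)
	return block, iv, err
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

func main() {
	// Constructed sample: encode a fake config and payload, then decode both.
	enc, _ := RC4Apply([]byte(`{"c2":"85.208.139.75","path":"/Up/x"}`))
	cfg, err := DecryptConfig(base64.StdEncoding.EncodeToString(enc))
	ct, _ := EncryptEncPayload([]byte("constructed stolen-data blob"))
	pt, _ := DecryptEncPayload(ct)
	fmt.Printf("config: %s (err=%v)\nenc_ payload (%d ct bytes): %s\n", cfg, err, len(ct), pt)
}
```

Point DecryptConfig at a Base64 configuration blob pulled from a sample, or DecryptEncPayload at the body of a captured enc_ request, and the output is the plaintext the malware exchanged. That is convenient for incident scoping, and it is also the caveat: a fixed key and IV protect the traffic only from casual inspection, never from an analyst who has the binary.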

Recent samples have further refined C2 processes by adopting dynamic, server-issued random strings for paths, replacing static ones like /Up/x, and shifting configuration requests from GET to POST methods with JSON-structured data.

The first exchange is therefore a handshake that hands the client its endpoint paths, so static URL patterns no longer identify the traffic.

According to Proofpoint, ACRStealer has been rebranded as AmateraStealer, and its continued feature expansion places it among the most active infostealers.

New variants continue to appear. A sample of indicators follows; additional hashes and network indicators are available on AhnLab TIP.

Indicators of Compromise (IOC)

MD5 hashes:
047135bc4ac5cc8269cd3a4533ffa846
09825dd40ba8ba3c1ce240e844d650a8
20fb6cc7760289d09071f6bbba6ac591
248faa2393653779e971b8d54abd3b4c
2d57b9b630bb9ca18b9f14387febb843

C2 IP addresses (labelled "FQDNs" in the original table, but every entry is an IPv4 address; defanged):
104[.]21[.]48[.]1
178[.]130[.]47[.]243
185[.]100[.]159[.]193
185[.]76[.]243[.]208
185[.]76[.]243[.]214
