Full Report
Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025. A notable aspect of the stealer malware is the use of a technique called dead drop
Analysis Summary
# Tool/Technique: Lumma Stealer and ACR Stealer Campaign
## Overview
A recent malware campaign is actively distributing information stealers, specifically **Lumma Stealer** and **ACR Stealer**, by using cracked versions of legitimate software as a lure on compromised systems. ACR Stealer, in particular, has shown a spike in distribution volume since January 2025.
## Technical Details
- Type: Malware family (Information Stealers)
- Platform: Windows (Inferred from execution patterns like PowerShell and MMC)
- Capabilities: Information harvesting (credentials, browser data, cryptocurrency wallet data), C2 communication via "dead drop resolver" technique.
- First Seen: ACR Stealer distribution spike reported since January 2025.
## MITRE ATT&CK Mapping
Information related to the C2 communication technique is mapped:
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- **T1071.001 - Web Protocols** (Used conceptually when accessing legitimate services for C2 resolution)
- **T1102 - Web Service**
- **T1102.001 - Dead Drop Resolver** (Explicitly mentioned for ACR Stealer C2 retrieval)
## Functionality
### Core Capabilities
- Installation and execution via lures posing as cracked software.
- Harvesting extensive sensitive data from infected endpoints.
- Exfiltration of stolen information to threat actor-controlled infrastructure.
### Advanced Features
- **Dead Drop Resolver C2:** ACR Stealer uses this sophisticated technique to locate its actual Command and Control (C2) domain. It retrieves the C2 address from specific pages on legitimate services (Steam, Telegram's Telegraph, Google Forms, and Google Slides), where the domain is encoded in Base64.
## Indicators of Compromise
*Note: The article does not provide specific hashes or network indicators for the Lumma/ACR Stealer campaign utilizing cracked software, only behavioral patterns.*
- File Hashes: [Not provided in the context]
- File Names: [Inferred to be related to names of cracked software]
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 servers resolved dynamically via legitimate third-party services (Steam, Telegraph, Google Forms, Google Slides).
- Behavioral Indicators: Accessing specific pages on external services to decode a Base64 string representing the actual C2 domain.
## Associated Threat Actors
- The specific threat actor group responsible for this particular campaign is **not explicitly named** in the provided context, only that ASEC observed the activity.
## Detection Methods
- Signature-based detection: Requires signatures for Lumma Stealer and ACR Stealer payloads.
- Behavioral detection: Monitoring for processes accessing web services (Google Forms/Slides/Telegram) to decode and retrieve encoded strings, which is indicative of a dead drop resolver implementation.
- YARA rules: [Not provided in the context]
## Mitigation Strategies
- **Prevention:** Exercise extreme caution when downloading or running "cracked" or pirated software, as this is the primary infection vector.
- **Hardening:** Implement strict application whitelisting policies.
- **Network Monitoring:** Monitor outbound traffic to legitimate services (such as Google Forms) for abnormal requests and, once known C2 patterns are established, for pages carrying unusual plaintext or encoded data.
## Related Tools/Techniques
- **Rhadamanthys Stealer:** Mentioned as being distributed via a separate campaign utilizing CVE-2024-43572 exploits embedded in `.MSC` files disguised as MS Word documents.
- **Zhong Stealer:** Mentioned as being distributed by exploiting chat support platforms like Zendesk.
- **Hijack Loader:** Previously used to distribute ACR Stealer.
- **CVE-2024-43572 (GrimResource):** A vulnerability in `apds.dll` exploited in the Rhadamanthys distribution process.
---
# Tool/Technique: Rhadamanthys Stealer via MSC files
## Overview
A secondary malware campaign observed by ASEC delivers the **Rhadamanthys Stealer** using files with the `.MSC` extension (Microsoft Management Console snap-in files), which are opened and executed by MMC. These files are disguised as MS Word documents.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows
- Capabilities: Delivery via `.MSC` files, execution using MMC, exploitation of CVE-2024-43572 or direct execution via Console Taskpad.
- First Seen: Associated campaign observed recently by ASEC.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- **T1204 - User Execution**
- **T1204.002 - Malicious File**
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (By disguising the MSC file as a Word document)
- **T1127 - Trusted Developer Utilities** (Use of MMC)
## Functionality
### Core Capabilities
- Disguising execution payload as a common document type (MS Word).
- Executing arbitrary code via the Microsoft Management Console (`.MSC` file).
- Downloading and executing a PowerShell script from an external source, which delivers the final Rhadamanthys dropper EXE.
### Advanced Features
- **Vulnerability Exploitation:** One variant of the `.MSC` malware exploits **CVE-2024-43572 (GrimResource)** in `apds.dll`.
- **Taskpad Execution:** Another variant uses the 'command' task type of the Console Taskpad feature to launch its payload, achieving execution without relying solely on the vulnerability.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Files with the `.MSC` extension disguised as MS Word documents.
- Registry Keys: [Not provided in the context]
- Network Indicators: An outbound connection to an external host to download the PowerShell script.
- Behavioral Indicators: Execution of an `.MSC` file resulting in the download of an EXE via PowerShell.
## Associated Threat Actors
- Not explicitly named in the context.
## Detection Methods
- Signature-based detection: Signatures for the Rhadamanthys dropper EXE.
- Behavioral detection: Monitoring for the execution of `.MSC` files initiating network connections or executing PowerShell scripts.
- YARA rules: [Not provided in the context]
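As an added detection example for the chain in the Functionality and Detection Methods sections above (not code from ASEC or the original page), the following flags mmc.exe launched with a `.msc` file that spawns a PowerShell process referencing a URL, and reports any executable that PowerShell then starts. The process events, paths and the placeholder download URL are constructed for the example.

```python
"""Flag the .MSC -> MMC -> PowerShell download -> EXE chain described above.
Events are constructed, Sysmon-style process-creation records; the paths and
the placeholder download URL are illustrative, not from the ASEC report."""

# (pid, ppid, image path, command line)
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\mmc.exe",
     r'mmc.exe "C:\Users\u\Downloads\Contract.docx.msc"'),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -w hidden -c "... http://placeholder.invalid/s.ps1 ..."'),
    (400, 300, r"C:\Users\u\AppData\Local\Temp\update.exe", "update.exe"),
    # Benign: an administrator opening a built-in console, no PowerShell child.
    (500, 100, r"C:\Windows\System32\mmc.exe",
     r'mmc.exe "C:\Windows\System32\eventvwr.msc"'),
]

def image_name(path):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def msc_chains(events):
    """Return one finding per PowerShell process whose parent is mmc.exe
    launched with a .msc file and whose command line references a URL.
    Any executable that PowerShell then spawns is reported as the dropper."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        if image_name(image) != "powershell.exe":
            continue
        parent = by_pid.get(ppid)
        if parent is None or image_name(parent[2]) != "mmc.exe":
            continue
        if ".msc" not in parent[3].lower() or "http" not in cmd.lower():
            continue
        droppers = [e[2] for e in events
                    if e[1] == pid and image_name(e[2]).endswith(".exe")]
        findings.append({"msc_cmdline": parent[3], "ps_pid": pid,
                         "droppers": droppers})
    return findings

if __name__ == "__main__":
    for finding in msc_chains(EVENTS):
        print("MSC delivery chain:", finding)
```

In production the same logic runs over Sysmon Event ID 1 or EDR process-creation telemetry, keyed on ParentProcessId rather than the constructed tuples.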
## Mitigation Strategies
- **Patching:** Ensure systems are patched against **CVE-2024-43572** (Microsoft patched this vulnerability in October 2024).
- **Application Control:** Restrict the execution of `.MSC` files where possible, or monitor heavily for their invocation using MMC.
- **Script Execution Control:** Limit or audit PowerShell execution from unusual parent processes.
## Related Tools/Techniques
- **CVE-2024-43572 (GrimResource):** The vulnerability exploited by one delivery variant.
- **Lumma Stealer and ACR Stealer:** Other stealers currently in circulation.
---
# Technique: Dead Drop Resolver for C2 Communication
## Overview
The **Dead Drop Resolver** is a command-and-control (C2) technique used by the threat actor behind ACR Stealer to obscure the true location of their infrastructure. Instead of hosting the C2 on a dedicated malicious domain, they embed the actual C2 address on seemingly legitimate, trusted web services.
## Technical Details
- Type: Technique
- Platform: All (Relies on external web services)
- Capabilities: Hiding the actual C2 address by encoding it (Base64) and placing it on public/trusted platforms.
- First Seen: Used by ACR Stealer in this modern campaign (spike since Jan 2025).
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- **T1102 - Web Service**
- **T1102.001 - Dead Drop Resolver**
## Functionality
### Core Capabilities
- The attacker posts the Base64 encoded C2 domain to a specific, designated page hosted on a legitimate service (e.g., Google Forms).
- The malware accesses this page, parses the content, decodes the string, and retrieves the final C2 address for communication.
### Advanced Features
- **Evasion:** Leverages the reputation of services like Steam, Telegram's Telegraph, Google Forms, and Google Slides to bypass network filtering that typically monitors traffic only to unknown or flagged domains.
## Indicators of Compromise
- File Hashes: [N/A - Technique based]
- File Names: [N/A - Technique based]
- Registry Keys: [N/A - Technique based]
- Network Indicators: Outbound connections to legitimate services such as `forms.google.com`, `telegraph.com`, or `slides.google.com` containing specific, non-standard traffic patterns indicative of C2 retrieval requests.
- Behavioral Indicators: Processes accessing external web pages, parsing the return content, and executing Base64 decoding functions immediately prior to making new external connections.
## Associated Threat Actors
- Threat actors utilizing **ACR Stealer** in the current campaign.
## Detection Methods
- Signature-based detection: [Not effective for network activity alone]
- Behavioral detection: Monitoring for applications accessing URLs on known legitimate platforms and subsequently using decoding APIs or functions on the retrieved content. Anomaly detection based on content retrieved from these services.
- YARA rules: [Not applicable]
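To make the Core Capabilities and Detection Methods above concrete, here is an added example (not from the ASEC report or the original page): it scans content fetched from a trusted service for Base64 tokens that decode to a domain, then correlates that hidden domain with a later outbound connection from the same host and process in a proxy log. The page body, the proxy log and the trusted-service hostnames are all constructed or assumed for the example.

```python
"""Detect dead-drop-resolver C2 retrieval: find Base64 tokens in content
fetched from a trusted service that decode to a domain, then correlate with
a later outbound connection to that domain from the same host and process."""
import base64
import re
from datetime import datetime, timedelta

# Constructed page body: a profile page with a hidden Base64 token that
# decodes to "c2.example.invalid"; the second token is harmless filler.
SAMPLE_PAGE = (
    "Welcome to my profile! Favourite games listed below.\n"
    '<span class="note">YzIuZXhhbXBsZS5pbnZhbGlk</span>\n'
    "<p>SGF2ZSBhIG5pY2UgZGF5IQ==</p>\n"
)
# Constructed proxy log: timestamp, host, process, destination host.
PROXY_LOG = """\
2025-02-03T10:00:01 WS-17 Setup_crack.exe steamcommunity.com
2025-02-03T10:00:03 WS-17 Setup_crack.exe c2.example.invalid
2025-02-03T10:05:00 WS-22 chrome.exe steamcommunity.com
"""
# Assumed hostnames for the services the report names (Steam, Telegraph, Google).
TRUSTED = {"steamcommunity.com", "telegra.ph", "docs.google.com"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DOMAIN = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:].*)?$", re.I)

def decoded_domains(text):
    """Domains hidden as Base64 tokens in `text`, lower-cased."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:  # fix padding, reject non-alphabet input and non-ASCII output
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            match = DOMAIN.match(raw.decode("ascii").strip())
        except (ValueError, UnicodeDecodeError):
            continue
        if match:
            found.append(match.group(1).lower())
    return found

def correlate(page_text, log, window=timedelta(minutes=5)):
    """(host, process) pairs that fetched a trusted service and, within
    `window`, connected to a domain hidden in that service's content."""
    hidden = set(decoded_domains(page_text))
    last_fetch, hits = {}, []
    for line in log.splitlines():
        ts, host, proc, dest = line.split()
        t, key = datetime.fromisoformat(ts), (host, proc)
        if dest in TRUSTED:
            last_fetch[key] = t
        elif dest in hidden and key in last_fetch and t - last_fetch[key] <= window:
            hits.append(key)
    return hits
```

The content side is only applicable where TLS inspection or endpoint telemetry exposes the fetched page; without it, the temporal correlation of trusted-service fetch followed by a first-seen domain is still usable on proxy logs alone.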
## Mitigation Strategies
- **Network Egress Filtering:** While challenging due to the use of trusted services, security teams can monitor traffic to these platforms for deviations in content requests or user-agent strings.
- **Application Control:** Restrict which processes are allowed to make HTTP/S connections that might lead to C2 resolution.
## Related Tools/Techniques
- **Lumma Stealer:** Used concurrently in the same campaign.
- **General C2 Obfuscation:** Any technique that hides C2 infrastructure using legitimate services.