New ACRStealer Abuses Google Docs and Steam for C2 Server Via DDR Technique

Cybersecurity News (original source: cybersecuritynews.com), by Blog Writer

A sophisticated new variant of the ACRStealer information-stealing malware has emerged, demonstrating advanced evasion techniques and leveraging legitimate platforms for covert command-and-control operations.

The malware, which has been actively distributed since early 2024, represents a significant evolution in cybercriminal tactics: it uses Google Docs and the Steam gaming platform as communication channels through a Dead Drop Resolver (DDR) technique, in which the real C2 address is fetched from content hosted on a legitimate service rather than hard-coded in the binary.

The latest iteration of ACRStealer showcases remarkable technical sophistication, implementing multiple layers of detection evasion and analysis obstruction techniques.

Unlike traditional malware that relies on direct server communication, this variant utilizes legitimate online services as intermediary platforms, making detection considerably more challenging for security solutions.

The malware’s ability to blend malicious traffic with normal user activity on popular platforms represents a concerning development in the threat landscape.
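The detection difficulty described above comes from the dead-drop fetch itself looking like ordinary browsing. What remains visible is the sequence: a fetch of a public document or profile on a legitimate platform followed shortly by a TLS connection straight to a raw IP address. The script below is an added example (not ASEC's or the article's code) that correlates those two events per source host over constructed proxy/TLS log lines; the log format, the 60-second window, and the self-signed-certificate field are assumptions for the example, not details from the report.

```python
"""Correlate dead-drop fetches with follow-on direct-to-IP TLS sessions.

Added example, not from ASEC or the article. Heuristic: a host that pulls a
public document/profile from a dead-drop platform and, within a short window,
opens a TLS session to a raw IP presenting a self-signed certificate deserves
a closer look. Log format, window and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Platforms the article names as dead-drop hosts (extend for your estate).
DEAD_DROP_HOSTS = {"docs.google.com", "steamcommunity.com"}
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample telemetry: "<ISO time> <src_ip> http <host>"
#                            or "<ISO time> <src_ip> tls <dest> <cert_type>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01 10.0.0.5 http docs.google.com
2024-05-01T10:00:04 10.0.0.5 tls 203.0.113.10 self-signed
2024-05-01T10:01:30 10.0.0.7 http steamcommunity.com
2024-05-01T10:15:00 10.0.0.7 tls 198.51.100.4 self-signed
2024-05-01T10:02:00 10.0.0.9 http docs.google.com
2024-05-01T10:02:05 10.0.0.9 tls mail.example.com ca-signed
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, event, fields)."""
    ts, src, event, *rest = line.split()
    return datetime.fromisoformat(ts), src, event, rest


def is_ip_literal(value):
    """True when the TLS destination is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_ddr_candidates(log_text, window=WINDOW):
    """Return (src, dead_drop_host, dest_ip, seconds_between) for each
    dead-drop fetch followed inside `window` by a direct-to-IP TLS session
    whose certificate is self-signed."""
    per_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, event, rest = parse_line(line)
        per_host[src].append((ts, event, rest))

    alerts = []
    for src, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for ts, event, rest in events:
            if event != "http" or rest[0] not in DEAD_DROP_HOSTS:
                continue
            for ts2, event2, rest2 in events:
                if event2 != "tls" or not (ts < ts2 <= ts + window):
                    continue
                dest, cert_type = rest2[0], rest2[1]
                if is_ip_literal(dest) and cert_type == "self-signed":
                    delta = int((ts2 - ts).total_seconds())
                    alerts.append((src, rest[0], dest, delta))
    return alerts


if __name__ == "__main__":
    for alert in find_ddr_candidates(SAMPLE_LOGS):
        print("possible DDR follow-on:", alert)
```

On the constructed sample only 10.0.0.5 is flagged: 10.0.0.7 makes its raw-IP connection far outside the window, and 10.0.0.9 connects to a named host with a CA-issued certificate. In production the window and the self-signed requirement are tuning knobs; a hit is a triage lead, not a verdict, since some legitimate software also connects to bare IPs.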

ASEC analysts identified several critical modifications in the new variant that distinguish it from previous versions.

While the core information theft capabilities remain largely unchanged, the malware now incorporates advanced anti-analysis mechanisms and enhanced stealth features.

The threat actors have continuously developed new variants to expand functionality and improve evasion capabilities, indicating a well-resourced and persistent campaign.

The malware’s communication architecture abandons conventional HTTP libraries in favor of direct interaction with the Windows AFD (Ancillary Function Driver) using low-level NT functions such as NtCreateFile and NtDeviceIoControlFile.

This approach allows attackers to bypass library-based monitoring systems that security tools typically rely upon for network traffic analysis.
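Because the malware talks to the AFD device directly with NT-level calls, hooks on wininet, winhttp or ws2_32 never see the traffic. One defensive response is to baseline which processes connect to the network without ever loading the user-mode socket libraries, since a process that reaches the network with only ntdll loaded is unusual. The code below is an added example (not ASEC's or the article's code) that applies that check to constructed image-load and connect events; the event format is an assumption, and the list of "expected" networking DLLs is a starting point rather than an exhaustive one.

```python
"""Flag processes that open network connections without loading the usual
user-mode socket stack. Added example, not from ASEC or the article.
Event format and DLL list are assumptions for the example."""
from collections import defaultdict

# DLLs a process normally has loaded before any socket activity (assumption).
SOCKET_STACK_DLLS = {"ws2_32.dll", "mswsock.dll", "wininet.dll", "winhttp.dll"}

# Constructed sample events: "load <pid> <dll>" or "connect <pid> <dest>"
SAMPLE_EVENTS = """\
load 1001 kernel32.dll
load 1001 ws2_32.dll
connect 1001 93.184.216.34:443
load 2002 kernel32.dll
load 2002 ntdll.dll
connect 2002 203.0.113.10:443
load 3003 winhttp.dll
connect 3003 93.184.216.34:443
load 4004 ntdll.dll
"""


def parse_events(text):
    """Yield (event_type, pid, value) tuples from the constructed event text."""
    for line in text.strip().splitlines():
        event, pid, value = line.split(maxsplit=2)
        yield event, int(pid), value


def connects_without_socket_stack(event_text):
    """Return {pid: [destinations]} for processes that connected before any
    socket-stack DLL was loaded. Events are processed in order, so a DLL
    loaded after the connect does not retroactively clear the process."""
    loaded = defaultdict(set)
    suspicious = defaultdict(list)
    for event, pid, value in parse_events(event_text):
        if event == "load":
            loaded[pid].add(value.lower())
        elif event == "connect":
            if not loaded[pid] & SOCKET_STACK_DLLS:
                suspicious[pid].append(value)
    return dict(suspicious)


if __name__ == "__main__":
    for pid, dests in connects_without_socket_stack(SAMPLE_EVENTS).items():
        print(f"pid {pid} connected without socket DLLs: {dests}")
```

On the sample, only pid 2002 is reported: it reached 203.0.113.10 with nothing but kernel32 and ntdll loaded, which is the footprint the AFD-direct approach leaves. The same ordering logic works on real image-load and network-connect telemetry (Sysmon events 7 and 3, for instance), with a per-image allowlist for the handful of legitimate programs that do talk to AFD directly.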

Advanced Evasion Through Heaven’s Gate Technique

The modified ACRStealer implements the Heaven’s Gate technique for executing critical functions, particularly during command-and-control communication. This sophisticated method enables the execution of x64 code within WoW64 processes, effectively disrupting both automated detection systems and manual analysis efforts.

Figure: Self-signed certificate of the C2 server (Source: ASEC)

Heaven’s Gate operates by switching between x86 and x64 execution modes within the same process, creating a complex execution flow that confuses many security monitoring tools.

The technique proves particularly effective because it exploits the architectural differences between 32-bit and 64-bit Windows systems.

Figure: C2 connection code (Source: ASEC)

When the malware needs to perform sensitive operations like establishing C2 connections or exfiltrating data, it transitions to x64 mode execution, making it extremely difficult for traditional analysis tools to follow the execution path.
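The x86-to-x64 transition has a recognisable footprint in memory: a far call or far jump whose segment selector is 0x33 (the 64-bit code segment under WoW64), or the equivalent push 0x33 / call / add / retf sequence. Memory scanners and YARA-style rules look for exactly these byte patterns in the 32-bit process's writable or unbacked regions. The scanner below is an added example (not ASEC's or the article's code) that finds those three well-known patterns in a byte buffer; the sample buffer is constructed, and the pattern set is a minimal one.

```python
"""Scan a byte buffer for the far-transfer byte patterns used to enter x64
mode from a WoW64 process (Heaven's Gate). Added example, not from ASEC or
the article; the sample buffer is constructed for the demonstration."""
import re

# 0x33 is the x64 code-segment selector under WoW64; 0x23 is the x86 one.
X64_SELECTOR = b"\x33\x00"

# Well-documented opcode shapes of the transition. `.{4}` is the 32-bit
# target address, which varies, so it is wildcarded.
PATTERNS = {
    "call far 0x33:imm32": re.compile(rb"\x9A.{4}" + X64_SELECTOR, re.DOTALL),
    "jmp far 0x33:imm32": re.compile(rb"\xEA.{4}" + X64_SELECTOR, re.DOTALL),
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
    "push 0x33/call/add [esp],5/retf": re.compile(
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"),
}


def scan_for_heavens_gate(blob):
    """Return a sorted list of (offset, pattern_name) for every match."""
    hits = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


def build_sample_buffer():
    """Constructed buffer: NOP padding, the push/retf stub, more padding,
    a far jmp to a placeholder address, then int3 filler."""
    stub = b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"
    far_jmp = b"\xEA\x78\x56\x34\x12" + X64_SELECTOR  # placeholder target
    return b"\x90" * 16 + stub + b"\x90" * 8 + far_jmp + b"\xCC" * 4


if __name__ == "__main__":
    for offset, name in scan_for_heavens_gate(build_sample_buffer()):
        print(f"offset 0x{offset:04x}: {name}")
```

Two caveats when using this on live memory: the legitimate WoW64 layer (wow64cpu.dll) performs the same far jump, so matches inside that mapped image are expected and should be excluded, and a random byte run can contain 0x9A or 0xEA followed by 33 00 by chance, so a hit in a mapped, signed image is much less interesting than one in unbacked RWX memory.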

This implementation suggests the threat actors possess advanced technical knowledge and are specifically targeting enterprise environments where such evasion techniques prove most effective.
