ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

Summary

The ACR Stealer malware, active since 2024, is capable of exfiltrating sensitive data including browser passwords, active session tokens, PDFs, and Microsoft 365 files from synced cloud storage. It achieves initial access through user execution of malicious commands, as detailed by Microsoft's Defender Experts team.

IFF Assessment

FOE

This article details a new malware variant capable of stealing valuable credentials and sensitive documents, posing a direct threat to individuals and organizations.

Defender Context

Defenders should be aware of infostealers like ACR Stealer that target browser data and cloud-synced files. User education on safe command execution and vigilance against social engineering tactics that could lead to such commands are crucial prevention measures. Monitoring for unusual data exfiltration from endpoints and cloud storage should also be prioritized.

Read Full Story →