Information-stealing malware ACRStealer added Google Docs as a means for covert command-and-control communications, reports Cybernews.
ACRStealer followed the lead of the LummaC2 infostealer in leveraging legitimate platforms to facilitate its distribution, Cybernews said.
Attacks involved fetching a base64-encoded string from the Google Docs page and decoding it to recover the actual C2 domain; once the server is located, ACRStealer exfiltrates browser data, FTP credentials, text files, emails, chat logs, remote access program information, password manager details, VPN data, browser extension information, and database details, according to findings from AhnLab Security Intelligence Center researchers.
Other services ACRStealer uses for intermediary C2 include Steam and telegra.ph. The development comes after a Hudson Rock report detailing infostealer attacks against the U.S. military and defense sector, impacting more than 500 employees from major defense and aerospace contractors Honeywell, Boeing, Lockheed Martin, and Leidos, and hundreds of other Army and Navy computers.
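The dead-drop pattern described above (a base64-encoded C2 hostname parked on a legitimate service such as Google Docs, Steam or telegra.ph, fetched and decoded by the malware) gives defenders a simple content-inspection heuristic: scan the text a host retrieves from such services for base64 tokens that decode to a hostname or URL. The script below is an added illustration of that heuristic and is not code from Cybernews, AhnLab or the malware; the sample document, the `callback-placeholder.example` hostname it hides, and the function names are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample: text as it might be captured by a proxy or DLP gateway
# from a document-sharing page. The embedded base64 token encodes the
# placeholder hostname "callback-placeholder.example", not a real indicator.
SAMPLE_DOCUMENT = """
Quarterly notes - shared with the team.
Budget review moved to Thursday.
Y2FsbGJhY2stcGxhY2Vob2xkZXIuZXhhbXBsZQ==
Reminder: update the spreadsheet.
"""

# Runs of base64 alphabet characters long enough to be worth decoding
# (short runs are just ordinary words and produce too much noise).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Hostname or URL shape: optional scheme, dotted labels, alphabetic TLD,
# optional port/path tail.
HOSTNAME = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?:[:/].*)?$")


def decode_candidates(text):
    """Yield (token, decoded) for base64-looking tokens that decode to printable ASCII."""
    for token in B64_TOKEN.findall(text):
        # Restore padding the author may have stripped, then decode strictly.
        padded = token + "=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # random binary, not a hidden string
        if decoded.isprintable():
            yield token, decoded


def find_dead_drop_hosts(text):
    """Return base64 tokens in `text` whose decoded value looks like a hostname or URL.

    Each finding is a dict with the raw token and its decoded value, suitable
    for raising an alert or enriching a proxy log entry.
    """
    findings = []
    for token, decoded in decode_candidates(text):
        value = decoded.strip()
        if HOSTNAME.match(value):
            findings.append({"token": token, "decoded": value})
    return findings


if __name__ == "__main__":
    for hit in find_dead_drop_hosts(SAMPLE_DOCUMENT):
        print(f"possible dead-drop resolver: {hit['token']} -> {hit['decoded']}")
```

In a real deployment the input would be the response bodies a proxy sees for the handful of content-hosting domains the report names, and a hit would be correlated with the requesting process; the minimum token length and the hostname pattern are the two knobs to tune against false positives from long identifiers in legitimate documents.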
Palo Alto Networks Unit 42 noted that infostealers are the leading threat faced by macOS devices.