ACRStealer—recently rebranded as AmateraStealer—has emerged as one of the most sophisticated infostealers in the wild, marked by relentless updates and increasingly evasive techniques. According to a detailed report by the AhnLab Security Intelligence Center (ASEC), the malware has undergone substantial modifications in 2024, enhancing its detection evasion, data exfiltration, and communication methods.
Initially known for abusing Google Docs and Steam as Command and Control (C2) channels via a Dead Drop Resolver (DDR), ACRStealer has shifted to more direct and obscure techniques. The latest version exhibits a stark evolution in stealth strategy. Rather than relying on typical libraries such as WinHTTP or Winsock, the malware now uses low-level NT functions—notably NtCreateFile and NtDeviceIoControlFile—to establish socket communication by interacting directly with the AFD driver.
“This method allows attackers to bypass library-based monitoring. It is suspected that the threat actor referred to an open-source project called ‘NTSockets’,” ASEC explains.
Additionally, ACRStealer employs the Heaven’s Gate technique to execute x64 code in WoW64 processes, which hinders traditional analysis on x86 processors and is commonly used by service-type malware to evade scrutiny.
To further obscure its C2 connections, ACRStealer hardcodes legitimate domain names in the HTTP header while communicating with a separate C2 IP address. This misdirection can deceive network monitoring tools.
“So far, micosoft.com, avast.com, facebook.com, google.com, and pentagon.com have been used as disguise domains,” ASEC reports.
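Detection logic for the Host header misdirection described above, as an added example that is not part of the ASEC report: it reads constructed proxy log lines (not real telemetry), flags a Host header whose destination IP falls outside the address ranges an organisation has learned for that domain (the EXPECTED_RANGES table and the documentation-range IPs are assumed values), and separately flags look-alike hosts such as micosoft.com.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed proxy log lines (not real telemetry); 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 dst=203.0.113.10 host=google.com method=GET path=/
2024-05-01T10:00:02 dst=198.51.100.7 host=google.com method=POST path=/Up/x
2024-05-01T10:00:03 dst=198.51.100.7 host=micosoft.com method=POST path=/a8f3k2
2024-05-01T10:00:04 dst=203.0.113.44 host=example.org method=GET path=/index.html
""".splitlines()

# Domains the ASEC report says the stealer hardcodes in the Host header while talking to an unrelated C2 IP.
DISGUISE_HOSTS = {"micosoft.com", "avast.com", "facebook.com", "google.com", "pentagon.com"}
# Assumed (hypothetical) address ranges an organisation has learned for each domain from its own DNS logs;
# a Host header sent to an IP outside its domain's ranges is the misdirection the report describes.
EXPECTED_RANGES = {
    "google.com": [ip_network("203.0.113.0/24")],
    "example.org": [ip_network("203.0.113.0/24")],
}
# Brand names used to spot look-alike hosts such as micosoft.com.
BRANDS = {"microsoft.com", "avast.com", "facebook.com", "google.com", "pentagon.com"}
LINE_RE = re.compile(r"dst=(?P<dst>\S+) host=(?P<host>\S+) method=(?P<method>\S+) path=(?P<path>\S+)")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse(line):
    """Return the alert tags for one log line; an empty list means nothing looked suspicious."""
    m = LINE_RE.search(line)
    if not m:
        return []
    dst, host = ip_address(m["dst"]), m["host"].lower()
    alerts, ranges = [], EXPECTED_RANGES.get(host)
    if ranges is not None and not any(dst in net for net in ranges):
        alerts.append("host_ip_mismatch")       # Host header does not belong to the destination IP
    if ranges is None and host in DISGUISE_HOSTS:
        alerts.append("known_disguise_host")    # a reported disguise domain with no learned ranges
    if host not in BRANDS and any(edit_distance(host, b) <= 2 for b in BRANDS):
        alerts.append("lookalike_host")         # typo-squat of a brand, e.g. micosoft.com
    return alerts

def scan(lines):
    # Map each suspicious log line to its alert tags.
    return {line: tags for line in lines if (tags := analyse(line))}
```

Feeding real proxy logs requires populating EXPECTED_RANGES from the organisation's own DNS resolutions; the table here is deliberately tiny so the sample runs offline.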
The malware’s latest versions also introduce multi-layered encryption. Earlier iterations relied on Base64 and RC4 encryption for configuration files and used standard HTTP(S) endpoints. Later versions switched to HTTPS with self-signed certificates, enabling custom host modification while abandoning services like Cloudflare.
To complicate analysis further, an additional AES-256 (CBC) encryption layer was added to the communication stream:
- Key: 7640FED98A53856641763683163F4127B9FC00F9A788773C00EE1F2634CEC82F
- IV: 55555555555555555555555555555555
A significant innovation is the use of server-issued dynamic paths. Instead of fixed endpoint URLs like /Up/x, the malware now requests randomized endpoints using JSON-based POST requests. This adds complexity to detection and sandbox analysis.
“An additional step was added to the C2 communication process to implement this feature… the process of requesting configuration data from the C2 server has changed from the previous GET method to the POST method,” the report notes.
The malware is engineered to harvest a broad range of sensitive information, including:
- Browser credentials (Chrome, Chrome SxS, Beta, Dev)
- Cryptocurrency wallets
- FTP/email/cloud storage accounts
- Sticky notes, account management apps
- Databases and RDP credentials
- PDF, TXT, DOC documents
It also retains the capability to install additional malware strains based on server-side instructions.