
Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)

SANS Internet Storm Center, 26/05/2026, 00:01

Summary

AI-Generated

Key Points:

  • ACR Stealer malware is being distributed via fake download pages impersonating the application Claude, with malicious ads leading users to these sites.
  • The malware targets both macOS and Windows users, displaying instructions tailored to the visitor's operating system. Any system on which a user follows the download instructions from these deceptive pages is at risk.
  • Security teams should block access to the identified malicious domains, monitor for the specified SHA256 hashes, and educate users about the risks of downloading software from unverified sources.

Technical Details: The malware uses a command-and-control (C2) domain for post-infection traffic. The SHA256 hashes of the downloaded stages are provided: the initial download is 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2, and the follow-up PowerShell script is a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned:

  • Initial download SHA256: 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2
  • Follow-up PowerShell script SHA256: a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692
  • Further download SHA256: 47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f
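The hash sweep the key points recommend, as an added example that is not part of the ISC diary or this page: it streams every file under a directory through SHA256 and reports matches against the three indicators listed above. The sample file name, its benign content and the `demo()` helper are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# The three SHA256 indicators listed above, keyed by the role the summary gives them.
ACR_STEALER_SHA256 = {
    "70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2": "initial download",
    "a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692": "follow-up PowerShell script",
    "47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f": "further download",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large downloads never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=ACR_STEALER_SHA256):
    """Return a sorted list of (path, label) for files under root whose SHA256 is an IoC.

    Every file is hashed regardless of extension, because a downloaded payload may have
    been renamed after the fact; a label of None from the lookup means no match.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            label = iocs.get(sha256_of(path))
            if label is not None:
                hits.append((str(path), label))
    return sorted(hits)


def demo():
    """Constructed check: a benign file must not match the diary IoCs, but must match its own digest."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Downloads" / "Claude-Setup.exe"  # constructed name, benign content
        sample.parent.mkdir()
        sample.write_bytes(b"constructed benign sample, not malware\n")
        clean_hits = sweep(tmp)                                  # against the three page IoCs
        synthetic_iocs = {sha256_of(sample): "constructed test IoC"}
        synthetic_hits = sweep(tmp, synthetic_iocs)
        return len(clean_hits), [label for _, label in synthetic_hits]


if __name__ == "__main__":
    print(demo())  # (0, ['constructed test IoC'])
```

Point `sweep()` at user download directories or a collected triage image; a non-empty result identifies which stage of the chain was retrieved.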
