```

A persistent infostealer campaign is successfully bypassing traditional defenses by manipulating users into executing malicious code themselves, leading to the theft of active cloud session tokens and sensitive corporate files.

According to research highlighted by The Hacker News, the malware known as ACR Stealer, active since 2024, leverages a social engineering tactic called "ClickFix" to gain initial access. This method involves deceiving a user—often through a phishing email or fraudulent website—into copying a command and pasting it into a system's Run dialog or a terminal. The user then presses Enter, unknowingly executing the malware payload.

Once installed, ACR Stealer targets a high-value combination of data. It harvests saved browser credentials and, critically, live session tokens for services like Microsoft 365. With these tokens, an attacker can hijack an active, authenticated session without needing a username or password, bypassing multi-factor authentication protections entirely. The malware also exfiltrates files, specifically targeting PDFs and Office documents, as well as entire folder structures from OneDrive and SharePoint if they are synced to the local machine.

The campaign's reliance on the user performing a manual action highlights a persistent challenge in enterprise security. While technical controls have grown more sophisticated, attackers increasingly target the "human element," using trust and confusion to circumvent safeguards. The ClickFix method is particularly effective because it often appears as a benign troubleshooting step to the victim.

The implications for organizations using cloud-based collaboration platforms like Microsoft 365 are severe. A stolen session token can grant persistent access to email, internal files, and team communications. Combined with exfiltrated documents, this presents a comprehensive data breach scenario. The theft of locally synced cloud files further demonstrates how attackers are moving beyond simple credential theft to directly harvest valuable intellectual property and sensitive documents at their source.

For IT and security professionals, this reinforces the need for a layered defense. Security awareness training must evolve to include warnings about deceptive commands that ask users to execute system-level instructions. Technical controls should include endpoint detection solutions capable of identifying suspicious process execution patterns and the exfiltration of credential material. Furthermore, enforcing strict conditional access policies and session lifetime limits for cloud services can help mitigate the damage if a token is compromised.

The persistence of ACR Stealer since 2024 indicates that these tactics remain effective, posing an ongoing risk to organizations worldwide. The campaign serves as a stark reminder that security ultimately relies on both robust systems and informed users who understand that even seemingly simple actions can have major consequences.


一場持續進行的資訊竊取惡意軟件活動,正透過操縱用戶自行執行惡意代碼的方式,成功繞過傳統防禦機制,導致活躍的雲端工作階段令牌及敏感企業文件遭竊。

據 The Hacker News 報導的研究指出,自 2024 年起活躍、名為 ACR Stealer 的惡意軟件,利用一種稱為「ClickFix」的社會工程學策略來取得初始存取權限。此方法涉及欺騙用戶——通常透過釣魚電郵或欺詐網站——複製一段指令並貼到系統的「執行」對話框或終端機中。用戶隨後按下 Enter 鍵,在不知情的情況下執行了惡意軟件的有效負載。

一旦安裝完成,ACR Stealer 會鎖定一組高價值的數據。它會收割儲存的瀏覽器憑證,更關鍵的是擷取 Microsoft 365 等服務的即時工作階段令牌。攻擊者利用這些令牌,無需用戶名稱或密碼,即可劫持一個已驗證的活躍工作階段,完全繞過多重因素驗證保護。該惡意軟件還會竊取檔案,特別針對 PDF 和 Office 文件,以及若已同步至本地機器的 OneDrive 和 SharePoint 的整個資料夾結構。

這項活動依賴用戶執行手動操作,凸顯了企業安全中一項持久的挑戰。儘管技術控制措施日益複雜,攻擊者卻越來越多地鎖定「人為因素」,利用信任和混淆來規避安全措施。ClickFix 方法尤其有效,因為它對受害者而言,通常看似一個良性的故障排除步驟。

對於使用 Microsoft 365 等雲端協作平台的組織而言,其影響極為嚴重。遭竊的工作階段令牌可授予對電郵、內部檔案及團隊通訊的持續存取權限。加上被竊取的文件,這便構成了一個全面的數據洩露場景。本地同步的雲端檔案遭竊,進一步顯示攻擊者正超越簡單的憑證竊取,直接在源頭收割有價值的知識產權和敏感文件。

對於 IT 和安全專業人員而言,這再次強調了多層防禦的必要性。安全意識培訓必須進化,加入關於要求用戶執行系統級指令的欺詐性指令的警告。技術控制措施應包括能夠識別可疑進程執行模式及憑證材料竊取的端點檢測解決方案。此外,對雲端服務強制實施嚴格的條件式存取策略及工作階段時長限制,有助於在令牌遭洩露時減輕損害。

ACR Stealer 自 2024 年以來的持續存在,表明這些戰術依然有效,對全球組織構成持續風險。這項活動是一個嚴峻的提醒:安全最終依賴於強健的系統與知情的用戶——後者需明白,即使看似簡單的操作,也可能帶來重大後果。

新聞來源 / Original News Source