{"id":10439,"date":"2025-07-24T12:32:43","date_gmt":"2025-07-24T05:32:43","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10439"},"modified":"2026-02-05T12:32:50","modified_gmt":"2026-02-05T05:32:50","slug":"ma-doc-acrstealer-gia-google-va-steam-de-che-giau-hanh-vi-danh-cap-du-lieu","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/24\/ma-doc-acrstealer-gia-google-va-steam-de-che-giau-hanh-vi-danh-cap-du-lieu\/","title":{"rendered":"M\u00e3 \u0111\u1ed9c ACRStealer gi\u1ea3 Google v\u00e0 Steam \u0111\u1ec3 che gi\u1ea5u h\u00e0nh vi \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u"},"content":{"rendered":"
Trung t\u00e2m T\u00ecnh b\u00e1o An ninh c\u1ee7a AhnLab (ASEC) v\u1eeba ph\u00e1t \u0111i c\u1ea3nh b\u00e1o v\u1ec1 s\u1ef1 tr\u1edf l\u1ea1i c\u1ee7a m\u1ed9t trong nh\u1eefng m\u00e3 \u0111\u1ed9c \u0111\u00e1nh c\u1eafp th\u00f4ng tin (infostealer) nguy hi\u1ec3m – ACRStealer, nay \u0111\u00e3 \u201cti\u1ebfn h\u00f3a\u201d v\u00e0 \u0111\u1ed5i t\u00ean th\u00e0nh AmateraStealer.<\/b>
\n\u200b<\/div>\n
\n
\"1753345914960.png\"<\/div>\n<\/div>\n
\nT\u1eebng xu\u1ea5t hi\u1ec7n t\u1eeb \u0111\u1ea7u n\u0103m, ACRStealer nay \u0111\u00e3 \u0111\u01b0\u1ee3c n\u00e2ng c\u1ea5p to\u00e0n di\u1ec7n v\u1edbi kh\u1ea3 n\u0103ng \u1ea9n m\u00ecnh, v\u01b0\u1ee3t qua gi\u00e1m s\u00e1t, giao ti\u1ebfp kh\u00f3 truy v\u1ebft v\u00e0 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m. \u0110\u00e2y l\u00e0 m\u1ed9t m\u1ed1i \u0111e d\u1ecda nghi\u00eam tr\u1ecdng, \u0111\u1eb7c bi\u1ec7t v\u1edbi ng\u01b0\u1eddi d\u00f9ng c\u00e1 nh\u00e2n v\u00e0 doanh nghi\u1ec7p nh\u1ecf, nh\u1eefng \u0111\u1ed1i t\u01b0\u1ee3ng th\u01b0\u1eddng \u00edt c\u00f3 h\u1ec7 th\u1ed1ng ph\u00f2ng th\u1ee7 chuy\u00ean s\u00e2u.<\/p>\n

ACRStealer l\u00e0 ph\u1ea7n m\u1ec1m \u0111\u00e1nh c\u1eafp th\u00f4ng tin tinh vi, s\u1eed d\u1ee5ng k\u1ef9 thu\u1eadt DDR, Google Docs v\u00e0 Steam \u0111\u1ec3 \u0111i\u1ec1u khi\u1ec3n t\u1eeb xa (C2). N\u00f3 s\u1edf h\u1eefu kh\u1ea3 n\u0103ng tr\u1ed1n tr\u00e1nh ph\u00e1t hi\u1ec7n, ki\u1ec3m so\u00e1t l\u01b0u l\u01b0\u1ee3ng HTTP b\u1eb1ng c\u00e1c k\u1ef9 thu\u1eadt th\u1ea5p c\u1ea5p nh\u01b0 NtCreateFile, c\u00f9ng v\u1edbi ho\u1ea1t \u0111\u1ed9ng l\u00e0m gi\u1ea3 t\u00ean mi\u1ec1n v\u00e0 IP \u0111\u1ec3 g\u00e2y nhi\u1ec5u h\u1ec7 th\u1ed1ng gi\u00e1m s\u00e1t m\u1ea1ng. C\u00e1c phi\u00ean b\u1ea3n m\u1edbi s\u1eed d\u1ee5ng m\u00e3 h\u00f3a AES-256, c\u00e1c \u0111\u01b0\u1eddng truy\u1ec1n \u0111\u1ed9ng v\u00e0 ng\u1eabu nhi\u00ean \u0111\u1ec3 t\u0103ng kh\u1ea3 n\u0103ng che gi\u1ea5u. C\u01a1 ch\u1ebf ph\u00e1t t\u00e1n g\u1ed3m \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u v\u00ed ti\u1ec1n \u0111i\u1ec7n t\u1eed, th\u00f4ng tin \u0111\u0103ng nh\u1eadp, t\u00e0i li\u1ec7u nh\u1ea1y c\u1ea3m v\u00e0 kh\u1ea3 n\u0103ng m\u1edf r\u1ed9ng t\u1ea5n c\u00f4ng qua c\u00e1c payload ph\u1ee5. G\u1ea7n \u0111\u00e2y, bi\u1ebfn th\u1ec3 ACRStealer \u0111\u00e3 \u0111\u01b0\u1ee3c \u0111\u1ed5i t\u00ean th\u00e0nh AmateraStealer, v\u1eabn gi\u1eef \u0111\u1eb7c \u0111i\u1ec3m l\u00e0 m\u1ed9t trong nh\u1eefng d\u00f2ng ph\u1ea7n m\u1ec1m \u0111\u00e1nh c\u1eafp th\u00f4ng tin ho\u1ea1t \u0111\u1ed9ng m\u1ea1nh v\u00e0 th\u00edch \u1ee9ng nhanh.
\n\u200b<\/p><\/div>\n

C\u00e1ch ACRStealer ho\u1ea1t \u0111\u1ed9ng: Khi b\u1ea1n ch\u01b0a k\u1ecbp nh\u1eadn ra, m\u1ecdi th\u1ee9 \u0111\u00e3 b\u1ecb l\u1ea5y c\u1eafp\u200b<\/div>\n
1. \u1ea8n th\u00e2n tinh vi v\u1edbi Heaven\u2019s Gate<\/p>\n

Phi\u00ean b\u1ea3n m\u1edbi s\u1eed d\u1ee5ng k\u1ef9 thu\u1eadt c\u00f3 t\u00ean Heaven\u2019s Gate, cho ph\u00e9p m\u00e3 \u0111\u1ed9c ch\u1ea1y shellcode 64-bit trong ti\u1ebfn tr\u00ecnh 32-bit tr\u00ean Windows. \u0110i\u1ec1u n\u00e0y khi\u1ebfn ph\u1ea7n m\u1ec1m gi\u00e1m s\u00e1t th\u00f4ng th\u01b0\u1eddng r\u1ea5t kh\u00f3 ph\u00e1t hi\u1ec7n, v\u00ec ho\u1ea1t \u0111\u1ed9ng \u0111\u1ed9c h\u1ea1i b\u1ecb che gi\u1ea5u ho\u00e0n to\u00e0n<\/p>\n

2. Kh\u00f4ng d\u00f9ng th\u01b0 vi\u1ec7n b\u00ecnh th\u01b0\u1eddng m\u00e0 d\u00f9ng t\u1eadn l\u00f5i h\u1ec7 \u0111i\u1ec1u h\u00e0nh<\/p>\n

Kh\u00e1c v\u1edbi nhi\u1ec1u m\u00e3 \u0111\u1ed9c d\u00f9ng WinHTTP hay Winsock \u0111\u1ec3 k\u1ebft n\u1ed1i v\u1edbi m\u00e1y ch\u1ee7 \u0111i\u1ec1u khi\u1ec3n (C2), ACRStealer giao ti\u1ebfp tr\u1ef1c ti\u1ebfp qua driver h\u1ec7 th\u1ed1ng (AFD) b\u1eb1ng c\u00e1c l\u1ec7nh c\u1ea5p th\u1ea5p nh\u01b0 NtCreateFile v\u00e0 NtDeviceIoControlFile. C\u00e1ch n\u00e0y gi\u00fap qua m\u1eb7t t\u01b0\u1eddng l\u1eeda, h\u1ec7 th\u1ed1ng gi\u00e1m s\u00e1t m\u1ea1ng ho\u1eb7c c\u00e1c ph\u1ea7n m\u1ec1m ch\u1ed1ng m\u00e3 \u0111\u1ed9c d\u1ef1a v\u00e0o API gi\u00e1m s\u00e1t.<\/p>\n

3. Ng\u1ee5y trang \u0111\u1ecba ch\u1ec9 th\u1eadt b\u1eb1ng \u201ct\u00ean mi\u1ec1n \u0111\u00e1ng tin\u201d<\/p>\n

\u0110\u1ec3 \u0111\u00e1nh l\u1ea1c h\u01b0\u1edbng ng\u01b0\u1eddi ki\u1ec3m tra, m\u00e3 \u0111\u1ed9c gi\u1ea3 v\u1edd li\u00ean l\u1ea1c v\u1edbi c\u00e1c trang web uy t\u00edn nh\u01b0 microsoft.com, google.com, facebook.com\u2026 Nh\u01b0ng th\u1ef1c t\u1ebf l\u1ea1i k\u1ebft n\u1ed1i \u0111\u1ebfn nh\u1eefng \u0111\u1ecba ch\u1ec9 IP \u0111\u1ed9c h\u1ea1i kh\u00e1c. H\u1ec7 th\u1ed1ng gi\u00e1m s\u00e1t nh\u00ecn v\u00e0o th\u1ea5y to\u00e0n \u201c\u0111\u1ecba ch\u1ec9 s\u1ea1ch\u201d n\u00ean d\u1ec5 b\u1ecb qua m\u1eb7t.<\/p>\n

ACRStealer \u0111\u00e1nh c\u1eafp nh\u1eefng g\u00ec?\u200b<\/p><\/div>\n