Trojan:Win32/Acll is a stealer malware detected by Microsoft Defender. It targets sensitive information, login credentials, personal details, and financial data. It spreads through pirated software, malicious ads, or bundles.
Trojan:Win32/Acll Overview
Trojan:Win32/Acll is a stealer-type malicious software coded in Python. It is designed to extract and transmit sensitive information from devices. Such malware targets a wide range of data, including system information, login credentials, personal details, and financial data. In addition to extracting data from various applications such as browsers, email clients, messengers, and others, Trojan:Win32/Acll can grab files, do keylogging, manipulate clipboards, and perform other spyware functionalities.
It spreads through ways typical for other spyware – malicious email attachments and pirated applications. However, some of the samples appear to mimic hardware management tools, specifically fan controlling utilities and UEFI parameter modifiers. In this way, malware can obtain highest privileges, as such software commonly requires root-level access to work.
Technical Analysis
Let’s look at how Trojan:Win32/Acll behaves in the system. Despite most of the samples being a rather recent discovery, there are quite a few researches upon each of them, meaning that the malware is pretty widespread. Before starting its dirty deeds, it performs checks for the signs of virtualization in the environment. This reconnaissance helps Acll to avoid analysis or sandboxing. Malware checks the following locations:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
These keys contain the user’s certificate stores, enforce the use of cryptographic algorithms, and control various aspects of system behavior and security. Malware also uses code obfuscation and other tricks to avoid detection.
Mutex Creation & Privilege Escalation
After reassuring it is not running in a compromising environment, Trojan:Win32/Acll creates mutexes to prevent more than one instance from running at the same time:
Local\SM0:3648:304:WilStaging_02
Local\SM0:5144:304:WilStaging_02
Then, the malware manipulates files and adds itself to the Task Scheduler to provide regular startups. Also, it creates entries in the Run registry keys, making the system run the malware upon startup.
schtasks /create /f /RU "%USERNAME%" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5
Creating these hooks finalizes the preparations, as the malware then switches to loading DLLs and launching at its full power. By using the C:\Windows\System32\wuapihost.exe -Embedding command, Acll performs sideloading and is ready to the next step.
Data Collection
As I said before, Trojan:Win32/Acll is an infostealer, with a specific target on sensitive user data and cryptocurrency wallets. The malware attempts to collect credentials as a hash or password in plaintext. In addition to searching on the device, it tries to retrieve passwords from shared password storage locations and browser folders. Acll checks the following locations:
C:\Program Files\Common Files\SSL\openssl.cnf
C:\Users\
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\
C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\user\AppData\Local\Vivaldi\User Data
C:\Users\user\AppData\Roaming\Opera Software\Opera GX Stable
C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data
Further, it switches to desktop cryptocurrency wallets. The list of targeted ones is not massive, but I am sure it is just the matter of time for this malware to start targeting others.
C:\Program Files\Common Files\SSL\cert.pem
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
C:\Users\user\AppData\Roaming\Electrum\wallets
C:\Users\user\AppData\Roaming\Ethereum\keystore
C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
C:\Users\user\AppData\Roaming\bytecoin
Same story is about FTP and VPN credentials. Reviewed samples targeted only FileZilla, OpenVPN and NordVPN (if targeted them at all), but such functionality is not hard to implement. I would still recommend to reset all the passwords that were kept in this or another way on the affected device.
Data Exfiltration
After collecting the information, Trojan:Win32/Acll sends it to C2. Several Win32/Acll samples use the Telegram bot as an intermediate server, as evidenced by its network activity:
https://api.telegram[.]org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage
https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendDocument
In addition to Telegram, the malware uses various cloud services, including OneDrive, Microsoft Azure, EdgeCast (Verizon Media), and others. Here is the list of IP addresses:
TCP 204.79.197.203:443
TCP 34.117.186.192:443
TCP 149.154.167.220:443
TCP 20.99.186.246:443
How To Remove Trojan:Win32/Acll?
To remove Trojan:Win32/Acll, I recommend using GridinSoft Anti-Malware, which you can download and install from the link below. After installation, run a Full scan and let it finish, so the program will find all the malware-related files. In addition to malware removal, GridinSoft Anti-Malware can provide proactive protection and internet security. This will help prevent malware installation even at the download stage.
