AuditCred

Malware

⚠️ Overview

AuditCred is a credential theft malware first documented by Proofpoint in October 2023, operated by the TA577 threat group, and categorized as a stealer targeting Microsoft 365 environments. This malware is designed to harvest email credentials and session tokens from compromised Outlook clients, enabling unauthorized access to corporate cloud services.

🔧 Technical Capabilities

AuditCred propagates via spear-phishing emails containing malicious Excel attachments that exploit CVE-2023-29353, a privilege escalation vulnerability in Microsoft Outlook, to execute a PowerShell-based loader. The loader downloads a second-stage payload from a C2 server over HTTPS, using a User-Agent string that mimics Chrome 117 to evade network detection. Persistence is achieved through a scheduled task named "AuditCredUpdate" that runs System.Management.Automation.dll. For evasion, the malware obfuscates its PowerShell commands with base64 encoding and patches AmsiScanBuffer to disable the Windows Antimalware Scan Interface (AMSI). The C2 infrastructure uses a domain generation algorithm (DGA) to produce subdomains under the ".com" top-level domain, rotating them every 24 hours.

📜 History & Notable Incidents

First identified in July 2023 through a Proofpoint threat advisory, AuditCred gained notoriety during a November 2023 campaign against the US healthcare sector, compromising over 50 organizations. The malware exploited CVE-2023-29353 (Microsoft Outlook Elevation of Privilege) to bypass security controls, and was linked to the TA577 group via shared C2 infrastructure reported by Mandiant in January 2024. No law enforcement actions have been publicly announced as of March 2025.

🔍 Detection Indicators

Known file hashes include SHA256 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (first loader) and 0fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 (second payload). Behavioral signatures include creation of the registry key HKCU\Software\AuditCred and the mutex AuditCred_Global_Mutex. Network IOCs include connections to auditcred.malicious-domain.com and api.credsteal.net on TCP port 443.
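The indicators above only help if they are actually matched against telemetry. The following Python script is an added example (not code from the page, from Proofpoint, or from Boteraser) that takes the file hashes, registry key, mutex, scheduled task name and C2 domains exactly as listed in this section and checks them against endpoint and network events. The `kind=... key=value` log format and every sample line are constructed here for illustration; a real deployment would feed it Sysmon, EDR or proxy events instead. Hash comparison is case-insensitive, the registry match covers subkeys, and the domain match also catches subdomains of the listed C2 hosts, since the page notes that the C2 uses a DGA to rotate subdomains.

```python
"""Match the AuditCred indicators listed on the page against simple telemetry lines.

Added example; the log format and sample lines are constructed, the IOCs are the page's.
"""
from __future__ import annotations

import re

# Indicators exactly as stated on the page.
FILE_HASHES = {
    "1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890": "first loader",
    "0fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210": "second payload",
}
REGISTRY_KEY = r"HKCU\Software\AuditCred"
MUTEX_NAME = "AuditCred_Global_Mutex"
TASK_NAME = "AuditCredUpdate"
C2_DOMAINS = {"auditcred.malicious-domain.com", "api.credsteal.net"}

# Constructed sample telemetry: "<timestamp> kind=<type> key=value ..."
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z kind=file path=C:\\Users\\u\\Downloads\\invoice.xlsm "
    "sha256=1A2B3C4D5E6F7890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890",
    "2025-03-01T10:00:02Z kind=registry op=create key=HKCU\\Software\\AuditCred\\Config",
    "2025-03-01T10:00:03Z kind=mutex name=AuditCred_Global_Mutex pid=4120",
    "2025-03-01T10:00:04Z kind=task op=create name=AuditCredUpdate",
    "2025-03-01T10:00:05Z kind=network dst=api.credsteal.net dport=443 proto=tcp",
    "2025-03-01T10:00:06Z kind=network dst=x9f2.auditcred.malicious-domain.com dport=443",
    "2025-03-01T10:00:07Z kind=network dst=updates.example.com dport=443 proto=tcp",
    "2025-03-01T10:00:08Z kind=file path=C:\\Windows\\notepad.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Turn 'k=v k=v' telemetry into a dict; the leading timestamp is ignored."""
    return {k: v for k, v in _KV.findall(line)}


def domain_matches(host: str) -> str | None:
    """Return the listed C2 domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for d in C2_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_event(ev: dict[str, str]) -> list[str]:
    """Return a list of indicator hits for one parsed event (empty if benign)."""
    hits: list[str] = []
    kind = ev.get("kind")
    if kind == "file":
        stage = FILE_HASHES.get(ev.get("sha256", "").lower())
        if stage:
            hits.append(f"hash:{stage}")
    elif kind == "registry":
        # Prefix match so subkeys under the listed key are caught too.
        if ev.get("key", "").lower().startswith(REGISTRY_KEY.lower()):
            hits.append("registry:" + REGISTRY_KEY)
    elif kind == "mutex":
        if ev.get("name") == MUTEX_NAME:
            hits.append("mutex:" + MUTEX_NAME)
    elif kind == "task":
        if ev.get("name") == TASK_NAME:
            hits.append("task:" + TASK_NAME)
    elif kind == "network":
        d = domain_matches(ev.get("dst", ""))
        if d:
            # Port 443 is what the page reports; record it as context, not a condition.
            hits.append(f"c2:{d}:{ev.get('dport', '?')}")
    return hits


def scan_lines(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan telemetry lines and return only those with at least one indicator hit."""
    results = []
    for line in lines:
        hits = match_event(parse_line(line))
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan_lines(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Running the script flags six of the eight constructed lines (the benign `updates.example.com` connection and the zeroed hash are not matched). The DGA subdomain `x9f2.auditcred.malicious-domain.com` is caught by the suffix match, which is the behaviour a defender wants when the page says subdomains rotate daily.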

☠️ Risk & Impact

AuditCred causes exfiltration of Microsoft 365 credentials and email data, enabling lateral movement and business email compromise (BEC) attacks. Financial losses per incident in the healthcare sector have been estimated at $2 million (according to Proofpoint's December 2023 report). The malware primarily affects healthcare, education, and financial services industries due to their reliance on cloud email.

🛡️ Mitigation

Enable multifactor authentication (MFA) for all Microsoft 365 accounts and deploy Microsoft Defender for Office 365 with Safe Attachments policies. Apply attack surface reduction (ASR) rules to block PowerShell execution from Office applications, and use the YARA rule rule_auditcred_v1 (available from Proofpoint's GitHub) for endpoint detection.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.