Amatera Stealer: A Deep Dive into Rebranded Malware and Evasion Techniques

Amatera Stealer: A New Threat in the Malware Landscape

• 💡 Amatera Stealer is identified as a rebranded and actively developed variant of the former ACR Stealer.
• 🎯 It operates as a Malware-as-a-Service (MaaS), offering advanced evasion techniques and improved sophistication.
• 🔑 The landscape of information stealers is dynamic, with Amatera emerging as a significant threat following disruptions to competitors like Lumma.

Distribution and Social Engineering Tactics

• 🚀 Amatera is primarily distributed via ClearFake web injects and the ClickFix technique.
• ⚠️ ClickFix tricks users into updating software or solving captchas, leading them to copy and run PowerShell commands on their own systems.
• 🌐 This technique is widely adopted across various threat actors, indicating its high effectiveness and believability.
• 🔗 Ether hiding is another technique observed, utilizing Binance smart contracts to store malicious JavaScript and commands, making them harder to block.

Advanced Evasion and Command & Control

• 🛡️ Amatera employs advanced anti-analysis features and sophisticated malware capabilities.
• 🔌 It utilizes NTSockets for stealthy Command and Control (C2) communication, bypassing common Windows networking APIs used for detection.
• 🚫 C2 communication is conducted via IP addresses, often leveraging CDN endpoints like Cloudflare, making it difficult to block without impacting legitimate services.
• 📈 The malware also avoids DNS monitoring for C2, further enhancing its stealth.

Stealer Capabilities and Market Position

• 💾 Amatera Stealer targets a wide range of sensitive data, including passwords, crypto wallets, files on disk, and browser cookies.
• ⚙️ It possesses the capability to run secondary payloads, allowing for the download and execution of additional malicious files or PowerShell scripts.
• 💰 With pricing structures similar to previous MaaS offerings, Amatera presents an accessible option for cybercriminals, potentially filling the void left by disrupted stealers like Lumma.

Recommendations for Defenders

• 🚨 Implement existing network signatures to detect Amatera's traffic and C2 communication.
• 🧠 User education is crucial, focusing on awareness of new social engineering tactics like ClickFix and the dangers of running unauthorized PowerShell scripts.
• 🔒 Restrict users from running unauthorized PowerShell and enforce defense-in-depth strategies to block subsequent actions if an unsafe user action occurs.
• ⚠️ Block unauthorized software downloads, especially those masquerading as legitimate applications like VPNs or PDF readers, and restrict downloads from unrecognized domains.