Amatera Stealer: A Rebranded Malware with Advanced Evasion Techniques

Amatera Stealer: A New Threat in the Malware Landscape

• 💡 Amatera Stealer is a rebranded and actively developed malware-as-a-service (MaaS) variant of the former ACR Stealer.
• 🎯 It features advanced evasion techniques, including NTSockets for stealthy C2 communication and WoW64 Syscalls to bypass user-mode defenses.
• 🚀 Distributed via ClearFake web injects and the ClickFix technique, Amatera utilizes multilayered PowerShell loaders and blockchain-based hosting.

Evolving Distribution and Evasion Tactics

• 🔍 The ClickFix technique tricks users into copying and running PowerShell commands by presenting fake security updates or CAPTCHAs.
• 💬 This technique has become widespread, with threat actors adapting it for various social engineering schemes, including impersonating software updates.
• ⛓️ Ether hiding, a technique used by the ClearFake cluster, leverages Binance Smart Contracts to store and generate malicious commands, making them harder to block.

Amatera's Capabilities and Command & Control

• 💰 Amatera Stealer is designed to steal sensitive information such as passwords, crypto wallets, browser data, and files.
• ⚡ It also possesses the capability to download and execute secondary payloads, including executables and PowerShell scripts.
• 🌐 Command and control (C2) communication has evolved from traditional methods like Telegram dead drops to using NTSockets, bypassing common Windows networking APIs and avoiding DNS lookups by communicating via IP addresses, often leveraging CDN endpoints like Cloudflare.

The Shifting Information Stealer Market

• 📉 The disruption of popular stealers like Lumma Stealer has created an opportunity for new MaaS offerings like Amatera.
• 📈 Amatera's pricing structure, with options for 3 months for $500 or a full year for $1,500, lowers the barrier to entry for cybercriminals.
• ⚠️ The active development and continuous modification of Amatera highlight the dynamic nature of the information stealer landscape.

Recommendations for Defenders

• 🛡️ Implement existing network signatures to detect Amatera's traffic and C2 communication.
• 🎓 Incorporate awareness of the ClickFix technique into security training to educate users about new social engineering tactics.
• 🚫 Restrict unauthorized PowerShell execution and downloads from unknown or unrecognized domains to prevent self-infection.
• 🧱 Employ defense-in-depth strategies to block subsequent malicious actions if a user inadvertently takes an unsafe step.