
Click here to steal.
[ Music ]
Dave Bittner: Hello everyone and welcome to the "Cyberwire's Research Saturday". I'm Dave Bittner. And this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Selena Larson: One of the main, initial access vectors that we have been very closely tracking are web injects. Which of course, are injects on legitimate but compromised websites that have been observed delivering a variety of different malware. Many of those payloads do tend to be information stealers. And so, in this case, we were able to see a malware that became known as Amatera Stealer, or that's what we later identified it as, being delivered via web injects.
Dave Bittner: That's Selena Larson, Threat Researcher and lead for intelligence analysis and strategy at Proofpoint. The research we're discussing today is titled, "Amatera Stealer- Rebranded ACR Stealer with improved evasion and sophistication." [ Music ]
Selena Larson: We also saw a number of samples in opensource, so you got VirusTotal. Some of our colleagues at other research teams also observed it in other attack chains. But what's really interesting to me is, the fact that the stealer landscape right now is so dynamic. And this particular stealer is basically, a rebranded stealer known as ACR Stealer. But it's got a lot of updates to it. And I think that one of the most important things from a cyber criminal perspective, especially now in the landscape, are taking a look at information stealers. Taking a look at this landscape. Trying to figure out, you know, what are threat actors using? How are they, you know, developing workarounds for defense? What are the different delivery mechanisms that we're seeing a lot of? Because, you know, as we've talked about previously on various podcasts, Dave, the information stealer landscape right now is booming. And that's where, you know, it's a very, very serious threat. And so, so yeah. So, this was an interesting sort of little deep dive that we were able to see about this pretty interesting information stealer.
Dave Bittner: So, you mentioned ACR Stealer. What set Amatera Stealer apart that, that it's not just a variant of ACR, that is its own, its own unique thing?
Selena Larson: Yeah. So, there are significant portions of code overlap that exist with ACR Stealer analysis in the public. And so that's kind of where like, oh is this just you know, updated ACR? But it's really featured a full rebrand. So, Amatera Stealer is actually sold as a malware, as a service. Which is what we see from a lot of these very prominent information stealers. Lumma, for example, was pretty much the most popular malware-as-a-service, in terms of the information stealer ecosystem. And then it got disrupted. And so, that's also, we can you know, talk about that as part of this conversation too. But that's, you know, why we're kind of keeping an eye on how the info stealer landscape is moving. But what we did find, was this particular malware had a bunch of new interesting anti-analysis features. There was some improved sophistication of the malware. The command and control operates a lot differently. The actual, where you can purchase it or manage it from, you know, the panel. We were able to get eyes on a panel. It's called Amatera Stealer. So, you know, you can actually see like, the payment structure and the tier structure. And what was interesting, is that back in July of 2024, the ACR support channel, which is of course on Telegram, as many of these things are. Basically, they said, you know we're not going to sell ACR Stealer anymore. You know, we're closed for an indefinite period. But you know, there will be no problems. We do not say goodbye. This was of course, all in Russian. But we included a machine translated version of that message. But so they said okay, this is not goodbye. And so then, come around December, towards the end of last year, this new ACR, new ACR, Amatera Stealer sort of popped up. And the panel began surfacing. And so, we were able to kind of see some of those overlaps in terms of the timeline of the stealer, and sort of the rebrand with a bunch of new features.
Dave Bittner: I see. So, your belief is that this is the same group who created ACR Stealer. This is an updated version.
Selena Larson: Mhmm. Mhmm.
Dave Bittner: Okay.
Selena Larson: Yeah. Yeah.
Dave Bittner: Got it. So, you, the research talks about how Amatera is distributed via ClearFake campaigns. And also, these ClickFix techniques. For anyone in our audience who might not be familiar with ClickFix, can you give us a quick description of how that works?
Selena Larson: Yeah. Of course. And I do, you know, I have to say, I recognize that it's very tough to keep a full understanding of the threat landscape. We're saying things like ClearFake and ClickFix, and you know, we talk about this technique called etherhiding, and all these things. And certainly, ClearFake is just one of many types of web inject campaigns. So, you know, I just want to say that if you're not, if you're wondering what is ClearFake? I've never heard of this before. You know what, that is totally fine. Because...
Dave Bittner: Don't let your imposter syndrome kick in, because it's not you.
Selena Larson: No, it's the landscape. It's so crazy right now. Like the amount of web inject campaigns that we're seeing, many of which use the ClickFix technique, which I'll describe in just a second.
Dave Bittner: Yeah.
Selena Larson: So, there's so many out there. So, so yeah. So, ClickFix is actually a really interesting social engineering technique. Whereby threat actors will, either through web injects or you know, direct URLs, or in some way essentially show you this dialogue that says, you need to update for security purposes. Or oh, you need to solve this captcha, in order to actually access this content. And what that basically does, is it tricks into copying, pasting, and running PowerShell on their own host. So, what we saw for example, with this ClearFake campaign, and again ClearFake is a type of web inject campaign, that when they go to a website that's compromised by ClearFake injects, they were presented with this fake captcha. So it says, complete these verification steps to prove you're not a robot. And then the instructions that it actually gives you are numbered, 1, 2, and 3. One is press and hold the Windows key plus R. And then in the verification window, press control V, and then press enter. So, it's literally the step by step, you know this is, this is how to do this. But ultimately, what it is, is you're running a ClickFix PowerShell command. So, it's ClickFix, the technique is this click to fix. Basically, copying, pasting and running PowerShell. And this is something that we've seen from just tons of actors. It's completely overtaken the landscape.
Dave Bittner: Yeah. I mean, it really seems like it is the flavor of the month right now, right.
Selena Larson: Oh, absolutely. Yeah. And we've, I mean, we've even seen it with espionage threat actors, using this sort of ClickFix technique. We see a lot of different sort of styles of the ClickFix technique. We see it with just of course, you know, update your Chrome browser. Of course we see it with that. We see the captcha, prove you're not a robot. But we've even seen it with like, very specific and customized software. That you know, a specific target might be using for transportation and logistics, for instance. And it'll be like, oh you have to update this very specific software. So, threat actors are taking this idea of the ClickFix technique to you know, copy, paste and run PowerShell on a host. And just you know, making it unique for whatever their purposes are. And I think that that is one interesting part of this whole story actually, is this ClickFix technique, just one exploding all across the landscape. Where you have these web inject threat actors like ClearFake, LandUpdate. You know, a lot of the other threat actors that were trying CPHP. A lot of these different clusters are using these sort of like fake web inject style things, compared with ClickFix. We see it with email threat actors as well, distributing URLs in ClickFix. It's just everywhere. It's like that meme. It's like ClickFix, ClickFix everywhere. [ Laughter ] It's you used to see it, the Toy Story meme. It's like, it's everywhere.
Dave Bittner: Right. Right. Which we assume means that they're seeing great success with it.
Selena Larson: That is how I am interpreting this. I mean, yeah. The thing is, is typically when you see an explosion of a technique proliferate like this across the landscape, it tends to be very effective. I mean, you know, we're not going to see all of these actors using the same technique if it's not working. Which is what actually kind of, you know, it kind of freaks me out. And they're well-designed [inaudible 00:09:19] too. Like I have to say, like they're very like, it's a believable captcha. If you don't really know, you know, the steps that you're taking or whatever, it is pretty believable.
Dave Bittner: So, earlier in our conversation you alluded to this technique called etherhiding. Can you unpack that one for us?
Selena Larson: So, etherhiding is kind of interesting. Basically, it uses something called the Binance Smart Contract. That has this JavaScript is stored in that smart contract. And then that is what will kind of generate the captcha and malicious command on the actual host. And what the actor can do, is like modify the Smart Contract, instead of like the inject itself, basically. And it kind of has like, it's kind of complicated.
Dave Bittner: Yeah.
Selena Larson: And it's really just like, the ClearFake cluster is one of the only ones that is, that we see regularly kind of adopting this etherhiding technique. But yeah, but it's essentially using the blockchain to store this command, in a way that's, they can you know, update that when they need to. And then often times, they might just leave it, and not modify it at all. So, so it's kind of, yeah, it's basically, you can block the domain on which the script is actually hosted. Which is like the actual Smart Contract. And that is kind of what the threat actor is using. As opposed to, you know, injecting the JavaScript directly on the website, for example. There's a lot of different, a lot of different techniques that web inject threat actors use. And etherhiding is one of them that we see with ClearFake. [ Music ]
>> We'll be right back. [ Music ]
Dave Bittner: So, what are Amatera's goals once it lands on a victim's machine? What sort of data is it looking to steal?
Selena Larson: Yeah. So, as you might imagine, stealers nowadays just have a lot of different capabilities. Of course, you know they're going after passwords, they're going after crypto wallets, stealing files on disks. Browser cookies, web forms, things like that. And then, of course, you have Amatera Stealer that is also capable of running secondary payloads. So, it could potentially download and execute files like executables. Or you can download and execute PowerShell. So, it has both the stealing functionality, as well as the ability to run follow-on payloads.
Dave Bittner: Is the malware's configuration static or does it have the ability to dynamically adapt?
Selena Larson: So, what's actually interesting is it used to use command and control using Steam or Telegram dead drops, which we see a lot of times with various stealers. We actually covered it before in one of our blog posts with Vidar Stealer, for example. Or they will regularly use Steam or Telegram for command and control. But in this case, they actually started using NTSockets for command and control. And so, this kind of increases the stealthiness of the C2 communication. So, the way that the command and control is set up, it kind of bypasses commonly used Windows networking APIs. Which a lot of times your endpoint detection analysis tool will rely on for visibility into the HTTP request. Another thing that's kind of interesting, in terms of the malware capability, is not using DNS. So, it will use C2 via IP address. And the IP address in the cases that we were looking at was not owned by a threat actor, but was used, using a CDN endpoint address. In this case, it was Cloudflare. So, so yeah. So, it has a little bit of interesting C2 communications that make it a little bit tricky. So, for example, if they're using an IP address that's associated to a public CDN like Cloudflare, security operations might be reluctant to just block the IP address by default, right. It's not like you can just block a C2 domain that we often see using like malware, command and control for malware. But you know, with an IP that belongs to this like, public CDN, that's probably used by a lot of different things. It might be like, okay, you know we might not block this because it could be used by legitimate websites that are also using CDN. In addition to that, not using a domain name or DNS through for C2 also means that it can't be blocked or alerted on through DNS monitoring. So, there's no DNS lookup for the domain name.
So, so there's some of these other sort of like C2 functionalities that are trying to evade detection, in a way that previous examples of similar malware you don't necessarily see.
Dave Bittner: Well, we mentioned Lumma Stealer earlier. When we're looking at the landscape here, Lumma Stealer was disrupted. Do we think that Amatera is stepping in to fill that gap?
Selena Larson: So, I feel like it's a little bit early to say yes or no. But I do want to point out, in terms of the actual pricing structure with Amatera, and how because these MaaS, which is such a funny word, malware-as-a-service, MaaS offering. The way that they work, right, is that you pay to be able to access and use the information stealer, and those very similar. And it's actually like not too expensive. So, you know, for 3 months for 500 bucks or like a full year for 1,500 bucks, like this is what the pricing information for the publicly accessible panel we were able to see. And so, you know, I think that first of all, having a MaaS offering can sometimes lower the barrier to entry for a lot of cyber criminals. But also, it does sort of enter the scene at this moment where people might be leaving Lumma Stealer for a variety of reasons. Lumma isn't fully eradicated, right. Like it was, a lot of the infrastructure was disrupted. It was obviously a big win for law enforcement and private sector. But we're still seeing some Lumma activity even after the takedown. Certainly not what it was. But what's great about a lot of these disruptions, in addition to actually disrupting infrastructure, doing takedowns, all of that stuff, is it really makes it so that the criminal who's operating this, doesn't have the same sort of trust, and brand recognition, and like authority in the marketplace, right. And so, what you often see is when these things happen, is you'll have the criminals who are using whatever malware is, go to greener pastures, so to speak. You know, maybe malware that isn't quite so under the microscope. Maybe they try and build their own thing. Maybe they stop doing crime. Which is the ideal outcome.
Dave Bittner: Yeah. What an adorable thought.
Selena Larson: I know. In a perfect world. If you're, if like a criminal is doing crime, and then the tool that they're using gets like, it's like busted and targeted by law enforcement. Like, imagine if they decide to change their behavior.
Dave Bittner: Yes. The time for me to step back and rethink my life.
Selena Larson: Right. Yeah. Like okay, maybe I can go in a different direction here.
Dave Bittner: Yeah.
Selena Larson: So, so yeah. So, I think, you know, the market is now, I think, a little bit more open for some of these people. Who are like, okay, do I not trust Lumma Stealer anymore? Because it was a target of law enforcement disruption. Should I be spending money elsewhere? And you know, if I was a malware author marketing my, you know, malware-as-a-service, I'd be like hey, I'm not that guy.
Dave Bittner: Right. Right.
Selena Larson: Yeah. Like I don't have, you know, law enforcement breathing down my neck with all of these you know, big blogs and reporting coming out about how I operate. And all these things that have been taken down and you know, made my life a little bit challenging. So, so yeah. I think it is an opportunity for cyber criminals to find, okay, what's next. But that's why it's so important to really be sort of monitoring on top of the information stealer landscape. Because certainly Lumma was big and popular, but it's not the only one. You know, and certainly, what we're seeing, certainly with Amatera Stealer, for example, it's under active development. So, you know, we're seeing them continuously modifying, updating, making changes to this malware to make it from their perspective, better, more effective, more useful for the cyber criminal operators. And of course, you know, we wrote a bunch of dissections for it. We have coverage for it, published some rules associated with it. But it's, you know, it's very important to sort of stay on top of these things because they are under active development. And at any point, something like the Lumma disruption could happen and everyone flocks to something else, so.
Dave Bittner: Right.
Selena Larson: I do think it's still too early to say for sure, like this is definitely replacing Lumma Stealer. But you know, having other options on the market, and making sure that we have detections and defense against it is super important.
Dave Bittner: So, what's your recommendation then, for defenders? How should a security team go about protecting themselves against this?
Selena Larson: Yeah. So, first of all, update. Make sure you have existing network signatures that will detect this traffic. And the command and control, [inaudible 00:19:03], the traffic, things like that. There are rules that we published that are associated with this. One thing that I really, really want to make sure to hammer home, is that people are aware and incorporate ClickFix technique into their existing security training. Making sure that people are aware of the new types of social engineering and techniques that are being used by threat actors is very, very important. Also, restricting your average user from running unauthorized PowerShell is really important here. Because like, literally, copy pasting, running PowerShell is like they're infecting themselves. And making it so that end users can't do that, is something that is very important. And yeah, I think those are kind of the two main things, is to make sure that you're aware that this is happening, and doing, you know, practicing defence in depth. And making it so that users you know, running PowerShell. There are other ways that we've seen, Amatera delivered as well, so. You know, things like SEO poisoning, fake software downloads, things like that. So that's also very, very important. Restricting downloads from unknown domains, unrecognized domains really you know, block traffic, especially for, from like newer, just registered domains. Things like that are impersonating Enterprise software, for example. And also not downloading unauthorized software. So, often times you'll see a lot of information stealers will be masquerading as, for example, a VPN app or a PDF reader, or a document reader, things like that. And so, you know, making, restricting those, the downloads from those types of tooling and only authorized, you know like making sure if you need something, like a PDF reader, go to your IT department and ask for that, is I think, important, important to note here as well. 
So, user education, I think is really important and really big, but also making sure that you as an organization have defence in depth. And if a user does take an unsafe action, then they're blocked from the subsequent actions that you're having as a result of that activity. [ Music ]
Dave Bittner: Our thanks to Selena Larson from Proofpoint for joining us. The research is titled, "Amatera Stealer - Rebranded ACR Stealer with Improved Evasion and Sophistication". We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K Cyberwire. We'd love to hear from you. We are conducting our annual survey to learn more about our listeners. We're collecting your insights through the end of this summer. There is a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
