Listen to this Post

Introduction:
The Amatera Stealer, a formidable rebranding of the now-defunct ACR (AcridRain) Stealer, represents a new generation of Information Stealers distributed as a Malware-as-a-Service (MaaS). Active since early 2025 with its latest iteration reaching version 4.0.2 Beta, this C++-based malware employs advanced evasion techniques—from direct system calls (WoW64 Syscalls) to fileless execution—to harvest credentials, cookies, crypto-wallets, and more. This article dissects its sophisticated attack chain, provides detection methodologies, and details hardening strategies against this commodity threat.
Learning Objectives:
- Analyze the technical execution chain of Amatera Stealer, from the ClickFix social engineering lure to C2 exfiltration.
- Implement detection queries (KQL, Sigma) to hunt for registry key modifications (RunMRU) and LOLBin abuse (PowerShell, mshta.exe).
- Identify IOCs including specific PowerShell execution patterns, network indicators (NTSockets), and registry artifacts to mitigate and respond to infections.
You Should Know:
1. Inside the Multi-Stage Attack Chain
The infection begins with social engineering, often a fake CAPTCHA page prompting the user to press `Win + R` and paste a malicious command. This command, typically executed via `mshta.exe` or rundll32.exe, launches a heavily obfuscated PowerShell script that acts as a downloader. The script retrieves a `.NET` loader from a file-sharing service like MediaFire, which then injects the Amatera payload into a legitimate process, such as MSBuild.exe, achieving a fileless persistence.
Step‑by‑step guide explaining what this does and how to use it.
To detect this attack, security teams can monitor the Windows `RunMRU` registry key for suspicious entries. The following KQL query hunts for the `ClickFix` technique by correlating `RunMRU` value sets with subsequent `powershell` or `mshta` process executions occurring within a short time window:
// Detection Rule: Suspicious user-initiated execution via the Run dialog (Win + R)
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith "\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
and (RegistryValueData has "powershell" or RegistryValueData has "mshta")
and RegistryValueData !~ "mrulist"
and (RegistryValueData contains "http" or RegistryValueData contains "base64")
| project Process_Creation=Timestamp, DeviceName, InitiatingProcessAccountName, RegistryValueData
| join kind=inner (
DeviceProcessEvents
| where FileName in~ ("mshta.exe", "powershell.exe", "rundll32.exe")
) on DeviceName, InitiatingProcessAccountName
| where ProcessCreated between ((Process_Creation - timespan(5sec)) .. (Process_Creation + timespan(5sec)))
2. Command-Line Countermeasures and Forensics
Once the malicious PowerShell command is executed, it triggers a cascade of processes. Administrators can use the following commands for triage and containment on a potentially compromised Windows system. The malware uses legitimate Windows tools (Living-off-the-Land) for its operations, making behavioral analysis critical.
Step‑by‑step guide for triage and containment:
Immediate containment steps to isolate and investigate an infected system:
- Network Isolation: Disconnect the host from the network to prevent C2 data exfiltration.
Run as Administrator to disconnect all non-Microsoft network adapters
Get-NetAdapter | Where-Object {$<em>.Name -notlike "Virtual" -and $</em>.InterfaceDescription -notlike "Hyper-V"} | Disable-NetAdapter -Confirm:$false
- Process Analysis: Investigate running processes that are known injection targets for Amatera.
:: List processes with command lines, focusing on MSBuild, regsvr32, rundll32 wmic process where "name='msbuild.exe' or name='powershell.exe' or name='rundll32.exe'" get processid,commandline
- Persistence Check: Review scheduled tasks, run keys, and the startup folder for anomalies. Amatera may create scheduled tasks for persistence.
List scheduled tasks modified within the last 24 hours
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-1)} | fl TaskName, TaskPath, State
- Network Artifacts: Use `netstat` to identify outbound connections to known C2 ports over non-standard APIs (NTSockets). Note connections to IP addresses hosted on CDNs like Cloudflare that bypass typical DNS resolution.
3. Understanding the Anti-Analysis Bag of Tricks
Amatera version 4.0.2 is engineered to fly under the radar using several sophisticated techniques. It leverages direct `NTSockets` by interfacing with \Device\Afd\Endpoint, bypassing standard Windows networking APIs that EDRs typically hook. For API execution, it uses `WoW64 Syscalls` to dynamically resolve and invoke Windows APIs, effectively bypassing user-mode hooks placed by security products. Furthermore, the malware disables PowerShell logging, utilizes `Null-AMSI` to bypass the Antimalware Scan Interface, and employs process injection techniques like “Early Bird” to execute code before the main thread initializes.
Linux-Based Sandbox Detection Check: Analysts can create a simple Linux script to simulate basic sandbox environment checks that malware like Amatera might perform to evade analysis (e.g., checking for low RAM, specific CPU cores, or presence of debug processes).
!/bin/bash
Sandbox Detection Script for Linux Sandboxes
echo "[] Running Sandbox Environment Checks..."
total_ram=$(free -m | awk '/^Mem:/{print $2}')
echo "[] RAM Detected: ${total_ram}MB"
cpu_cores=$(nproc)
echo "[] CPU Cores Detected: ${cpu_cores}"
if [ $total_ram -lt 2048 ] && [ $cpu_cores -lt 2 ]; then
echo "[!] Sandbox environment likely detected (Low RAM/CPU). Exiting."
exit 1
else
echo "[] Environment passes initial checks. Continuing analysis."
fi
4. IOCs and Network Defense Evasion
Amatera Stealer communicates with its Command and Control (C2) servers using a JSON-based protocol over HTTP, with data exfiltration often Base64-encoded and XOR-encrypted. Recent versions are introducing HTTPS support to further obscure traffic. To evade IP-based blacklisting, the malware hardcodes C2 IP addresses that belong to legitimate Content Delivery Networks (CDNs) like Cloudflare and avoids performing DNS lookups, making its network traffic harder to distinguish from legitimate CDN traffic. Below are known indicators (IOCs) associated with Amatera Stealer campaigns.
Network IOCs:
- IP Address: `104.21.80.1` (Linked to Amatera C2 and domain
overplanteasiest[.]top) - Domain/URL: `amaprox[.]icu` (Used for Amatera infrastructure supporting HTTPS)
- UNC/WebDAV Path: `\\r2-gate-entry.terralibre.in.net@80\verification.google`
File IOCs (SHA256):
– `120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2` (Amatera Stealer binary using NTSockets)
– `eac58fda1a095e5db28e46bfec308b47f569db22fc47155821e4ff5d04025c51` (Obfuscated PowerShell Dropper)
5. Cloud and Endpoint Hardening Strategies
As Amatera targets a wide range of data including browser credentials, crypto-wallets, and email clients, organizations must adopt a layered defense. Hardening Windows endpoints is critical. This includes restricting PowerShell execution policies to `AllSigned` to prevent unsigned scripts from running and enabling detailed PowerShell logging (Module, Script Block, and Transcription logging) to capture malicious activity. Additionally, consider implementing Application Control via AppLocker or Windows Defender Application Control (WDAC) to block the execution of binaries like `mshta.exe` and `rundll32.exe` from untrusted locations.
Step‑by‑step guide for hardening Windows endpoints against infostealers:
- Enable Advanced PowerShell Logging via Group Policy (
gpedit.msc): Navigate toComputer Configuration → Administrative Templates → Windows Components → Windows PowerShell. Enable “Turn on PowerShell Script Block Logging” and “Turn on PowerShell Transcription”. - Configure Windows Defender Attack Surface Reduction (ASR) Rules: Use PowerShell to enable rules that block Office applications from creating child processes and block executable content from email client and webmail.
Enable ASR rules to block common LOLBin abuse by infostealers Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A, BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Set-MpPreference -AttackSurfaceReductionRules_Actions Enabled
- Deploy Network-Based Detection: Implement Network Detection and Response (NDR) rules to alert on outbound connections to IP addresses within known CDN ranges (e.g., Cloudflare) that are using non-standard ports or protocols, which could indicate C2 communication.
What Undercode Say:
- The “Fake CAPTCHA” is the new king of social engineering. The ClickFix technique used to distribute Amatera represents a paradigm shift from traditional malicious links. By tricking users into executing system-level commands (Win+R), attackers bypass browser-level security and web filters entirely. Security awareness training must evolve to warn users about this specific “verification” tactic.
- MaaS commoditization is fueling the infostealer epidemic. With pricing as low as $199/month, Amatera lowers the barrier for entry-level cybercriminals. The disruption of Lumma Stealer has created a vacuum that similar services like Amatera are actively trying to fill. This trend ensures that infostealers will remain a persistent and evolving threat for the foreseeable future, requiring continuous adaptation from defenders.
Prediction:
As MaaS platforms like Amatera continue to innovate in evasion, we will likely see a “feature race” between stealers. Future versions are anticipated to integrate AI-driven evasion modules, similar to what is being observed in other families like Xillen Stealer. This could involve dynamic code mutation that leverages large language models (LLMs) to generate unique, single-use payloads, effectively breaking static signature-based detection. Furthermore, we can expect deeper integration of secondary payloads, transitioning from data theft to full-scale ransomware deployment, making infostealers a preferred entry point for more devastating attacks. Consequently, the security industry must shift focus from purely preventative controls to robust detection and rapid response capabilities, with an emphasis on user behavioral analytics and endpoint visibility.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jamie Williams – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


