Full Report
Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera. "Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths,"
Analysis Summary
# Tool/Technique: Amatera Stealer via ClickFix/App-V Chain
## Overview
This entry describes a novel campaign that uses ClickFix-style fake CAPTCHAs to initiate execution and then abuses a signed Microsoft Application Virtualization (App-V) script (`SyncAppvPublishingServer.vbs`) to proxy the loading and in-memory execution of the Amatera information stealer. The primary goal is to evade detection by avoiding direct PowerShell execution and routing initial execution through a trusted, signed Microsoft component.
## Technical Details
- Type: Malware family (Amatera), Technique (Living off the Land/Proxy execution)
- Platform: Windows (specifically targeting Enterprise/Education editions or systems with App-V installed)
- Capabilities: Information Stealing, Evasion via trusted binaries, Staged in-memory execution, Configuration retrieval from external trusted sources.
- First Seen: The specific chain involving App-V abuse in ClickFix attacks is newly reported, though the individual components and actors (DarkHotel, BlueNoroff) have used App-V abuse previously.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - T1216 - Signed Binary Proxy Execution
  - T1216.002 - System Binary Proxy Execution: Application Virtualization
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
  - T1059.003 - Windows Command Shell
  - T1059.005 - Visual Basic
- **TA0011 - Command and Control**
  - T1102 - Web Service
  - T1102.001 - Web Service: Dead Drop Resolver
- **TA0007 - Discovery**
  - T1082 - System Information Discovery (implied; required by stealers)
## Functionality
### Core Capabilities
- **Initial Access Bypass:** Uses a fake CAPTCHA prompt to trick the user into pasting and executing a command in the Windows Run dialog.
- **Execution Proxying:** The initial command executes `wscript.exe` to abuse the signed App-V script, `SyncAppvPublishingServer.vbs`, to retrieve and execute another component in memory.
- **Evasion:** Bypasses PowerShell execution restrictions and defensive measures by leveraging **Living Off The Land (LotL)** through a trusted, signed Microsoft component.
### Advanced Features
- **Configuration Obfuscation (Dead Drop):** Fetches configuration data (including subsequent stages) from a public Google Calendar (ICS file), acting as a trusted third-party dead drop to allow dynamic infrastructure rotation.
- **Multi-Stage In-Memory Loading:** Utilizes several intermediate PowerShell scripts loaded directly into memory (`IEX`) to avoid writing secondary stages to disk.
- **Payload Delivery:** The final payload (Amatera Stealer) is retrieved after the loader downloads a PNG image file via WinINet APIs from compromised domains; the image conceals an encrypted and compressed PowerShell script that is decrypted and decompressed in memory.
- **Anti-Sandbox Checks:** The obfuscated loader performs checks to ensure it is not executing within a sandboxed or automated analysis environment.
## Indicators of Compromise
- File Hashes: (Not explicitly provided in the text)
- File Names: `SyncAppvPublishingServer.vbs` (Abused LOLBin)
- Registry Keys: (Not explicitly provided in the text)
- Network Indicators:
  - Retrieval domains: `gcdnb.pbrd[.]co`, `iili[.]io` (defanged)
  - Configuration source: Google Calendar (ICS file)
- Behavioral Indicators:
  - Execution chain involving `wscript.exe` launching `SyncAppvPublishingServer.vbs`.
  - Use of WinINet APIs for network communication during later stages.
  - Suspicious use of `Invoke-Expression` on a script decrypted and decompressed in memory.
## Associated Threat Actors
- This *specific* chain (ClickFix + App-V abuse) was observed in a current campaign detailed by Blackpoint researchers.
- Earlier abuse of `SyncAppvPublishingServer.vbs` has been observed from **DarkHotel** and **BlueNoroff (APT)**.
## Detection Methods
- **Signature-based detection:** Signatures targeting the final Amatera Stealer payload.
- **Behavioral detection:** Monitoring for the execution of `SyncAppvPublishingServer.vbs` initiated via unconventional means (like the observed command line structure). Detecting process injection or memory manipulation following script execution.
- **YARA rules:** (Not provided in the text)
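The behavioral detection above, expressed as a triage routine over process-creation telemetry. This is an added example, not code from the article or from Blackpoint's report; it assumes Sysmon Event ID 1 style records with `Image`, `ParentImage` and `CommandLine` fields, and the sample events and their command-line payloads are constructed placeholders.

```python
import re
# Tokens that never belong in a legitimate SyncAppvPublishingServer.vbs argument (PowerShell syntax, URLs).
SUSPICIOUS_ARG_TOKENS = re.compile(
    r"(;|\||\biex\b|invoke-expression|https?://|downloadstring|frombase64string)", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
APPV_SCRIPT = "syncappvpublishingserver.vbs"

def image_name(path):
    """Lower-case basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify_process_event(ev):
    """Detection reasons for one Sysmon Event ID 1 style record; an empty list means no finding."""
    reasons = []
    img, parent, cmd = image_name(ev["Image"]), image_name(ev["ParentImage"]), ev["CommandLine"]
    if img in SCRIPT_HOSTS and APPV_SCRIPT in cmd.lower():
        reasons.append("script host launching SyncAppvPublishingServer.vbs")
        # Whatever follows the .vbs path is the argument the script forwards to PowerShell.
        tail = cmd.lower().split(APPV_SCRIPT, 1)[1]
        if SUSPICIOUS_ARG_TOKENS.search(tail):
            reasons.append("PowerShell or URL syntax injected into the .vbs argument")
        if parent == "explorer.exe":
            reasons.append("parent is explorer.exe, consistent with a pasted Run-dialog command (ClickFix)")
    if img == "powershell.exe" and parent in SCRIPT_HOSTS and re.search(r"\biex\b|invoke-expression", cmd, re.I):
        reasons.append("PowerShell with Invoke-Expression spawned by a script host")
    return reasons

def triage(events):
    """Map event index -> reasons for every event with at least one finding."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = classify_process_event(ev)
        if reasons:
            findings[i] = reasons
    return findings

# Constructed sample events (not real telemetry); command-line payloads are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<placeholder>;IEX(<placeholder>)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -NoProfile -Command IEX(<placeholder>)"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs"},  # routine sync, low severity
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]
if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The number of reasons per event gives a crude severity: a bare script-host launch of the .vbs is worth a look, while injected PowerShell syntax plus an explorer.exe parent matches the described ClickFix chain closely.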
## Mitigation Strategies
- **Application Control/Whitelisting:** Restricting execution paths for LotL binaries like `SyncAppvPublishingServer.vbs` if possible, though this is difficult for core OS components.
- **Principle of Least Functionality:** Ensure App-V is only present or enabled where required, as the attack relies on its existence (meaning it primarily targets Enterprise/Education editions).
- **PowerShell Restriction:** Implementing PowerShell logging and Constrained Language Mode to detect or block suspicious script block executions, even when proxied.
- **Network Monitoring:** Monitoring access to external remote services (like Google Calendar) for configuration retrieval during initial execution phases.
## Related Tools/Techniques
- **Amatera Stealer:** The final payload malware family.
- **ClickFix:** The initial vector involving fake CAPTCHAs.
- **LOLBINS:** General technique utilizing signed binaries (`SyncAppvPublishingServer.vbs`).
- **Dead Drop Resolvers:** Technique using trusted third-party services (Google Calendar) for C2/configuration.