CyberWire Daily - Click here to steal. [Research Saturday]
Episode Date: July 12, 2025
Today we are joined by Selena Larson, Threat Researcher at Proofpoint, and co-host of Only Malware in the Building, as she discusses their work on "Amatera Stealer - Rebranded ACR Stealer With Improved Evasion, Sophistication." Proofpoint researchers have identified Amatera Stealer, a rebranded and actively developed malware-as-a-service (MaaS) variant of the former ACR Stealer, featuring advanced evasion techniques like NTSockets for stealthy C2 communication and WoW64 Syscalls to bypass user-mode defenses. Distributed via ClearFake web injects and the ClickFix technique, Amatera leverages multilayered PowerShell loaders, blockchain-based hosting, and creative social engineering to compromise victims. With enhanced capabilities to steal browser data, crypto wallets, and other sensitive files, Amatera poses a growing threat in the wake of disruptions to competing stealers like Lumma. Complete our annual audience survey before August 31. The research can be found here: Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it
peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down
the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
One of the main initial access vectors
that we have been very closely tracking are web injects,
which of course are injects on legitimate
but compromised websites that have been observed delivering a variety of different malware.
Many of those payloads do tend to be information stealers.
And so in this case, we were able to see a malware that became known as Amatera Stealer,
or that's what we later identified it as, being delivered via web injects.
That's Selena Larson, threat researcher
and lead for intelligence analysis
and strategy at Proofpoint.
The research we're discussing today is titled
Amatera Stealer, rebranded ACR Stealer
with improved evasion and sophistication.
We also saw a number of samples in open source, like on VirusTotal.
Some of our colleagues at other research teams also observed it in other tech chains.
But what's really interesting to me is the fact that the stealer landscape right
now is so dynamic.
And this particular stealer is basically a rebranded stealer known as ACR Stealer, but
it's got a lot of updates to it.
And I think that one of the most important things from a cyber criminal perspective,
especially now in the landscape are taking a look at information stealers, taking a look
at this landscape, trying to figure out, you know, what are threat actors using?
How are they, you know, developing workarounds for defense?
What are the different delivery mechanisms that we're seeing a lot of?
Because, you know, as we've talked about previously on various podcasts, Dave, the information
stealer landscape right now is booming and that's where, you know, it's a very, very
serious threat.
And so, yeah, so this was an interesting sort of little deep dive that we were able to see
about this pretty interesting information stealer.
So you mentioned ACR Stealer.
What set Amatera Stealer apart that it's not just a variant of ACR, that it is its own
unique thing?
Yeah.
So, there are significant portions of code overlap that exist with ACR Stealer analysis
in the public.
And so, that's kind of where we're like, oh, is this just updated or ACR?
But it's really featured a full rebrand.
So, Amatera Stealer is actually sold as a malware
as a service, which is what we see from a lot
of these very prominent information stealers.
Lumma, for example, was pretty much the most popular
malware as a service in terms of the information
stealer ecosystem, and then it got disrupted.
And so, that's also, we can talk about that
as part of this conversation too, but that's why we're kind of keeping an eye on how the InfoStealer landscape is moving.
But what we did find was this particular malware had a bunch of new,
interesting anti-analysis features.
There was some improved sophistication of the malware,
the command and control operates a lot differently. The actual, where you can purchase it or manage it from,
you know, the panel, we were able to get eyes on a panel.
It's called the Amatera Stealer.
So, you know, you can actually see like the payment
structure and the tier structure.
And what was interesting is that back in July of 2024,
the ACR support channel, which is of course
on Telegram as many of these things are, basically they said, you know, we're not going to sell
ACR Stealer anymore. You know, we're closed for an indefinite period, but you know, there
will be no problems. We do not say goodbye. This is of course all in Russian, but we included
a machine translated version of that message.
So, I said, okay, this is not goodbye.
And so then, around December, towards the end of last year, this new ACR, Amatera Stealer,
sort of popped up and the panel began surfacing.
And so, we were able to kind of see some of those overlaps in terms of the timeline of
the stealer and sort of the rebrand with a bunch of new features.
I see. So your belief is that this is the same group who created ACR Stealer. This is an updated version.
Mm-hmm. Mm-hmm. Yeah.
So the research talks about how Amatera is distributed via ClearFake campaigns and also these ClickFix
techniques.
For anyone in our audience who might not be familiar with ClickFix, can you give us a
quick description of how that works?
Yeah, of course.
And I do, you know, I have to say, I recognize that it's very tough to keep a full understanding
of the threat
landscape. We're saying things like ClearFake and ClickFix, and you know we talk
about this technique called EtherHiding and all these things, and certainly
ClearFake is just one of many types of web inject campaigns. So you know I
just want to say that if you're wondering, what is ClearFake? I've
never heard of this before. That is totally fine.
Don't let your imposter syndrome kick in
because it's not you.
No, it's the landscape.
It's so crazy right now.
Like the amount of web inject campaigns that we're seeing,
many of which use the ClickFix technique,
which I'll describe in just a second.
So there's so many out there.
So yeah, so ClickFix is actually a really interesting social engineering technique
whereby threat actors will either through web injects or direct URLs or in some way
essentially show you this dialogue that says you need to update for security purposes,
or you need to solve this CAPTCHA
in order to actually access this content.
And what that basically does is it tricks them into copying,
pasting, and running PowerShell on their own host.
So what we saw, for example, with this ClearFake campaign,
and again, ClearFake is a type of web inject campaign,
that when they go to a website that's compromised by ClearFake injects, they were presented with this fake CAPTCHA.
So it says, complete these verification steps to prove you're not a robot.
And then the instructions that it actually gives you are numbered one, two, and three.
One is press and hold the Windows key plus R,
then in the verification window press
Ctrl V and then press Enter.
So it's literally the step-by-step,
this is how to do this.
But ultimately what it is,
is you're running a ClickFix PowerShell command.
So it's ClickFix,
the technique is this click to fix, basically copying,
pasting, and running PowerShell. And this is something that we've seen from just
tons of actors. It's completely overtaking the landscape.
Yeah. I mean, it really seems like it is the flavor of the month right now, right?
Oh, absolutely. Yeah. And we've even seen it with espionage threat actors using this sort of ClickFix technique.
We see a lot of different sort of styles of the ClickFix technique.
We see it with just, of course,
update your Chrome browser.
Of course, we see it with that. We see the CAPTCHA, prove you're not a robot.
But we've even seen it with very specific and customized software that
a specific target might be using for transportation logistics, for instance, and it'll be like,
oh, you have to update this very specific software.
So threat actors are taking this idea of the ClickFix
technique to copy, paste, and run PowerShell on a host,
and just making it unique for whatever their purposes are.
And I think that that is one interesting part of
this whole story actually is this ClickFix
technique, just exploding all across the landscape, where you have these web inject
threat actors like ClearFake, LandUpdate, a lot of the other threat actors that were
trying to see PHP.
A lot of these different clusters are using these sort of fake web inject style things
compared with ClickFix.
We see it with email threat actors as well,
distributing URLs in ClickFix.
It's just everywhere.
It's like that meme, it's like ClickFix,
ClickFix everywhere.
Like you see at the Toy Story meme,
it's like it's everywhere.
Right, right.
Which we assume means that they're seeing
great success with it.
That is how I am interpreting this.
I mean, yeah, the thing is, is typically when you see an explosion of a technique proliferate
like this across the landscape, it tends to be very effective.
I mean, you know, we're not going to see all of these actors using the same technique if
it's not working, which is what actually kind of, you know, it kind of freaks me out.
And they're well-designed lures too.
Like I have to say, they're very like,
it's a believable CAPTCHA if you don't really know
the steps that you're taking or whatever.
It is pretty believable.
So earlier in our conversation,
you alluded to this technique called EtherHiding.
Can you unpack that one for us?
So EtherHiding is kind of interesting.
Basically, it uses something called a Binance Smart Contract
that has this JavaScript stored in that smart contract.
And then that is what will kind of generate the CAPTCHA
and malicious command on the actual host.
And what the actor can do is like modify the smart contract
instead of like the inject itself basically.
And it kind of has like, it's kind of complicated.
And it's really just like the ClearFake cluster is one of the only ones that we see regularly
kind of adopting this EtherHiding technique. But yeah, but it's essentially using the blockchain to store
this command in a way that they can update that when they need to.
Then oftentimes they might just leave it and not modify it at all.
So it's kind of, yeah, it's basically, you can block the domain on which the script is actually hosted, which is like the actual smart contract. And that
is kind of what the threat actor is using, as opposed to injecting the JavaScript directly
on the website, for example. There's a lot of different techniques that web inject threat actors use.
And EtherHiding is one of them
that we see with ClearFake.
We'll be right back.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots,
and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture
while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting
out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and
third-party risk, and even customer trust, so you're not buried under spreadsheets
and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are
129% more productive. It's a pretty impressive number. So what does it mean
for you? It means you get back more time and energy to focus on what actually
matters, like strengthening your security posture and scaling your business. Vanta,
GRC, just imagine how much easier trust can be. Visit vanta.com slash
cyber to sign up today for a free demo. That's vanta.com slash cyber.
CSOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every
machine identity, certificates, secrets, and workloads
across all environments, all clouds, and all AI agents. Designed for scale, automation,
and quantum readiness, CyberArk helps modern enterprises secure their machine future.
Visit cyberark.com machines to see how.
So what are Amatera's goals once it lands on a victim's machine? What sort of data is it looking to steal?
Yeah, so as you might imagine, stealers nowadays just have a lot of different capabilities.
Of course, they're going after passwords,
they're going after crypto wallets,
stealing files on disks,
browser cookies, web forms, things like that.
Then of course, you have
Amatera Stealer that is also capable of running secondary payloads.
So it could potentially download and execute files like executables,
or you can download and execute PowerShell.
So it has both the stealing functionality as well
as the ability to run follow-on payloads.
Is the malware's configuration static or does it have the ability to dynamically adapt?
So what's actually interesting is it used to use command and control
using Steam or Telegram dead drops, which we see a lot of times with various
stealers. We actually covered it before in one of our blog posts with Vidar
Stealer, for example, where they will regularly use Steam or Telegram for
command and control. But in this case, they actually
started using NTSockets for command and control.
So this increases the stealthiness of the C2 communication.
So the way that the command and control is set up,
it bypasses commonly used Windows networking APIs,
which a lot of times your endpoint detection analysis tool
will rely on for visibility into the HTTP requests.
Another thing that's interesting in terms of
the malware capability is not using DNS.
It will use C2 via IP address,
and the IP address in the cases that we were looking at was not owned
by the threat actor but was using a CDN endpoint address.
In this case, it was Cloudflare.
So yeah, so it has a little bit of interesting C2 communications that make it a little bit
tricky.
So for example, if they're using an IP address that's associated to a public CDN like Cloudflare,
security operations might be reluctant to just block the IP address by default, right?
It's not like you can just block a C2 domain that we often see using like malware, command
and control for malware.
But with an IP that belongs to this public CDN that's probably used by a lot of different
things, it might be like, okay, we might not block this because it could be used by
legitimate websites that are also using CDN.
In addition to that,
not using a domain name or DNS for C2 also means that it
can't be blocked or alerted on through DNS monitoring.
There's no DNS lookup for the domain name.
There's some of these other C2 functionalities that are trying to evade detection in a way that previous examples of similar malware you don't necessarily see.
Looking at the landscape here, Lumma Stealer was disrupted. Do we think that Amatera is stepping in to fill that gap? So I feel like it's a little bit early
to say yes or no, but I do want to point out in terms of the actual pricing
structure with Amatera and how because of these MaaS, which is such a funny word,
malware as a service, MaaS offering.
The way that they work right is that you pay to be able to access and use the information
stealer and it was very similar.
And it's actually not too expensive.
So for three months for 500 bucks or like a full year for 1500 bucks, like this is what
the pricing information for
the publicly accessible panel we were able to see.
And so I think that, first of all,
having a MaaS offering can sometimes
lower the barrier to entry for a lot of cyber criminals.
But also it does enter the scene at
this moment where people might be leaving
Lumma Stealer for a variety of reasons.
Lumma isn't fully eradicated.
A lot of the infrastructure was disrupted.
It was obviously a big win for law enforcement and private sector.
But we're still seeing some Lumma activity even after the take-down,
certainly not what it was.
But what's great about a lot of these disruptions,
in addition to actually disrupting infrastructure,
doing takedowns, all of that stuff,
is it really makes it so that the criminal who's operating this,
doesn't have the same sort of trust and
brand recognition and authority in the marketplace,
right? And so what you often see is when these things happen is you'll have the criminals
who are using whatever malware is go to greener pastures, so to speak. You know, maybe malware
that isn't quite so under the microscope, maybe they try and build their own thing.
Maybe they stop doing crime, which is the ideal outcome.
Yeah. What an adorable thought.
I know. In a perfect world, if you're like a criminal is doing crime
and then the tool that they're using gets like it's like busted and targeted by law enforcement.
Like imagine if they decide to change their behavior and just leave the game.
Yes, time for me to step back and rethink my life.
Right. Yeah. Like, oh, okay. Maybe I can go in a different direction here.
Yeah.
So, yeah. So I think the market is now, I think, a little bit more open for some of
these people who are like, okay, do I not trust Lumma Stealer anymore because it was
a target of law enforcement disruption? Should I be spending money elsewhere? And if I was a malware author marketing my
malware as a service, I'd be like, hey, I'm not that guy.
Right, right.
Yeah, I don't have law enforcement breathing down my neck with all of these big blogs and
reporting coming out about how I operate and all these things that have
been taken down and made my life a little bit challenging.
So yeah, I think it is an opportunity for cybercriminals to find, okay, what's next?
But that's why it's so important to really be sort of monitoring on top of the information
stealer landscape because certainly Lumma was big and popular, but it's not the only one.
And certainly what we're seeing,
certainly with Amatera, for example,
is it's under active development.
So, you know, we're seeing them continuously modifying,
updating, making changes to this malware
to make it from their perspective, better,
more effective, more useful for the cyber criminal operators.
And of course, you know, we wrote a bunch of sections for it, we have coverage for it,
published some rules associated with it.
But it's, you know, it's very important to sort of stay on top of these things because
they are under active development.
And at any point, something like the Lumma disruption could happen and
everyone flocks of something else.
So, I do think it's still too early to say for sure, like this is
definitely replacing Lumma Stealer.
But, you know, having other options on the market and making sure that we
have detections and defense against it is super important.
So what's your recommendation then for defenders?
How should a security team go about protecting themselves against this?
Yeah, so first of all, update, make sure you have existing network signatures that will detect
this traffic and the command and control checking and exfiltration, the traffic, things like that.
There are rules that we published that are associated with this.
One thing that I really, really want to make sure to hammer home is that people are aware
and incorporate the ClickFix technique into their existing security training.
Making sure that people are aware of the new types of social engineering and techniques
that are being used by threat actors is very, very important. Also, restricting your average user from running unauthorized
PowerShell is really important here because, like, literally copy-pasting running PowerShell
is like they're infecting themselves. And making it so that end users can't do that is something that is very important.
And yeah, I think those are kind of the two main things is to make sure that you're aware that this is happening
and doing, you know, practicing defense in depth and making it so that users can't, you know, be running PowerShell.
There are other ways that we've seen Amatera delivered as well.
So, things like SEO poisoning, fake software downloads,
things like that.
So that's also very, very important.
Restricting downloads from unknown domains,
unrecognized domains really block traffic,
especially from newer, just registered domains,
things like that are impersonating enterprise software,
for example, and also not downloading
unauthorized software.
So oftentimes you'll see a lot of information stealers will be masquerading as, for example,
a VPN app or a PDF reader or a document reader, things like that.
And so, you know, making, restricting those, the downloads from those types of tooling and only authorized, like making sure if you need something
like a PDF reader, go to your IT department
and ask for that, is I think important to note here as well.
User education, I think is really important and really big,
but also making sure that you as an organization
have defense in depth, and if a user does take
an unsafe action,
then they're blocked from the subsequent actions
that could happen as a result of that activity.
Our thanks to Selena Larson from Proofpoint for joining us.
The research is titled Amatera Stealer, rebranded ACR Stealer with improved evasion and sophistication.
We'll have a link in the show notes.
And that's Research Saturday brought to you by N2K Cyberwire.
We'd love to hear from you.
We're conducting our annual survey to learn more about our listeners.
We're collecting your insights through the end of this summer.
There's a link in the show notes.
Please do check it out.
This episode was produced by Liz Stokes.
We're mixed by Elliott Peltzman and Tré Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware and phishing to neutralize
identity-based threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.