EVALUSION Campaign Delivers Amatera Stealer and NetSupport...
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targets crypto-wallets, browsers, and messaging apps. The attack chain involves social engineering, PowerShell stages, and a .NET-based downloader. Amatera communicates with its C2 server using encrypted channels and can deploy additional payloads. The campaign selectively targets systems with valuable data or domain membership before deploying NetSupport RAT. Recommendations include disabling mshta.exe, restricting the Run prompt, implementing phishing awareness training, and using Next-Gen AV or EDR solutions.
OPENCTI LABELS:
amatera stealer,crypto-wallets,clickfix,acr stealer,c2 communication,evasion techniques,information theft,powershell,netsupport rat
AI COMMENTARY:
1. The recent EVALUSION campaign detailed in the report "EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT" represents a sophisticated malware operation that has drawn the attention of security teams around the globe. The eSentire Threat Response Unit found that adversaries are using the ClickFix social engineering technique as an initial access vector to infiltrate target environments and achieve persistence.
2. Threat actors begin their intrusion with social engineering lures or phishing emails that trick users into executing the commands presented by a ClickFix lure. Once that first command runs, it serves as the foothold for a multi-stage infection chain: a PowerShell stage retrieves a .NET-based downloader, laying the groundwork for the deployment of the advanced malware components that follow.
3. At the heart of the campaign lies Amatera Stealer, a rebranded iteration of ACR Stealer outfitted with cutting-edge evasion techniques. By invoking WoW64 SysCalls, Amatera bypasses traditional security solutions and operates stealthily within 32-bit subsystems on 64-bit Windows hosts. Its primary objectives include harvesting cryptocurrency wallet credentials, browser-stored passwords, and data from popular messaging applications.
4. After stealing sensitive information, Amatera Stealer communicates with its command-and-control (C2) infrastructure using encrypted channels to avoid detection. The stealer’s modular design allows it to fetch additional payloads on demand, providing attackers with flexibility to tailor the malware suite to each compromised environment’s unique profile.
5. Once the threat actors confirm the presence of valuable assets or enterprise domain membership on a victim machine, they deploy NetSupport RAT to extend their control. NetSupport RAT offers remote desktop capabilities, keylogging, file transfer, and system reconnaissance features, granting persistent access and enabling lateral movement within the network.
6. Organizations looking to defend against the EVALUSION campaign must adopt a layered security posture. Disabling mshta.exe reduces the risk of executing malicious HTML applications, and restricting access to the Run prompt can prevent unsanctioned script launches. Phishing awareness training helps users recognize and report suspicious messages before they lead to compromise.
7. Finally, integrating Next-Generation Antivirus or Endpoint Detection and Response (EDR) platforms enhances visibility into anomalous behaviors such as unusual syscall activity, unauthorized PowerShell usage, and encrypted C2 data flows. Continuous threat hunting combined with regular patching and privilege management remains critical to thwarting threats like Amatera Stealer and NetSupport RAT.
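The two host-hardening steps recommended above (disabling mshta.exe and restricting the Run prompt) as an added PowerShell example; this is not code from the eSentire report or from the OpenCTI page. It assumes a domain-joined or standalone Windows 10/11 endpoint with AppLocker available, an elevated session, and a test machine before fleet rollout; the rule names, description text and temporary file path are assumptions. The AppLocker deny rules are merged into the existing policy rather than replacing it, because an enforced Exe rule collection that contains only deny rules and no allow rules would block every executable.

```powershell
# Added example (not from the eSentire report or OpenCTI page): apply the two host
# hardening recommendations on a Windows endpoint. Run elevated, on a test machine first.

# 1. Block mshta.exe with AppLocker deny rules for both the 64-bit and the WoW64 copy.
#    Rule names/description are assumptions; the XML follows the AppLocker policy schema.
$rules = foreach ($path in '%SYSTEM32%\mshta.exe', '%WINDIR%\SysWOW64\mshta.exe') {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe ($path)" Description="EVALUSION hardening" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

# -Merge keeps the existing allow rules; a deny-only enforced Exe collection would block everything.
$policyPath = Join-Path $env:TEMP 'deny-mshta.xml'   # assumed scratch location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only enforces while the Application Identity service runs. It is a protected
# service on current Windows builds, so configure it with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Remove the Run prompt (Win+R / Start > Run) for the current user with the documented
#    Explorer policy value NoRun = 1. Deploy the same setting via Group Policy for fleet coverage.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
New-ItemProperty -Path $explorerPolicy -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Verify: the effective AppLocker policy should now reference mshta.exe,
#    and the NoRun value should read back as 1.
$mshtaBlocked = (Get-AppLockerPolicy -Effective -Xml) -match 'mshta\.exe'
$runDisabled  = (Get-ItemProperty -Path $explorerPolicy -Name 'NoRun').NoRun -eq 1
"mshta.exe deny rule present: $mshtaBlocked; Run prompt disabled: $runDisabled"
```

The NoRun value takes effect after the user signs in again (or Explorer restarts). AppLocker deny rules apply to new process launches immediately once the policy is merged and the Application Identity service is running; confirm the rule is hit by checking the AppLocker EXE and DLL event log (event ID 8004) when mshta.exe is launched on the test machine.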