Coverage from Bleeping Computer indicates a new malicious campaign is actively distributing the Amatera infostealing malware by combining a fake CAPTCHA verification method with a signed Microsoft Application Virtualization (App-V) script. This sophisticated attack chain utilizes legitimate Microsoft components to evade detection and deliver its harmful payload.The attack begins with a deceptive CAPTCHA prompt, i.e. ClickFix, tricking users into manually executing a command via the Windows Run dialog. This command abuses the SyncAppvPublishingServer.vbs script, a legitimate App-V component, to proxy PowerShell execution through trusted Microsoft binaries like wscript.exe. The malware includes anti-analysis checks to stall in sandbox environments. It retrieves configuration data from a Google Calendar event and uses steganography to hide payloads within PNG images on public CDNs. Ultimately, it decrypts and executes the Amatera infostealer, which is based on the ACR infostealer and offered as a malware-as-a-service.Organizations should consider implementing stricter policies on the use of the Windows Run dialog, disabling unnecessary App-V components, enhancing PowerShell logging, and monitoring network traffic for anomalies to mitigate such threats.Source: Bleeping Computer
Data Security, Malware, Security Operations
Amatera infostealer campaign leverages fake CAPTCHA and App-V scripts

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



