
"As is typically the case with ClickFix attacks, users are tricked into executing malicious commands using the Windows Run dialog in order to complete a reCAPTCHA verification check on bogus phishing pages. The command initiates a multi-step process that involves using the "mshta.exe" binary to launch a PowerShell script that's responsible for downloading a .NET payload downloaded from MediaFire, a file hosting service."
"The payload is the Amatera Stealer DLL packed using PureCrypter, a C#-based multi-functional crypter and loader that's also advertised as a MaaS offering by a threat actor named PureCoder. The DLL is injected into the "MSBuild.exe" process, following which the stealer harvests sensitive data and contacts an external server to execute a PowerShell command to fetch and run NetSupport RAT."
"Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year. "Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services," the Canadian cybersecurity vendor said. "Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Virus solutions, and EDR products.""
The EVALUSION campaign uses ClickFix social engineering to trick users into executing commands via the Windows Run dialog to pass bogus reCAPTCHA checks. The attack chain uses mshta.exe to launch a PowerShell script that downloads a .NET payload from MediaFire. The payload is an Amatera Stealer DLL packed with PureCrypter and injected into MSBuild.exe to harvest wallets, browsers, messaging apps, FTP clients, and email credentials. Amatera is sold via subscription plans ranging from $199/month to $1,499/year and incorporates WoW64 SysCalls to evade user-mode hooking and security products. The stealer contacts an external server to fetch and run NetSupport RAT.
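As an added illustration, not code from The Hacker News article or from the vendor's research, the Python below flags the process chain summarised above (Run dialog to mshta.exe to PowerShell, and an injected MSBuild.exe reaching out to the internet) in Sysmon-style process-creation and network-connection telemetry. The event layout, the rule names and the sample events are constructed assumptions, not data from the campaign.

```python
"""Flag events matching the ClickFix -> mshta.exe -> PowerShell -> MSBuild.exe
chain. Event shape loosely follows Sysmon (EventID 1 = process creation,
EventID 3 = network connection). All sample events are constructed."""
from pathlib import PureWindowsPath

def _name(path):
    """Basename of a Windows path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, pid) hits. Rule names are assumptions for this example."""
    hits = []
    for ev in events:
        img, parent = _name(ev.get("Image", "")), _name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            # Run dialog launches come from explorer.exe; mshta fetching remote content
            if img == "mshta.exe" and parent == "explorer.exe" and "http" in cmd:
                hits.append(("run_dialog_mshta_remote", pid))
            # mshta.exe is not a normal parent of PowerShell
            if img == "powershell.exe" and parent == "mshta.exe":
                hits.append(("mshta_spawns_powershell", pid))
            # an injected MSBuild.exe launching the NetSupport RAT stage
            if img == "powershell.exe" and parent == "msbuild.exe":
                hits.append(("msbuild_spawns_powershell", pid))
        elif ev["EventID"] == 3 and img == "msbuild.exe":
            # a build tool has no business talking to non-private addresses
            if not ev.get("DestinationIp", "").startswith(("10.", "192.168.", "127.")):
                hits.append(("msbuild_external_connection", pid))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not campaign data
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/verify"},
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe <script placeholder>"},
    {"EventID": 3, "ProcessId": 4180,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "ProcessId": 4200,  # benign: an admin opening a shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The private-address prefixes are a deliberately crude allowlist; a production rule would use the organisation's real internal ranges and tune the MSBuild rule for build hosts.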
Read at The Hacker News