Cybercriminals Exploit Fake CAPTCHA and Microsoft App-V to Deploy Amatera Stealer
In a newly uncovered cyberattack campaign, threat actors are employing a sophisticated blend of social engineering and legitimate Windows components to distribute the Amatera Stealer malware. This method underscores a significant evolution in malware delivery tactics, emphasizing stealth and user manipulation.
Deceptive Entry Point: The Fake CAPTCHA Prompt
The attack initiates when users encounter a counterfeit CAPTCHA prompt, a common security feature designed to differentiate humans from automated bots. Unlike traditional CAPTCHAs that require users to select images or enter text, this fraudulent prompt instructs users to manually execute a command via the Windows Run dialog. Victims are misled into believing that this action is a necessary verification step, thereby unwittingly facilitating the malware’s entry into their systems.
Exploiting Microsoft Application Virtualization (App-V)
Rather than utilizing conventional PowerShell execution methods, which are frequently monitored by security tools, the attackers exploit Microsoft’s Application Virtualization (App-V) framework. App-V is a legitimate Windows component that allows applications to run in a virtualized environment. By leveraging App-V, the attackers can bypass traditional detection mechanisms, as the execution appears to be a standard system process.
Intricate Attack Chain and Evasion Techniques
The attack chain is meticulously crafted to ensure that each stage reinforces the stealth of the previous one. The infection progression is contingent upon specific conditions being met in a precise sequence, making the malware execution highly dependent on user behavior. This deliberate design complicates analysis in sandboxed environments and reduces the likelihood of triggering security alerts.
Analysts from Blackpoint have observed that the campaign exhibits careful planning across multiple execution stages. The attackers chain together signed Microsoft components, execution gates tied to user actions, third-party services, and fully in-memory stages to optimize for reliability and stealth. This comprehensive approach ensures that the malware remains undetected until it achieves its objectives.
Delivery of Amatera Stealer
The ultimate payload of this campaign is the Amatera Stealer, a notorious information-harvesting malware family. Amatera Stealer is designed to exfiltrate sensitive data from infected systems, including credentials, financial information, and personal documents. The innovative delivery mechanism employed in this campaign highlights the evolving strategies of cybercriminals in packaging and distributing malicious code while evading defensive systems.
Understanding the Infection Mechanism
The infection chain begins when victims encounter the fraudulent CAPTCHA interface, which prompts them to paste and execute a command via the Run dialog. This command directs execution through SyncAppvPublishingServer.vbs, a legitimate signed script associated with Microsoft’s Application Virtualization framework, rather than launching PowerShell directly.
This approach is particularly effective because it alters the process execution path from the commonly monitored explorer.exe to powershell.exe sequence. Instead, execution flows through wscript.exe to an App-V publishing script, which blends into legitimate system activity on machines where App-V components are installed.
The attackers leverage the fact that App-V is built into modern Enterprise and Education versions of Windows 10 and Windows 11, allowing them to target valuable enterprise systems while naturally filtering out standard consumer installations lacking these components.
Evasion Strategies and Execution Gates
The initial command sets a temporary environment variable called ALLUSERSPROFILE_X, which functions as an execution marker proving the user manually ran the command. This variable becomes critically important later, acting as a gate preventing progression unless this specific marker exists in the system’s clipboard state.
The embedded PowerShell logic reconstructs sensitive functionality at runtime using aliases and wildcard resolution rather than embedding obvious command strings. For example, the script uses shorthand alias gal to resolve Get-Alias, then calls gal ix to retrieve the iex alias, which ultimately points to Invoke-Expression.
The loader immediately enforces a clipboard-based execution gate searching for the ALLUSERSPROFILE_X marker. If that marker is not present, the script displays decoy messages using script shell popups and then intentionally stalls by entering an infinite wait state. This deliberate inhibition prevents analysis in sandboxes that detonate the script without simulating the expected clipboard state, as they hang indefinitely rather than failing cleanly.
Only when the expected marker is found does execution progress to retrieve configuration data from a public Google Calendar file, allowing attackers to update delivery logic without redeploying earlier stages. The design demonstrates how multiple execution gates, each tied to specific user actions or system state conditions, reinforce the attack chain and make casual analysis significantly harder.
Implications and Recommendations
This campaign underscores the increasing sophistication of cybercriminals in blending social engineering with technical exploitation. By manipulating user behavior and leveraging trusted system components, attackers can effectively bypass traditional security measures.
To mitigate such threats, users and organizations should:
– Exercise Caution with Unusual Prompts: Be wary of unexpected verification requests, especially those instructing manual command execution.
– Monitor System Processes: Regularly review system processes for unusual activity, particularly those involving legitimate components like App-V being used in atypical ways.
– Implement Advanced Threat Detection: Utilize security solutions capable of detecting behavior-based anomalies and multi-stage attack chains.
– Educate Users: Conduct regular training sessions to raise awareness about social engineering tactics and the importance of verifying the legitimacy of prompts and commands.
By adopting a proactive and informed approach, individuals and organizations can enhance their defenses against such sophisticated cyber threats.
