Current Cyber Threats

Novel Fake CAPTCHA Chain Delivering Amatera Stealer

Summary:
The Blackpoint SOC has identified a novel threat campaign delivering the Amatera Stealer through a sophisticated Fake CAPTCHA social engineering chain. This campaign targets users on Microsoft Windows Enterprise, Education, and Server editions by leveraging a signed Microsoft Application Virtualization (App-V) script, SyncAppvPublishingServer.vbs, as a Living-off-the-Land Binary (LOLBIN). The attack begins with a deceptive Fake CAPTCHA prompt that instructs users to manually execute a command via the Windows Run dialog, effectively bypassing standard execution chains like explorer.exe.

This initial access vector uses wscript.exe to proxy PowerShell execution through the trusted App-V component, a technique designed to evade security controls and to disrupt analysis in sandbox environments that lack App-V. The malware avoids the standard PowerShell networking cmdlets (such as Invoke-WebRequest or Invoke-RestMethod), which are commonly hooked by EDRs. Instead, it manually constructs HTTP GET requests using the .NET classes System.Net.Sockets.TcpClient and System.Net.Security.SslStream, writes directly to the TLS stream, and parses the HTTP header delimiter by hand. When parsing the Google Calendar .ics file, the loader scans specifically for a VEVENT entry whose SUMMARY value is povvv; this acts as a selector that ignores decoy events in the calendar and extracts the correct configuration. The adversary enforces strict execution gates, such as checks for specific clipboard contents and temporary environment variables (ALLUSERSPROFILE_X), so the malware quietly stalls if these human-interaction markers are missing. The article notes that the string GETWELL is embedded within the malware payload and identifies it as a reliable, recurring static indicator for the Amatera family.

Security Officer Comments:
The campaign exhibits advanced evasion trends, including "living off someone else's infrastructure" and in-memory execution. The malware retrieves live configuration data from a public Google Calendar .ics file and downloads encrypted payloads hidden within PNG images via steganography hosted on public CDNs. The PowerShell stages utilize heavy obfuscation, abusing aliases and wildcards (e.g., gal for Get-Alias) to dynamically resolve sensitive cmdlets at runtime, while custom HTTPS fetch routines avoid standard networking telemetry. The final payload, Amatera Stealer, is an information-stealing malware capable of harvesting browser data and credentials, communicating via layered encryption to mask its Command and Control (C2) traffic. The risk assessment highlights a high severity for organizations with App-V enabled, as the campaign's deliberate avoidance of disk artifacts and reliance on legitimate third-party services allow it to slip past defenses designed to detect obvious malware.

Suggested Corrections:
IOCs are available in the blog post.

Tailored Recommendations from Blackpoint SOC
  • Restrict access to the Windows Run dialog via Group Policy to prevent Fake CAPTCHA style command execution.
  • Remove App-V components where they are not required to eliminate abuse via SyncAppvPublishingServer.vbs.
  • Educate users to recognize Fake CAPTCHA lures and avoid executing commands presented through pop-ups or unexpected prompts.
  • Enable comprehensive PowerShell logging and monitor for alias-heavy, wildcard-based, or dynamically constructed execution patterns.
  • Monitor for suspicious process lineage involving script hosts and PowerShell, such as explorer.exe → wscript.exe → powershell.exe → powershell.exe.
  • Alert on PowerShell execution originating from App-V scripts such as SyncAppvPublishingServer.vbs.
  • Monitor for outbound connections where the requested Host header or TLS SNI does not align with the resolved IP address.
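As an added illustration of the lineage and App-V monitoring recommendations above (example code written for this brief, not Blackpoint's tooling), the following script walks constructed Sysmon-style process-creation records and flags PowerShell processes whose ancestry matches explorer.exe → wscript.exe → powershell.exe → powershell.exe, or whose parent command line invokes SyncAppvPublishingServer.vbs; the field names and sample events are assumptions.

```python
"""Flag the process lineage and App-V script abuse described in the brief,
using constructed process-creation events (pid, ppid, image, cmdline)."""
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry): one benign child of
# explorer.exe and the suspicious Run-dialog -> wscript -> App-V -> PowerShell chain.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" [args redacted]'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass [stage 1 redacted]"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden [stage 2 redacted]"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SUSPICIOUS_CHAIN = ("explorer.exe", "wscript.exe", "powershell.exe", "powershell.exe")
APPV_SCRIPT = "syncappvpublishingserver.vbs"  # LOLBIN named in the brief


def lineage(events, pid):
    """Return lower-cased image names from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(PureWindowsPath(by_pid[pid]["image"]).name.lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_suspicious(events):
    """Return (pid, reason) for every PowerShell process matching either rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "powershell.exe":
            continue
        chain = lineage(events, e["pid"])
        # Rule 1: the exact lineage called out in the recommendations.
        if tuple(chain[-len(SUSPICIOUS_CHAIN):]) == SUSPICIOUS_CHAIN:
            hits.append((e["pid"], "lineage explorer>wscript>powershell>powershell"))
        # Rule 2: PowerShell spawned by the App-V publishing script.
        parent = by_pid.get(e["ppid"])
        if parent and APPV_SCRIPT in parent["cmdline"].lower():
            hits.append((e["pid"], "parent launched SyncAppvPublishingServer.vbs"))
    return hits
```

Rule 2 fires on the first PowerShell stage, before the full four-process chain exists, so the two rules complement each other rather than duplicate one alert.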
Link(s):
https://blackpointcyber.com/blog/novel-fake-captcha-chain-delivering-amatera-stealer/