
Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication

Medium
Published: Wed Jun 18 2025 (06/18/2025, 17:19:09 UTC)
Source: AlienVault OTX General

Description

Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64 Syscalls to bypass user-mode hooking, and supports HTTPS requests. It focuses on stealing information from browsers, crypto wallets, and various software. The malware can also execute secondary payloads. Amatera Stealer is actively developed and sold as a malware-as-a-service, with subscription plans ranging from $199 to $1,499.

AI-Powered Analysis

AI analysis last updated: 06/18/2025, 20:01:47 UTC

Technical Analysis

Amatera Stealer is a sophisticated information-stealing malware identified as a rebranded and enhanced version of the previously known ACR Stealer. It is distributed primarily through ClearFake website injections, which are malicious code injections into legitimate websites to silently deliver the malware to victims. The malware employs advanced evasion techniques including the use of NTSockets for stealthy command and control (C2) communication, which helps it avoid detection by traditional network monitoring tools. Additionally, it leverages WoW64 syscalls to bypass user-mode hooking, a common technique used by security software to intercept and block malicious API calls. Amatera Stealer supports HTTPS requests, further obfuscating its network traffic and making detection more challenging. The primary objective of Amatera Stealer is to exfiltrate sensitive information from infected systems. It targets web browsers to steal stored credentials, cookies, and browsing data, as well as cryptocurrency wallets, which are high-value targets due to the direct financial impact. It also targets various software applications to broaden its data collection scope. The malware has the capability to execute secondary payloads, allowing attackers to deploy additional malicious tools or ransomware after initial infection. Amatera Stealer is actively developed and marketed as malware-as-a-service (MaaS), with subscription pricing tiers ranging from $199 to $1,499, indicating a commercial and scalable threat model. Technical indicators include multiple file hashes and domains associated with the malware’s infrastructure, such as "amaprox.icu" and "badnesspandemic.shop". The malware’s tactics align with several MITRE ATT&CK techniques, including credential dumping (T1056.001), web injects (T1573.001), process injection (T1055), and stealthy communication (T1102), among others. 
Despite its sophistication, there are no known exploits in the wild targeting specific vulnerabilities, suggesting infection relies on social engineering or exploitation of web injects to deliver the payload. Overall, Amatera Stealer represents a medium-severity threat due to its targeted data theft capabilities, evasion sophistication, and active commercial distribution, posing a significant risk to individuals and organizations handling sensitive credentials and cryptocurrency assets.

Potential Impact

For European organizations, Amatera Stealer poses a considerable risk primarily through the theft of credentials and sensitive data from browsers and cryptocurrency wallets. This can lead to unauthorized access to corporate accounts, financial theft, and potential lateral movement within networks if stolen credentials are reused. The malware’s ability to execute secondary payloads increases the risk of follow-on attacks such as ransomware or espionage. Given the widespread use of browsers and crypto wallets in Europe, especially in financial, technology, and governmental sectors, the impact could include financial losses, reputational damage, and regulatory penalties under GDPR for data breaches. The stealthy communication and evasion techniques make detection and response more difficult, potentially allowing prolonged unauthorized access. The MaaS model lowers the barrier for less skilled attackers to deploy this malware, increasing the likelihood of widespread infections. European organizations with remote or hybrid work environments may be particularly vulnerable due to increased exposure to web-based attack vectors. Additionally, the targeting of crypto wallets is relevant given the growing adoption of cryptocurrencies in Europe, including in countries like Germany, the Netherlands, and Switzerland.

Mitigation Recommendations

1. Implement advanced endpoint detection and response (EDR) solutions capable of detecting WoW64 syscall anomalies and unusual process injection behaviors.
2. Monitor network traffic for suspicious use of non-standard socket communications such as NTSockets, and enforce strict egress filtering to block unauthorized outbound connections, especially to known malicious domains like those identified (e.g., "amaprox.icu").
3. Harden browsers by disabling or restricting the use of stored credentials and cookies where possible, and enforce multi-factor authentication (MFA) to reduce the impact of stolen credentials.
4. Educate users about the risks of phishing and web injects, emphasizing safe browsing practices and the dangers of interacting with suspicious websites.
5. Regularly audit and monitor cryptocurrency wallet usage and implement hardware wallets or cold storage solutions to protect high-value assets.
6. Employ application allowlisting to prevent execution of unauthorized secondary payloads.
7. Keep all software and security tools updated to detect emerging variants and employ threat intelligence feeds to block known indicators of compromise (IOCs) such as hashes and domains associated with Amatera Stealer.
8. Conduct regular incident response drills focusing on detection and containment of information stealers to improve organizational readiness.
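Recommendations 2 and 7 come down to matching the indicators listed further down this page against your own telemetry. The script below is an added example (not from Proofpoint, AlienVault or the page's analysis) that does exactly that: it loads the six domains and eight hashes from the IoC section, checks hostnames from proxy or DNS logs against the domain list with proper subdomain handling (so "x.cv.cbrw.ru" matches but "notamaprox.icu" and "amaprox.icu.example.com" do not), and hashes file contents with the algorithm each indicator's length implies. The log format (timestamp, user, source IP, destination host or URL, action, whitespace-separated) and the sample log lines are constructed for the example and are not any vendor's schema.

```python
"""Match the Amatera Stealer IoCs from this page against logs and files.

Added example; the log layout is a constructed five-field format:
    <timestamp> <user> <src_ip> <host-or-url> <action>
"""
import hashlib
from urllib.parse import urlsplit

# Domains copied from the page's "Domain" IoC table.
AMATERA_DOMAINS = {
    "amaprox.icu",
    "badnesspandemic.shop",
    "overplanteasiest.top",
    "b1.talismanoverblown.com",
    "cv.cbrw.ru",
    "tt.cbrw.ru",
}

# File hashes copied from the page's "Hash" IoC table (MD5, SHA-1, SHA-256 mixed).
AMATERA_HASHES = {
    "1b4a67d5fc078f87ab5574c970c297f4",
    "da9825ec812af43e4177c25b0fc98917a1e5fd99",
    "055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b",
    "120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2",
    "2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991",
    "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af",
    "7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea",
    "ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55",
}


def hash_algorithm(hexdigest):
    """Infer the digest algorithm from hex length (32/40/64 chars)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hexdigest))


def host_matches(host):
    """True if host is a listed domain or a subdomain of one.

    Suffix matching is anchored on a dot so that look-alikes such as
    'notamaprox.icu' or 'amaprox.icu.example.com' do not match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AMATERA_DOMAINS)


def extract_host(field):
    """Pull a bare hostname out of a URL or host[:port] log field."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.split(":", 1)[0]


def scan_log(lines):
    """Return (timestamp, host) for every line whose destination is an IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        host = extract_host(parts[3])
        if host_matches(host):
            hits.append((parts[0], host))
    return hits


def file_matches(data):
    """Hash file bytes with each algorithm and return (algorithm, digest) hits."""
    hits = []
    for alg in ("md5", "sha1", "sha256"):
        digest = hashlib.new(alg, data).hexdigest()
        if digest in AMATERA_HASHES:
            hits.append((alg, digest))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-06-18T17:19:09Z alice 10.0.0.5 https://amaprox.icu/api/ ALLOW",
    "2025-06-18T17:20:01Z bob 10.0.0.6 login.microsoft.com ALLOW",
    "2025-06-18T17:21:30Z carol 10.0.0.7 tt.cbrw.ru:443 BLOCK",
    "2025-06-18T17:22:00Z dave 10.0.0.8 amaprox.icu.example.com ALLOW",
    "garbage line",
]

if __name__ == "__main__":
    for ts, host in scan_log(SAMPLE_LOG):
        print(f"{ts} contacted Amatera IoC domain {host}")
    print("sample bytes match:", file_matches(b"constructed, not a real sample"))
```

Feed the hash side whole files (read in binary mode) and the log side one line per entry; both return plain lists so they slot into whatever alerting pipeline you already run.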


Technical Details

Author
AlienVault
Tlp
white
References
["https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication"]
Adversary
Amatera Stealer
Pulse Id
6852f50d17176b71367652f8
Threat Score
null

Indicators of Compromise

Hash

Type  Value
hash  1b4a67d5fc078f87ab5574c970c297f4 (MD5)
hash  da9825ec812af43e4177c25b0fc98917a1e5fd99 (SHA-1)
hash  055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b (SHA-256)
hash  120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 (SHA-256)
hash  2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 (SHA-256)
hash  35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af (SHA-256)
hash  7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea (SHA-256)
hash  ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 (SHA-256)

Domain

Type    Value
domain  amaprox.icu
domain  badnesspandemic.shop
domain  overplanteasiest.top
domain  b1.talismanoverblown.com
domain  cv.cbrw.ru
domain  tt.cbrw.ru

Threat ID: 685317a933c7acc046074fbc

Added to database: 6/18/2025, 7:46:49 PM

Last enriched: 6/18/2025, 8:01:47 PM

Last updated: 8/14/2025, 7:52:06 AM

Views: 54
