Amatera Stealer is a sophisticated information-stealing malware identified as a rebranded and enhanced version of the previously known ACR Stealer. It is distributed primarily through ClearFake website injections, which are malicious code injections into legitimate websites to silently deliver the malware to victims. The malware employs advanced evasion techniques including the use of NTSockets for stealthy command and control (C2) communication, which helps it avoid detection by traditional network monitoring tools. Additionally, it leverages WoW64 syscalls to bypass user-mode hooking, a common technique used by security software to intercept and block malicious API calls. Amatera Stealer supports HTTPS requests, further obfuscating its network traffic and making detection more challenging. The primary objective of Amatera Stealer is to exfiltrate sensitive information from infected systems. It targets web browsers to steal stored credentials, cookies, and browsing data, as well as cryptocurrency wallets, which are high-value targets due to the direct financial impact. It also targets various software applications to broaden its data collection scope. The malware has the capability to execute secondary payloads, allowing attackers to deploy additional malicious tools or ransomware after initial infection. Amatera Stealer is actively developed and marketed as malware-as-a-service (MaaS), with subscription pricing tiers ranging from $199 to $1,499, indicating a commercial and scalable threat model. Technical indicators include multiple file hashes and domains associated with the malware’s infrastructure, such as "amaprox.icu" and "badnesspandemic.shop". The malware’s tactics align with several MITRE ATT&CK techniques, including credential dumping (T1056.001), web injects (T1573.001), process injection (T1055), and stealthy communication (T1102), among others. Despite its sophistication, there are no known exploits in the wild targeting specific vulnerabilities, suggesting infection relies on social engineering or exploitation of web injects to deliver the payload. Overall, Amatera Stealer represents a medium-severity threat due to its targeted data theft capabilities, evasion sophistication, and active commercial distribution, posing a significant risk to individuals and organizations handling sensitive credentials and cryptocurrency assets.

For European organizations, Amatera Stealer poses a considerable risk primarily through the theft of credentials and sensitive data from browsers and cryptocurrency wallets. This can lead to unauthorized access to corporate accounts, financial theft, and potential lateral movement within networks if stolen credentials are reused. The malware’s ability to execute secondary payloads increases the risk of follow-on attacks such as ransomware or espionage. Given the widespread use of browsers and crypto wallets in Europe, especially in financial, technology, and governmental sectors, the impact could include financial losses, reputational damage, and regulatory penalties under GDPR for data breaches. The stealthy communication and evasion techniques make detection and response more difficult, potentially allowing prolonged unauthorized access. The MaaS model lowers the barrier for less skilled attackers to deploy this malware, increasing the likelihood of widespread infections. European organizations with remote or hybrid work environments may be particularly vulnerable due to increased exposure to web-based attack vectors. Additionally, the targeting of crypto wallets is relevant given the growing adoption of cryptocurrencies in Europe, including in countries like Germany, the Netherlands, and Switzerland.

1. Implement advanced endpoint detection and response (EDR) solutions capable of detecting WoW64 syscall anomalies and unusual process injection behaviors. 2. Monitor network traffic for suspicious use of non-standard socket communications such as NTSockets, and enforce strict egress filtering to block unauthorized outbound connections, especially to known malicious domains like those identified (e.g., "amaprox.icu"). 3. Harden browsers by disabling or restricting the use of stored credentials and cookies where possible, and enforce multi-factor authentication (MFA) to reduce the impact of stolen credentials. 4. Educate users about the risks of phishing and web injects, emphasizing safe browsing practices and the dangers of interacting with suspicious websites. 5. Regularly audit and monitor cryptocurrency wallet usage and implement hardware wallets or cold storage solutions to protect high-value assets. 6. Employ application allowlisting to prevent execution of unauthorized secondary payloads. 7. Keep all software and security tools updated to detect emerging variants and employ threat intelligence feeds to block known indicators of compromise (IOCs) such as hashes and domains associated with Amatera Stealer. 8. Conduct regular incident response drills focusing on detection and containment of information stealers to improve organizational readiness.