Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64 Syscalls to bypass user-mode hooking, and supports HTTPS requests. It focuses on stealing information from browsers, crypto wallets, and various software. The malware can also execute secondary payloads. Amatera Stealer is actively developed and sold as a malware-as-a-service, with subscription plans ranging from $199 to $1,499.
AI Analysis
Technical Summary
Amatera Stealer is a sophisticated information-stealing malware identified as a rebranded and enhanced version of the previously known ACR Stealer. It is distributed primarily through ClearFake website injections, which are malicious code injections into legitimate websites to silently deliver the malware to victims. The malware employs advanced evasion techniques including the use of NTSockets for stealthy command and control (C2) communication, which helps it avoid detection by traditional network monitoring tools. Additionally, it leverages WoW64 syscalls to bypass user-mode hooking, a common technique used by security software to intercept and block malicious API calls. Amatera Stealer supports HTTPS requests, further obfuscating its network traffic and making detection more challenging. The primary objective of Amatera Stealer is to exfiltrate sensitive information from infected systems. It targets web browsers to steal stored credentials, cookies, and browsing data, as well as cryptocurrency wallets, which are high-value targets due to the direct financial impact. It also targets various software applications to broaden its data collection scope. The malware has the capability to execute secondary payloads, allowing attackers to deploy additional malicious tools or ransomware after initial infection. Amatera Stealer is actively developed and marketed as malware-as-a-service (MaaS), with subscription pricing tiers ranging from $199 to $1,499, indicating a commercial and scalable threat model. Technical indicators include multiple file hashes and domains associated with the malware’s infrastructure, such as "amaprox.icu" and "badnesspandemic.shop". The malware’s tactics align with several MITRE ATT&CK techniques, including credential dumping (T1056.001), web injects (T1573.001), process injection (T1055), and stealthy communication (T1102), among others. 
Despite its sophistication, there are no known exploits in the wild targeting specific vulnerabilities, suggesting infection relies on social engineering or exploitation of web injects to deliver the payload. Overall, Amatera Stealer represents a medium-severity threat due to its targeted data theft capabilities, evasion sophistication, and active commercial distribution, posing a significant risk to individuals and organizations handling sensitive credentials and cryptocurrency assets.
Potential Impact
For European organizations, Amatera Stealer poses a considerable risk primarily through the theft of credentials and sensitive data from browsers and cryptocurrency wallets. This can lead to unauthorized access to corporate accounts, financial theft, and potential lateral movement within networks if stolen credentials are reused. The malware’s ability to execute secondary payloads increases the risk of follow-on attacks such as ransomware or espionage. Given the widespread use of browsers and crypto wallets in Europe, especially in financial, technology, and governmental sectors, the impact could include financial losses, reputational damage, and regulatory penalties under GDPR for data breaches. The stealthy communication and evasion techniques make detection and response more difficult, potentially allowing prolonged unauthorized access. The MaaS model lowers the barrier for less skilled attackers to deploy this malware, increasing the likelihood of widespread infections. European organizations with remote or hybrid work environments may be particularly vulnerable due to increased exposure to web-based attack vectors. Additionally, the targeting of crypto wallets is relevant given the growing adoption of cryptocurrencies in Europe, including in countries like Germany, the Netherlands, and Switzerland.
Mitigation Recommendations
1. Implement advanced endpoint detection and response (EDR) solutions capable of detecting WoW64 syscall anomalies and unusual process injection behaviors.
2. Monitor network traffic for suspicious use of non-standard socket communications such as NTSockets, and enforce strict egress filtering to block unauthorized outbound connections, especially to known malicious domains like those identified (e.g., "amaprox.icu").
3. Harden browsers by disabling or restricting the use of stored credentials and cookies where possible, and enforce multi-factor authentication (MFA) to reduce the impact of stolen credentials.
4. Educate users about the risks of phishing and web injects, emphasizing safe browsing practices and the dangers of interacting with suspicious websites.
5. Regularly audit and monitor cryptocurrency wallet usage and implement hardware wallets or cold storage solutions to protect high-value assets.
6. Employ application allowlisting to prevent execution of unauthorized secondary payloads.
7. Keep all software and security tools updated to detect emerging variants and employ threat intelligence feeds to block known indicators of compromise (IOCs) such as hashes and domains associated with Amatera Stealer.
8. Conduct regular incident response drills focusing on detection and containment of information stealers to improve organizational readiness.
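Recommendations 2 and 7 come down to matching egress logs and file-hash inventories against the published indicators. The script below is an added example, not code from the page, from Proofpoint, AlienVault or OffSeq: it loads the domains and hashes from this page's indicator list and sweeps them over constructed proxy-log lines and a constructed hash inventory. The log format (timestamp, source IP, method, target) and the "path,hash" inventory format are assumptions chosen for the example; the matcher treats any host at or beneath an indicator domain as a hit, and compares hashes case-insensitively so MD5, SHA-1 and SHA-256 entries are all covered.

```python
"""Added example (not part of the OffSeq/AlienVault page): match egress-log
hosts and file hashes against the Amatera Stealer IOCs listed on the page."""
import re
from typing import Dict, Iterable, List, Optional

# Domains and hashes copied verbatim from the page's indicator list.
IOC_DOMAINS = {
    "amaprox.icu",
    "badnesspandemic.shop",
    "overplanteasiest.top",
    "b1.talismanoverblown.com",
    "cv.cbrw.ru",
    "tt.cbrw.ru",
}
IOC_HASHES = {
    "1b4a67d5fc078f87ab5574c970c297f4",
    "da9825ec812af43e4177c25b0fc98917a1e5fd99",
    "055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b",
    "120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2",
    "2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991",
    "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af",
    "7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea",
    "ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55",
}

# Assumed proxy-log layout: "<timestamp> <source-ip> <METHOD> <target>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)")


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or sits beneath, else None.

    "cdn.b1.talismanoverblown.com" matches "b1.talismanoverblown.com";
    the parent "cbrw.ru" does not match "cv.cbrw.ru" (only listed labels hit).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def extract_host(target: str) -> str:
    """Reduce a URL or host:port target to a bare hostname."""
    bare = re.sub(r"^[a-z][a-z0-9+.-]*://", "", target, flags=re.IGNORECASE)
    bare = bare.split("/", 1)[0]
    return re.sub(r":\d+$", "", bare)


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose destination is an IOC domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        host = extract_host(m["target"])
        ioc = domain_matches(host)
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host, "ioc": ioc})
    return hits


def scan_hash_inventory(entries: Iterable[str]) -> List[Dict[str, str]]:
    """Return hits for "path,hash" inventory entries whose hash is an IOC."""
    hits = []
    for entry in entries:
        path, digest = entry.rsplit(",", 1)
        digest = digest.strip().lower()
        if digest in IOC_HASHES:
            hits.append({"path": path, "hash": digest})
    return hits


# Constructed sample data for the example; not real telemetry.
SAMPLE_PROXY_LOG = [
    "2025-06-18T19:46:49Z 10.0.0.5 CONNECT amaprox.icu:443",
    "2025-06-18T19:47:01Z 10.0.0.5 GET http://www.example.com/index.html",
    "2025-06-18T19:47:12Z 10.0.0.9 GET https://cdn.b1.talismanoverblown.com/x.bin",
    "2025-06-18T19:47:30Z 10.0.0.7 CONNECT cbrw.ru:443",
    "this line does not follow the assumed layout",
]
SAMPLE_INVENTORY = [
    r"C:\Users\a\Downloads\setup.exe,055A883F18FFCC413973FA45383E72E998AAE87909AF5F9507B6384BFEC34A5B",
    r"C:\Windows\notepad.exe,0000000000000000000000000000000000000000000000000000000000000000",
    r"C:\Users\a\AppData\Local\Temp\x.dll,1b4a67d5fc078f87ab5574c970c297f4",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("egress hit:", hit)
    for hit in scan_hash_inventory(SAMPLE_INVENTORY):
        print("hash hit:", hit)
```

Run against the constructed samples it reports two egress hits (the direct CONNECT to amaprox.icu and the fetch from a host beneath b1.talismanoverblown.com) and two hash hits; the CONNECT to cbrw.ru is deliberately not flagged, because the page lists only specific subdomains of it.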
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Italy, Spain
Indicators of Compromise
- hash: 1b4a67d5fc078f87ab5574c970c297f4
- hash: da9825ec812af43e4177c25b0fc98917a1e5fd99
- hash: 055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b
- hash: 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2
- hash: 2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991
- hash: 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af
- hash: 7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea
- hash: ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55
- domain: amaprox.icu
- domain: badnesspandemic.shop
- domain: overplanteasiest.top
- domain: b1.talismanoverblown.com
- domain: cv.cbrw.ru
- domain: tt.cbrw.ru
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
- Adversary: Amatera Stealer
- Pulse Id: 6852f50d17176b71367652f8
- Threat Score: null
Indicators of Compromise
Hash
Value | Description
---|---
1b4a67d5fc078f87ab5574c970c297f4 | —
da9825ec812af43e4177c25b0fc98917a1e5fd99 | —
055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b | —
120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 | —
2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 | —
35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af | —
7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea | —
ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 | —
Domain
Value | Description
---|---
amaprox.icu | —
badnesspandemic.shop | —
overplanteasiest.top | —
b1.talismanoverblown.com | —
cv.cbrw.ru | —
tt.cbrw.ru | —
Threat ID: 685317a933c7acc046074fbc
Added to database: 6/18/2025, 7:46:49 PM
Last enriched: 6/18/2025, 8:01:47 PM
Last updated: 8/14/2025, 3:25:00 PM
Views: 55