Attack Flow Steps:
- Attackers initially compromise victims through social engineering via the ClickFix initial access vector, which is used to deploy both Amatera Stealer and NetSupport RAT.
- Victims are compelled to execute malicious commands in the Windows Run prompt.
- Multi-stage PowerShell commands are executed to deliver the malware payloads.
- The PowerShell stages use obfuscation and XOR decryption keyed against the AMSI_RESULT_NOT_DETECTED string.
- The PowerShell code disables AMSI by overwriting the AmsiScanBuffer string in clr.dll memory with null bytes.
- The next stage is packed with Agile.net; it downloads an encrypted payload from MediaFire and decrypts it with the RC2 algorithm.
- Pure Crypter is the packer used to protect the Amatera Stealer payload; it performs process injection via the SetThreadContext API.
- Amatera Stealer is a rebranded ACR Stealer: a C++ information stealer with extensive exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services.
- It harvests saved passwords, credit cards, and history from 149+ browsers, including Chrome, Edge, Firefox, Opera, and Brave.
- It harvests data from 149+ browser-based crypto-currency wallets and 43+ password managers.
- It uses WoW64 syscalls via function stubs to evade sandboxes, AV, and EDR.
- It circumvents Google Chrome and Microsoft Edge App-Bound Encryption via suspended process creation, injection, and COM method calls.
- It harvests data from FTP clients, email clients, VPNs, password managers, and desktop crypto-wallets.
- It communicates with its C2 over TLS, using Windows APIs for encryption and decryption; the Amatera C2 server is hosted at AS 24940 Hetzner Online GmbH.
- It uses HTTP POST requests with JSON-encoded data to communicate with the C2.
- Harvested data is collected into a zip archive and sent to the C2 via HTTP POST.

- A C2 server at AS 215540 Global Connectivity Solutions Llp hosts the PowerShell payload for NetSupport RAT delivery.
- PowerShell is executed to download and invoke the NetSupport RAT payload from the remote server.
- The PowerShell checks whether the victim machine is part of a domain or has files of potential value, such as crypto wallets.
- NetSupport Manager is a legitimate Remote Monitoring and Management tool abused by threat actors for unauthorized remote access.
- The PowerShell downloads a JPG file containing an encrypted NetSupport RAT zip archive.
- The JPG file is decrypted and unzipped to extract the NetSupport client.
- The NetSupport C2 server is configured in client32.ini and is hosted at AS 207461 Hosting Industry Limited.
- NetSupport Manager is then used for full remote access to victim computers.
MITRE ATT&CK Techniques:
- T1566 (Phishing)
- T1204 (User Execution)
- T1059.001 (Command and Scripting Interpreter: PowerShell)
- T1027 (Obfuscated Files or Information)
- T1562.001 (Impair Defenses: Disable or Modify Tools)
- T1105 (Ingress Tool Transfer)
- T1140 (Deobfuscate/Decode Files or Information)
- T1055 (Process Injection)
- T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)
- T1552.001 (Unsecured Credentials: Credentials In Files)
- T1497 (Virtualization/Sandbox Evasion)
- T1553.004 (Subvert Trust Controls: Install Root Certificate)
- T1005 (Data from Local System)
- T1573 (Encrypted Channel)
- T1071.001 (Application Layer Protocol: Web Protocols)
- T1041 (Exfiltration Over C2 Channel)
- T1560.001 (Archive Collected Data: Archive via Utility)
- T1082 (System Information Discovery)
- T1219 (Remote Access Software)