Novel Fake CAPTCHA Chain Delivering Amatera Stealer
Extreme TLDR: Blackpoint SOC reports a Fake CAPTCHA campaign delivering Amatera Stealer via a signed Microsoft script, leveraging legitimate Windows components to evade detection. Key tactics include user behavior validation, live configuration from Google Calendar, and PNG steganography for payload delivery. The attack chain is designed to progress only when specific conditions are met, making it hard for detection systems to identify.
Key Findings:
– Uses Fake CAPTCHA and a LO-LBIN script.
– Validates user interactions and clipboard contents.
– Pulls configurations from a Google Calendar.
– Utilizes PNG images for encrypted payload delivery.
– Executes final payload—Amatera Stealer—using complex, layered encryption and evasive networking techniques.
Recommendations: Restrict access to the Run dialog, remove unnecessary App-V components, educate users about lures, enable PowerShell logging, and monitor for suspicious execution patterns.
https://blackpointcyber.com/blog/novel-fake-captcha-chain-delivering-amatera-stealer/



