Read the full Story:
New Fake CAPTCHA Scam Abuses Microsoft Tools to Install Amatera Stealer
Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread
hackread.com
New Fake CAPTCHA Scam Abuses Microsoft Tools to Install Amatera Stealer
- Thread starter Brownie2019
- Start date
hackread.com
Could this saftey check be reversely engineered to abort the execution of the second stage (PS command)?
Any method to hide the "specific marker to prove a human actually pasted the command"?
Last edited:
The attack chain is a multi-stage process designed for maximum stealth and evasion of automated sandboxes.
Initial Access (Social Engineering)
Users encounter a fake "I am not a robot" check on a compromised or malicious website. Instead of a standard click, they are instructed to press Windows Key + R, paste a malicious command from their clipboard, and hit Enter.
Living off the Land (LOLBins)
The pasted command executes a legitimate, signed Windows script:
SyncAppvPublishingServer.vbs. This tool is part of the Microsoft Application Virtualization (App-V) suite. Because the script is a trusted part of the OS, it often bypasses standard antivirus and EDR solutions.
Stealth & Persistence
Public Infrastructure Abuse
The malware retrieves its next-stage instructions from a public Google Calendar (.ics) file, making the C2 traffic appear as normal encrypted web traffic.
Steganography
Malicious code is hidden within the pixel data of seemingly harmless PNG images hosted on public sites like Imgur.
Anti-Analysis
The script checks the clipboard for a specific human-generated marker and verifies if it is being run in a sandbox. If it detects analysis or incorrect input, it enters an infinite wait state. It uses the decryption key AMSI_RESULT_NOT_DETECTED to further deceive security software.
Payload (Amatera Stealer)
The final goal is the installation of Amatera Stealer, designed to exfiltrate saved browser passwords, credit card information, and other sensitive data.
Educate users that no legitimate CAPTCHA or website will ever ask them to use the Windows + R shortcut or paste commands into the Windows Run box.
Hardening LOLBins
If App-V is not required in your environment, consider restricting or disabling the execution of SyncAppvPublishingServer.vbs via AppLocker, Windows Defender Application Control (WDAC), or GPO.
Network Monitoring
Monitor for anomalous outbound connections to public cloud providers (Google, Imgur) from administrative processes like WScript.exe or CScript.exe.
Credential Management
Implement Multi-Factor Authentication (MFA) across all services to mitigate the impact of stolen passwords if an infection occurs.
(System Binary Proxy Execution: Mshta/VBScript)
MITRE ATT&CK: T1027.003
(Steganography)
NIST SP 800-53: SI-4
(Information System Monitoring)
Initial Access (Social Engineering)
Users encounter a fake "I am not a robot" check on a compromised or malicious website. Instead of a standard click, they are instructed to press Windows Key + R, paste a malicious command from their clipboard, and hit Enter.
Living off the Land (LOLBins)
The pasted command executes a legitimate, signed Windows script:
SyncAppvPublishingServer.vbs. This tool is part of the Microsoft Application Virtualization (App-V) suite. Because the script is a trusted part of the OS, it often bypasses standard antivirus and EDR solutions.
Stealth & Persistence
Public Infrastructure Abuse
The malware retrieves its next-stage instructions from a public Google Calendar (.ics) file, making the C2 traffic appear as normal encrypted web traffic.
Steganography
Malicious code is hidden within the pixel data of seemingly harmless PNG images hosted on public sites like Imgur.
Anti-Analysis
The script checks the clipboard for a specific human-generated marker and verifies if it is being run in a sandbox. If it detects analysis or incorrect input, it enters an infinite wait state. It uses the decryption key AMSI_RESULT_NOT_DETECTED to further deceive security software.
Payload (Amatera Stealer)
The final goal is the installation of Amatera Stealer, designed to exfiltrate saved browser passwords, credit card information, and other sensitive data.
Recommendation / Remediation
User Awareness (Critical)Educate users that no legitimate CAPTCHA or website will ever ask them to use the Windows + R shortcut or paste commands into the Windows Run box.
Hardening LOLBins
If App-V is not required in your environment, consider restricting or disabling the execution of SyncAppvPublishingServer.vbs via AppLocker, Windows Defender Application Control (WDAC), or GPO.
Network Monitoring
Monitor for anomalous outbound connections to public cloud providers (Google, Imgur) from administrative processes like WScript.exe or CScript.exe.
Credential Management
Implement Multi-Factor Authentication (MFA) across all services to mitigate the impact of stolen passwords if an infection occurs.
References
MITRE ATT&CK: T1218.011(System Binary Proxy Execution: Mshta/VBScript)
MITRE ATT&CK: T1027.003
(Steganography)
NIST SP 800-53: SI-4
(Information System Monitoring)
Last edited:
The "safety check" used in this campaign is a form of environmental keying. It requires a specific string literal to exist in the system clipboard to decrypt or trigger the next stage (the PowerShell command). Technically, an automated defensive routine can "abort" the execution by clearing or spoofing the clipboard, while "hiding" the marker is a technique used by attackers to make the command appear less suspicious to the user.
To programmatically force the malware to abort, you can implement a "Clipboard Sanitizer" script or GPO. If the system detects a launch of WScript.exe or PowerShell.exe with arguments containing SyncAppvPublishingServer, a defensive tool can immediately flush the clipboard.
Powershell
Code:
# Monitor for suspicious process and clear clipboard to break the "Human Check"
while($true) {
if (Get-Process | Where-Object {$_.CommandLine -like "*SyncAppvPublishingServer*"}) {
Set-Clipboard -Value $null
Write-Host "Suspicious process detected: Clipboard cleared to abort second stage."
}
Start-Sleep -Seconds 1
}Identifying the Marker
If you are performing forensic analysis on a captured command.Paste the captured command into a disposable Text Editor (Notepad++), not a shell.
Look for the Get-Clipboard or System.Windows.Forms.Clipboard calls.
The string literal compared against those calls is your "Marker."
Proactive Prevention (NIST/SANS Best Practices)
NIST SP 800-53 (AC-6)Follow the Principle of Least Privilege. Users should not have the permissions required for the App-V scripts to fetch external payloads.
Attack Surface Reduction (ASR)
Enable the rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" and "Block process creations originating from PSExec and WMI commands" to stop the theft even if the "human check" passes.
Last edited:
I would have liked to analyze this fake CAPTCHA.
Real CAPTCHAs are 3p-frames.
They are usually blocked by adblocks in Enhanced Easy mode.
You don't see the destination website before clicking on geometric shapes or fire hydrants...
I bet it appeared as a pop-up.
Another clue that should raise suspicion.
I never faced fake CAPTCHA before; I do not know if it is the adblocker or my selectivity of websites to visit.
Same here. The only ones I've experienced, have been shown, posted on this forum
I believe adblocker is as useful as AV.
Your observation is correct, standard CAPTCHAs (like reCAPTCHA or hCaptcha) are delivered via third-party frames (iframes) that require browser-based interaction (clicking hydrants/shapes) within a secure sandbox. The Amatera campaign replaces this technical check with a visual overlay that instructs the user to take actions outside the browser, specifically, using the Windows Run box, which is a definitive indicator of a scam.
Blocking "frames" alone will not stop this attack. Unlike legitimate CAPTCHAs that use third-party iframes, this scam uses on-page overlays and JavaScript to hijack your clipboard. While an ad blocker can block the malicious scripts that generate the fake CAPTCHA, it does not stop the attack if the malicious code is already integrated into the compromised website's primary code.
I wrote that even an average user should be suspicious of how this fake CAPTCHA appears on screen.
P.S.
Forgive me, I hadn't read your conclusion carefully.
My answer is: it depends.
My adblock would also block the website if it were outside my 9 TLDs, and the DNS would probably also block it if it were outside certain geographical regions.
Last edited:
If you know the characteristics of legitimate CAPTCHAs,
you have nothing to fear from fake CAPTCHAs.
Actually I do not; I install uBO and it takes care of the rest.
It is highly unlikely that an average user would notice these technical discrepancies, as the attack is specifically designed to exploit behavioral habits rather than technical curiosity. While a sophisticated user or security researcher might recognize the absence of a standard third-party frame (like reCAPTCHA or hCaptcha), the average user is more likely to be swayed by the visual urgency of the fake verification.I wrote that even an average user should be suspicious of how this fake CAPTCHA appears on screen.
While I touched on this in my first post, it bears repeating that...
User Awareness (Critical)
Educate users that no legitimate CAPTCHA or website will ever ask them to use the Windows + R shortcut or paste commands into the Windows Run box.
Manually whitelisting TLDs or configuring Geo-blocking is not practical for the average user. These methods are "High-Effort/High-Reward" strategies suitable for sysadmins and power users, but they create a high risk of "breaking the internet" for a standard user who just wants to browse without troubleshooting why a specific .io or .me site won't load.
Blocking 1p-scripts outside my 9 TLDs would have stopped the fake CATCHA.
If the conditions I have already described had occurred, this would have been the main factor in blocking the threat.
I recognize that this is not easily manageable by the average user.
That isn't true. I asked Gemini to create a list of the most abused TLDs recently and just disable those in NextDNS. AI can now help you emulate any high security strategies and hold your hand if you just want it.
Attachments
That's what I like about you, you do and have acknowledged in other posts that, "this may be beyond the average user", or, "easily manageable by the average user" and you get that
Last edited:
I believe you meant to say Cargo Cult Security" (or Cargo Culting). It describes the practice of applying technical configurations or security "rituals", such as those generated by an AI or copied from a forum, without understanding the underlying mechanisms. This creates a dangerous illusion of safety while potentially introducing new vulnerabilities or system instabilities that the user is unqualified to fix.
This is a a critical psychological vulnerability, no tool, not even AI, is a substitute for technical literacy. Thus it stands to reason what I stated is True for an average user.
@Divergent I've kind of gotten that feeling from Gemini when reviewing some of my PC security apps and browser configurations, of what I'm using and the proper settings.
A sense of "false peace" even though I have confirmed and questioned (verified) its replies. I mean it's helpful to be sure, but it can ....
A sense of "false peace" even though I have confirmed and questioned (verified) its replies. I mean it's helpful to be sure, but it can ....
This will sound familiar I'm sure.
NIST SP 800-114
Emphasizes that "Security is a process, not a product." If your "peace" comes from a single tool's report rather than an ongoing understanding of your risks, that peace is likely false.
You may also like...
-
Infostealers without borders: macOS, Python stealers, and platform abuse (A report by Microsoft)- Started by Khushal
- Replies: 1
-
Phishing Pages for Zoom and Google Meet Install Monitoring Tool- Started by Brownie2019
- Replies: 1
-
New PayPal Scam Sends Verified Invoices With Fake Support Numbers
- Started by Brownie2019
- Replies: 2
-
Hackers Launch Over 91,000 Attacks on AI Systems Using Fake Ollama Servers
- Started by Brownie2019
- Replies: 2
-
Phishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic- Started by Parkinsond
- Replies: 1