ClickFix Campaign Exploits Windows App-V to Deploy Amatera Infostealer

ClickFix Attack Chain Leverages Windows App-V to Deliver Amatera Infostealer

Security researchers have uncovered a new malicious campaign that combines the ClickFix technique with fake CAPTCHA prompts and a signed Microsoft Application Virtualization (App-V) script to deploy the Amatera infostealer on Windows systems. The attack highlights evolving tactics to bypass security controls and evade detection.

Attack Overview and Technical Details

The campaign begins with users encountering malicious websites or malvertising that triggers a fake CAPTCHA verification prompt. When victims interact with the CAPTCHA, the attack chain initiates, leveraging ClickFix—a method that abuses HTML injection to manipulate user clicks and execute malicious scripts.

The threat actors exploit Microsoft App-V, a legitimate application virtualization technology, by using a signed App-V script to execute arbitrary commands. This technique allows the attackers to bypass security restrictions, as App-V scripts are inherently trusted by Windows systems. The final payload, Amatera, is an infostealer designed to exfiltrate sensitive data, including credentials, browser cookies, and cryptocurrency wallet information.

Key technical components of the attack include:

• Fake CAPTCHA prompts to trick users into initiating the attack.
• ClickFix HTML injection to manipulate user interactions.
• Signed App-V scripts to execute malicious commands with elevated trust.
• Amatera infostealer for data exfiltration and persistence.

Impact and Risk Assessment

The Amatera infostealer poses significant risks to both individuals and organizations. Once deployed, the malware can:

• Harvest login credentials, browser cookies, and autofill data.
• Steal cryptocurrency wallet information and other financial details.
• Establish persistence on infected systems, enabling long-term data theft.

The use of signed App-V scripts complicates detection, as these scripts are typically whitelisted by security solutions. This campaign underscores the need for robust monitoring of application virtualization tools and user-initiated script executions.

Mitigation and Recommendations

Security teams should implement the following measures to mitigate risks associated with this campaign:

1. Monitor and Restrict App-V Script Execution

   • Audit and restrict the execution of signed App-V scripts to trusted sources only.
   • Implement application whitelisting to prevent unauthorized script execution.

2. Enhance User Awareness

   • Train employees to recognize fake CAPTCHA prompts and suspicious web interactions.
   • Encourage reporting of unusual pop-ups or verification requests.

3. Deploy Advanced Threat Detection

   • Utilize endpoint detection and response (EDR) solutions to monitor for anomalous script execution.
   • Implement behavioral analysis to detect infostealer activity, such as unauthorized data exfiltration.

4. Update and Patch Systems

   • Ensure all Windows systems and virtualization tools are updated with the latest security patches.
   • Disable or restrict App-V if not required for business operations.

5. Network-Level Protections

   • Block known malicious domains associated with Amatera and similar infostealers.
   • Deploy web filtering to prevent access to malvertising and phishing sites.

Conclusion

This campaign demonstrates the sophistication of modern cyber threats, combining social engineering, legitimate tool abuse, and malware deployment in a single attack chain. Organizations must adopt a multi-layered security approach to detect and mitigate such threats effectively. Vigilance, user education, and proactive monitoring are critical to defending against these evolving tactics.