Attackers use Windows App-V scripts to slip infostealer past enterprise defenses
A malware delivery campaign detailed by Blackpoint researchers employs an impressive array of tricks to deliver an infostealer to employees without triggering enterprise defenses or close examination by security researchers.
The attackers aim to get the Amatera Stealer installed on target Windows computers by using fake human verification pages – i.e., CAPTCHA pages – to trick users into manually pasting and executing a command via the Run dialog.
And here is where things get interesting. Usually, the command in question is executed in PowerShell, but in this campaign attackers don’t invoke it directly.
“The supplied command instead abuses SyncAppvPublishingServer.vbs, a signed Microsoft script associated with Application Virtualization (App-V),” the researchers explained.
“Under normal conditions, this script is used to publish and manage virtualized enterprise applications. In this campaign, it serves as a [Living Off the Land Binary], allowing the attacker to proxy PowerShell execution through a trusted Microsoft component.”
The infection chain uses wscript.exe, a Windows scripting host, to run the App-V publishing script, but it can only work on systems where App-V is present and enabled: machines running modern Windows Server and Windows 10 and 11 Enterprise and Education editions, i.e., higher-value organizational (corporate) systems. If the target is a personal computer running a Home or Pro installation, the infection process will fail.
It will also fail if it detects that the command is not executed manually (as opposed to “detonated” in a sandbox).
On the “right” target system, the infection chain will continue, and the in-memory executed loader script will pull data from a public Google Calendar (.ics) file that will help it retrieve additional loader stages.
In the next stage, a PNG image file that holds an encrypted and compressed PowerShell payload is retrieved and processed (also in memory), and it sets the stage for the retrieval and final in-memory execution of a Windows PE payload identified as Amatera Stealer.
Things to look out for
“What makes this campaign worth paying attention to isn’t the payload itself, but how deliberately it avoids drawing attention along the way,” the researchers noted.
“By chaining together signed Microsoft components, execution gates based on user behavior, third-party services, and fully in-memory stages, the actor is optimizing for reliability. This is the kind of activity that can slip past environments built to detect obvious malware, quietly succeed without triggering alarms, and only surface once the damage is already done.”
Aside from educating employees to recognize fake CAPTCHAs and restricting access to the Windows Run dialog, the researchers advise organizations to enable comprehensive PowerShell logging, monitor for suspicious execution patterns, and remove App-V components where they are not required (or, where they are, make sure that PowerShell execution originating from App-V scripts triggers alerts).
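One way to turn that last recommendation into a concrete check, as an added example that is not from the Blackpoint report or this article: a Python rule run over constructed Sysmon-style process-creation records (the field names and the script's on-disk path are assumptions) that flags the App-V publishing script being launched by a script host and any PowerShell process spawned beneath it.

```python
import re

# Matches the signed App-V script named in the article, wherever it sits on disk.
APPV_SCRIPT = re.compile(r"SyncAppvPublishingServer\.vbs", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_appv_proxy(events):
    """Return (rule, pid, command_line) tuples for events that fit the chain in
    the article: a script host running the App-V publishing script, and
    PowerShell whose parent is that script host. The rule is stateless (it uses
    ParentImage/ParentCommandLine, not event ordering). Legitimate App-V
    publishing also spawns PowerShell this way; where App-V is not in use, as
    the article recommends, any hit is worth investigating."""
    findings = []
    for e in events:
        image = _basename(e["Image"])
        cmd = e.get("CommandLine", "")
        parent = _basename(e.get("ParentImage", ""))
        if image in SCRIPT_HOSTS and APPV_SCRIPT.search(cmd):
            # A parent of explorer.exe is what a Run-dialog paste looks like.
            rule = "appv_script_from_shell" if parent == "explorer.exe" else "appv_script_invoked"
            findings.append((rule, e["ProcessId"], cmd))
        elif image in POWERSHELL and parent in SCRIPT_HOSTS \
                and APPV_SCRIPT.search(e.get("ParentCommandLine", "")):
            findings.append(("powershell_via_appv_script", e["ProcessId"], cmd))
    return findings


# Constructed sample events (not real telemetry); field names follow Sysmon
# Event ID 1, and the argument passed to the .vbs is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<placeholder>"',
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4108, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <placeholder>",
     "ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<placeholder>"'},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "ParentProcessId": 5100, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe /c run-inventory.cmd"},
]

if __name__ == "__main__":
    for rule, pid, cmd in detect_appv_proxy(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} cmd={cmd}")
```

The benign third record (PowerShell launched from cmd.exe) produces no finding, which is the point of keying on the App-V script in the parent command line rather than on PowerShell alone.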
