EXECUTIVE SUMMARY
The EVALUSION Campaign shows how attackers continue to use simple tricks to start strong infection chains without relying on complex methods. The campaign begins with social-engineering steps that guide victims into running commands through the Windows Run prompt, which starts the first stage of the attack. These actions lead to the delivery of Amatera Stealer and NetSupport RAT, two tools used to steal data and gain remote access. Amatera Stealer is the main tool in this campaign and is built to steal saved passwords, crypto-wallet details, browser data, and data from many common apps. Because the original code for this stealer was released earlier, multiple groups can now copy and reuse it in new attacks. NetSupport RAT acts as the remote-control tool, giving attackers complete access once the stealer finishes collecting data.
The EVALUSION Campaign uses several hidden PowerShell stages to launch Amatera Stealer and prepare the system for NetSupport RAT. Early stages use decoding steps that unlock the next script and in-memory changes that turn off basic Windows checks. One step removes a key scanning function in Windows, making the next stages harder to detect. After that, a .NET downloader brings in an encrypted file that is later unpacked into the main Amatera Stealer payload. This process runs mostly in memory, helping it evade common endpoint checks. Amatera Stealer then collects data from browsers, apps, wallets, and saved passwords. It also uses methods that skip user-mode checks, making it harder for basic security tools to see what it is doing. Communication with the command server uses simple JSON messages wrapped in encrypted traffic, which blends in with normal activity. Once Amatera finishes, the campaign uses the stealer's loader feature to deliver NetSupport RAT. This RAT gives full remote access and lets attackers move around the system without raising attention. The attack chain is simple at the start but becomes more layered as it continues.
The EVALUSION Campaign highlights how attackers mix social-engineering steps, hidden scripts, and flexible tools to build a steady and long-lasting attack flow. By using simple user actions as the starting point, the campaign avoids the need for advanced exploits. Once the process begins, each stage prepares the next by disabling checks, unpacking files, and keeping most actions in memory. Amatera Stealer handles the main data-theft tasks, while NetSupport RAT provides full remote access, allowing attackers to return whenever they want. Both tools support extra features that expand the attack beyond the initial entry. The campaign repeats patterns seen in earlier activity, showing clear reuse of known methods and shared code. The use of ordinary admin-looking tools like NetSupport RAT helps the attackers blend into normal behavior. Overall, the EVALUSION Campaign shows how simple entry methods, combined with a strong stealer and a remote-access tool, can create an effective attack path that stays hidden and continues to evolve.
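As an added defender-side example (not code from the referenced reports), the following Python triage routine flags the entry pattern described above, PowerShell started from the Run prompt with a hidden window and an encoded command that decodes the next stage, over constructed process-creation events. The event field names, the simplified event format and the placeholder stage-1 script are assumptions.

```python
import base64
import re
# Constructed process-creation events (not real telemetry), shaped like what an
# EDR/Sysmon pipeline emits. The Run-prompt entry shows up as explorer.exe
# spawning powershell.exe; later stages are hidden (-w hidden) and base64 (-enc).
def _enc(ps):  # -EncodedCommand takes base64 of the UTF-16LE script text
    return base64.b64encode(ps.encode("utf-16le")).decode()

STAGE1 = ("$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QUFB'));"
          "Invoke-Expression $s")  # 'QUFB' is a placeholder, not a real payload
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\System32\\cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"parent": "C:\\Windows\\explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell -w hidden -nop -ep bypass -enc {_enc(STAGE1)}"},
    {"parent": "C:\\Windows\\explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
]

# -e/-ec/-enc/-encodedcommand plus a base64 blob; the \b keeps -ep from matching.
ENC_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_FLAG = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")
STAGE_MARKERS = ("FromBase64String", "Invoke-Expression", "iex", "DownloadString")

def decode_encoded_command(cmdline):
    """Recover the script text behind -enc so the next stage can be inspected."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Reasons an event matches the Run prompt -> hidden encoded PowerShell chain."""
    reasons, cmd = [], ev["cmdline"]
    if ev["parent"].lower().endswith("\\explorer.exe") and "powershell" in ev["image"].lower():
        reasons.append("powershell spawned by explorer.exe (Run prompt entry)")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits = [s for s in STAGE_MARKERS if s.lower() in decoded.lower()]
        reasons.append("encoded command, stage markers: " + (", ".join(hits) or "none"))
    return reasons

def is_suspicious(ev):  # explorer.exe parent alone is normal; two+ signals are not
    return len(score_event(ev)) >= 2
```

Only the combination of signals is alerted on, so a user simply opening PowerShell from the Start menu does not fire; the decoded stage text is kept so an analyst can see the nested decode step rather than an opaque blob.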
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1204.002 | User Execution | Malicious File |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1106 | Native API | – |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055.002 | Process Injection | Portable Executable Injection |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1082 | System Information Discovery | – |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1119 | Automated Collection | – |
| Collection | T1114.002 | Email Collection | Local Email Collection |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Command & Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Command & Control | T1071.001 | Web Protocols | HTTP |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1204 | User Execution |
| Defense Evasion | E1027.m03 | Encoding - Custom Algorithm |
| Command and Control | C0002.002 | HTTP Communication (Client) |
| Credential Access | C0051 | Read File |
| Collection | F0002.002 | Keylogging (Polling) |
| Discovery | E1082.m02 | Enumerate Environment Variables |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Lateral Movement | E1105 | Ingress Tool Transfer |
| Anti-Behavioral Analysis | B0007.003 | Human User Check |
REFERENCES:
The following reports contain further
https://securityonline.info/amatera-stealer-campaign-uses-clickfix-to-deploy-malware-bypassing-edr-by-patching-amsi-in-memory/
https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat