New Meta Information Stealer Distributed in Spam Campaign

A malspam campaign has been discovered distributing the new META malware, a new information-stealing malware that seems to be gaining popularity among cybercriminals.

META is one of the new information stealers, along with Mars Stealer and BlackGuard, whose operators want to take advantage of Raccoon Stealer’s exit from the market, which has left many people looking for their next platform.

Bleeping Computer first reported on META last month, when KELA analysts warned of its aggressive entry into the TwoEasy botnet market.

The tool retails for $125 for monthly subscribers or $1,000 for unlimited lifetime use and is billed as an upgraded version of RedLine.

New Meta malspam campaign

A new spam campaign seen by security researcher and ISC manager Brad Duncan is proof that META is being actively used in attacks, deployed to steal passwords stored in Chrome, Edge and Firefox, as well as cryptocurrency wallets.

The chain of infection in the campaign in question follows the “standard” approach of a macro-laced Excel spreadsheet arriving in the inboxes of potential victims as email attachments.

META infection chain in the spotted campaign (isc.sans.edu)

The messages make false remittance claims that aren’t particularly convincing or well-crafted, but can still be effective against a significant percentage of recipients.

Email containing malicious Excel attachment (isc.sans.edu)

The spreadsheet files feature a DocuSign decoy that prompts the target to “enable content” required to run the malicious VBS macro in the background.

The DocuSign lure that tricks users into activating content (isc.sans.edu)

When the malicious script executes, it downloads various payloads, including DLLs and executables, from multiple sites, such as GitHub.

Some of the downloaded files are base64-encoded or byte-reversed to evade detection by security software. For example, below is one of the samples collected by Duncan, which was stored in reversed byte order as originally uploaded.

DLL stored in reverse byte order (isc.sans.edu)
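As an added example (not code from the article or from Duncan's analysis), the following Python triage helper undoes the two obfuscations mentioned above, base64 encoding and byte reversal, and reports which of them applied. The PE-like input is a constructed stand-in with just enough header structure for the check, not one of the campaign's samples.

```python
import base64
import binascii

def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: 'MZ' magic, e_lfanew at 0x3c,
    and a 'PE\\0\\0' signature at the offset it points to. Not a real binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3a)
    header += (0x40).to_bytes(4, "little")   # e_lfanew = 0x40
    header += b"PE\x00\x00" + b"\x00" * 20    # PE signature plus padding
    return bytes(header)

def obfuscate(data: bytes, reverse: bool = False, b64: bool = False) -> bytes:
    """Apply the transformations the article describes, for demonstration:
    byte reversal first, then base64 encoding of the result."""
    if reverse:
        data = data[::-1]
    if b64:
        data = base64.b64encode(data)
    return data

def looks_like_pe(data: bytes) -> bool:
    """True if the blob has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3c:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def normalize_payload(blob: bytes):
    """Return (steps, data): the transformations undone, in order, and the
    recovered bytes. steps is [] for a plain PE and None if nothing worked."""
    steps, data = [], blob
    # Step 1: if the blob is valid base64, decode it (raw PE bytes contain
    # NULs and other non-alphabet bytes, so they fail validation here).
    try:
        data = base64.b64decode(data, validate=True)
        steps.append("base64")
    except (binascii.Error, ValueError):
        pass
    if looks_like_pe(data):
        return steps, data
    # Step 2: a byte-reversed PE ends in "ZM"; reversing restores the header.
    restored = data[::-1]
    if looks_like_pe(restored):
        steps.append("byte-reversed")
        return steps, restored
    return None, blob

if __name__ == "__main__":
    sample = obfuscate(build_fake_pe(), reverse=True, b64=True)
    print(normalize_payload(sample)[0])   # ['base64', 'byte-reversed']
```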

Eventually the final payload is assembled on the machine as “qwveqwveqw.exe”, a name that is probably random, and a new registry key is added for persistence.

New registry key and malicious executable (isc.sans.edu)

A clear and persistent sign of the infection is the EXE file generating traffic to a command and control server at 193.106.191[.]162, which continues even after the system reboots because the persistence entry restarts the infection process on the compromised machine.

Malicious traffic captured in Wireshark (isc.sans.edu)

One thing to note is that META uses PowerShell to add a Windows Defender exclusion for .exe files, so that its own files are not scanned and detected.

If you want to drill down into the details of the malicious traffic for detection or curiosity purposes, Duncan has published the PCAP of the infection traffic here.
