Search This Blog

Malspam Campaign Spreads Novel META Info-stealer

The tool is sold at $125 for monthly subscribers or $1,000 for unlimited lifetime use and is promoted as an improved version of RedLine.

 

The new META malware, a unique info-stealer malware that appears to be gaining popularity among hackers, has been discovered in a malspam campaign. 

META, along with Mars Stealer and BlackGuard, is one of the latest info-stealers whose administrators aim to profit from Raccoon Stealer's absence from the market, which has left many looking for a new platform.  META was initially reported on the Bleeping Computer last month when KELA experts cautioned of its quick entry into the TwoEasy botnet marketplace. The product is advertised as an upgraded version of RedLine and costs $125 per month for monthly users or $1,000 for unlimited lifetime use. 

META is currently being utilised in attacks, according to security researcher and ISC Handler Brad Duncan. It is being used to steal passwords stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets. The infection chain in this campaign uses the "standard" approach of sending a macro-laced Excel spreadsheet as an email attachment to potential victims' inboxes. The communications make fictitious financial transfer promises that aren't very persuasive or well-crafted, yet they can nonetheless be effective against a considerable percentage of recipients. 

A DocuSign bait is included in the spreadsheet files, urging the target to "allow content" in order to launch the malicious VBS macro in the background. The malicious script will download a variety of payloads, including DLLs and executables, when it runs. To avoid detection by the security software, some of the downloaded files are base64 encoded or have their bytes reversed. 

One of the samples Duncan collected, for example, has its bytes reversed in the original file. The full payload is eventually assembled on the machine under the name "qwveqwveqw.exe," which is most likely random, and a new registry entry for persistence is created. The EXE file generating activity to a command and control server at 193.106.191[.]162, even after the system reboots, is clear and persistent evidence of the infection, restarting the infection process on the affected machine. 

One thing to keep in mind is that META uses PowerShell to tell Windows Defender to exclude .exe files in order to protect its files from discovery.
Share it:

Info Stealer

malspam

malware

Meta

RedLine Stealer