META, a new info-stealer that appears to be gaining popularity among cybercriminals, has been spotted in a malspam campaign. Along with Mars Stealer and BlackGuard, META is one of the new info-stealers whose operators hope to profit from Raccoon Stealer's absence from the market, which has left many looking for a new platform.
According to security researcher and ISC Handler Brad Duncan, META is now being deployed in attacks, where it is used to steal passwords and cryptocurrency wallets from Chrome, Firefox, and Edge. The infection chain in this campaign uses the "standard" technique of sending a macro-laced Excel spreadsheet as an email attachment to potential victims' inboxes.
The messages make fictitious financial-transfer promises that are neither persuasive nor well-crafted, yet they can still succeed against a considerable number of recipients. The spreadsheet files carry a DocuSign lure urging the victim to "allow content", which launches the malicious VBS macro in the background. Once the script runs, it downloads several payloads, including DLLs and executables, from various domains, including GitHub.
Some downloaded files are base64 encoded or have their bytes inverted to evade security software. The full payload is ultimately assembled on the machine under the name "qwveqwveqw.exe", which is most likely random, and a new registry entry is created for persistence.
The executable then generates traffic to a command-and-control server at 193.106.191[.]162; because this communication resumes after every system reboot, it is clear and persistent evidence of the infection. One thing to keep in mind is that META uses PowerShell to tell Windows Defender to ignore .exe files, protecting its own files from detection. If you'd like to dig further into the malicious traffic, whether for detection or curiosity, Duncan has made the PCAP of the infected traffic available here.
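A defender-side illustration, added here and not part of Duncan's analysis or the original article: a small Python detector that runs over constructed Sysmon-style events for the behaviours described above (Excel launching PowerShell, a Defender exclusion added via PowerShell, a Run-key persistence entry for qwveqwveqw.exe, and traffic to the C2 address). The Add-MpPreference cmdlet and the CurrentVersion\Run key are assumptions about how those steps are typically performed; the article does not name them.

```python
import re

# Constructed sample events in a Sysmon-like "Key=value" format; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE CommandLine=powershell -w hidden Add-MpPreference -ExclusionExtension exe",
    r"EventID=13 Image=C:\Users\victim\AppData\Roaming\qwveqwveqw.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\qwveqwveqw Details=C:\Users\victim\AppData\Roaming\qwveqwveqw.exe",
    r"EventID=3 Image=C:\Users\victim\AppData\Roaming\qwveqwveqw.exe DestinationIp=193.106.191.162 DestinationPort=80",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe notes.txt",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443",
]

C2_IP = "193.106.191.162"  # the article's 193.106.191[.]162, refanged for matching

def parse_event(line):
    """Split a Key=value line into a dict; a value runs until the next ' Key='."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def detect(event):
    """Return the names of the detections that fire for one parsed event."""
    hits = []
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    # Assumed cmdlet for "tell Defender to ignore .exe files" (not named in the article).
    if eid == "1" and re.search(r"add-mppreference.*-exclusion(extension|path)", cmd, re.I):
        hits.append("defender_exclusion_via_powershell")
    # Macro-laced Excel document launching a script host.
    if eid == "1" and event.get("ParentImage", "").lower().endswith("excel.exe") \
            and re.search(r"powershell|wscript|cscript", event.get("Image", ""), re.I):
        hits.append("office_spawns_script_host")
    # Assumed Run-key location for the persistence entry the article mentions.
    if eid == "13" and "\\currentversion\\run\\" in event.get("TargetObject", "").lower():
        hits.append("run_key_persistence")
    # Network connection to the C2 address reported in the article.
    if eid == "3" and event.get("DestinationIp") == C2_IP:
        hits.append("known_c2_ip")
    return hits

def scan(lines):
    """Map each event index to the detections it triggered; quiet events are dropped."""
    results = {}
    for i, line in enumerate(lines):
        hits = detect(parse_event(line))
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```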