META malspam has been found by an independent analyst

Cybercriminals typically use information stealers to steal login credentials (e.g., usernames and passwords), credit card information, social security numbers, ID card information, and so on. Their goal is to take over online accounts, steal identities, and conduct unauthorized transactions and purchases.

Information stealers can log keystrokes (record keyboard input), exfiltrate data from browsers, and steal clipboard contents, two-factor authentication data, cryptocurrency wallet information, system information, and other data.

The range of data collected is determined by the information stealer's capabilities; there are both simple and sophisticated stealers.

Meta malspam

Brad Duncan, an independent analyst, has discovered a malspam campaign delivering META, a new information stealer malware.

The META malspam seen by security researcher and ISC Handler Brad Duncan is proof that META is actively used in attacks, being deployed to steal passwords stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets.

The infection chain in this particular campaign follows the "standard" approach: a macro-laced Excel spreadsheet arrives in prospective victims' inboxes as an email attachment.

When the malicious script runs, it will download various payloads, including DLLs and executables, from multiple sites, such as GitHub.

Some of the downloaded files are base64 encoded or have their bytes reversed to bypass detection by security software. For example, below is one of the samples collected by Duncan that has its bytes reversed in the original download.

Eventually, the final payload is assembled on the machine under the name "qwveqwveqw.exe," which is likely random, and a new registry key is added for persistence.

A clear and persistent sign of the infection is the EXE file generating traffic to a command and control server at 193.106.191[.]162, even after the system reboots, restarting the infection process on the compromised machine.

One thing to note is that META modifies Windows Defender via PowerShell to exclude .exe files from scanning, to protect its files from detection.
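The three observable traits described above (payloads stored byte-reversed or base64-encoded, beaconing to the reported C2 address, and a Defender exclusion added through PowerShell) can be turned into simple detection checks. The script below is an added example written for this page, not code from Duncan's write-up or from the META malware; the log lines and the fake PE header it processes are constructed, and only the C2 IP 193.106.191.162 comes from the article (shown de-fanged there).

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# --- Detecting obfuscated PE payloads --------------------------------------
# Constructed sample data (not a real malware sample): a minimal fake PE header
# stored plain, byte-reversed, and base64-encoded, mirroring the tricks the
# article describes for the downloaded DLLs/executables.
PE_MAGIC = b"MZ"
PLAIN_BLOB = b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"
REVERSED_BLOB = PLAIN_BLOB[::-1]
BASE64_BLOB = base64.b64encode(PLAIN_BLOB)


def classify_payload(blob: bytes) -> Optional[str]:
    """Return how a PE image is hidden inside blob, or None if none is found.

    Checks the raw bytes, their reverse, and (if the blob is valid base64)
    the decoded bytes and their reverse for the 'MZ' DOS header.
    """
    if blob.startswith(PE_MAGIC):
        return "plain"
    if blob[::-1].startswith(PE_MAGIC):
        return "reversed"
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all, so nothing further to unwrap
    if decoded.startswith(PE_MAGIC):
        return "base64"
    if decoded[::-1].startswith(PE_MAGIC):
        return "base64+reversed"
    return None


# --- Scanning logs for the reported C2 and the Defender exclusion ----------
C2_IP = "193.106.191.162"  # C2 address reported in the article (de-fanged there)

# Constructed sample log lines: two firewall records and two PowerShell
# script-block (event 4104) records. Hostnames, IPs and timestamps are made up.
SAMPLE_LOGS = [
    "2022-04-01T10:02:11Z fw ALLOW src=10.0.0.15 dst=193.106.191.162 dport=80 proto=tcp",
    "2022-04-01T10:02:12Z fw ALLOW src=10.0.0.15 dst=142.250.74.46 dport=443 proto=tcp",
    "2022-04-01T10:02:20Z ps 4104 host=WS01 ScriptBlockText=Add-MpPreference -ExclusionExtension exe",
    "2022-04-01T10:03:05Z ps 4104 host=WS01 ScriptBlockText=Get-Process",
]

# Exact-IP match with word boundaries so 193.106.191.162 does not also match
# e.g. 193.106.191.1620.
C2_RE = re.compile(r"\b" + re.escape(C2_IP) + r"\b")
# Any Add-MpPreference call that adds an exclusion (extension, path or process)
# is worth an alert on a workstation; the article's sample excludes .exe files.
DEFENDER_EXCL_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Extension|Path|Process)\b", re.IGNORECASE
)


def scan_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (alert_kind, line) pairs for lines matching either detection."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        if C2_RE.search(line):
            hits.append(("c2_traffic", line))
        elif DEFENDER_EXCL_RE.search(line):
            hits.append(("defender_exclusion", line))
    return hits


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_BLOB), ("reversed", REVERSED_BLOB),
                       ("base64", BASE64_BLOB)]:
        print(f"{name:>8}: {classify_payload(blob)}")
    for kind, line in scan_logs(SAMPLE_LOGS):
        print(f"[{kind}] {line}")
```

The byte-reversal check is cheap enough to run on every downloaded blob a sandbox or proxy hands you, and the persistence noted in the article means the C2 match should also fire on post-reboot traffic, which is a useful confirmation that the host is still infected rather than merely having visited a bad URL once.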

If you'd like to dive deeper into the malicious traffic details for detection purposes or curiosity, Duncan has published the PCAP of the infection traffic here.
