Cybercriminals typically use information stealers to steal login credentials
(e.g., usernames and passwords), credit card information, social security
numbers, ID card information, and so on. Their goal is to take over online
accounts, steal identities, and conduct unauthorized transactions and
purchases.
Information stealers can log keystrokes, exfiltrate data saved in browsers, grab clipboard contents, and collect two-factor authentication data, cryptocurrency wallet information, system information, and more. How much of this a given sample collects depends on its capabilities; the category ranges from simple to sophisticated stealers.
Meta malspam
Security researcher Brad Duncan has discovered a malspam campaign delivering META, a new information-stealing malware.
The Meta malspam seen by security researcher and ISC Handler Brad Duncan is
proof that META is actively used in attacks, being deployed to steal passwords
stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets.
The infection chain in the particular campaign follows the "standard" approach
of a macro-laced Excel spreadsheet arriving in prospective victims' inboxes as
email attachments.
When the malicious macro runs, it downloads several payloads, including DLLs and executables, from multiple sites, GitHub among them.
Some of the downloaded files are base64-encoded or have their byte order reversed to evade detection by security software. One of the samples Duncan collected, for instance, arrived with its bytes reversed in the original download, so it only becomes a valid executable once the loader reverses it back.
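As an added illustration of the two obfuscation tricks just described (this is example code, not from Duncan's write-up or from the META samples), the following Python routine takes a downloaded blob and tries to recover a PE executable from it: plain, byte-reversed, base64-encoded, or base64 of a reversed file. It checks for a real PE layout (MZ magic plus an e_lfanew pointer to the "PE\0\0" signature) rather than just two magic bytes, so a text file that happens to end in "ZM" is not mistaken for a reversed payload. The sample header is a constructed minimal PE stub, not a real payload, and the helper names are mine.

```python
import base64
import binascii
import re

# Constructed stand-in for a downloaded payload: a minimal DOS/PE header
# (MZ magic, e_lfanew at offset 0x3c pointing at a "PE\0\0" signature).
# It is not a real executable and only serves to exercise the checks below.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58            # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    + b"PE\x00\x00"                 # NT headers signature
    + b"\x00" * 20                  # padding where the file header would follow
)

_B64_RE = re.compile(rb"[A-Za-z0-9+/]*={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data carries an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_base64(data: bytes):
    """Decode data as strict base64 (whitespace tolerated); None if it is not base64."""
    compact = re.sub(rb"\s+", b"", data)
    if not compact or len(compact) % 4 or not _B64_RE.fullmatch(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def normalize_payload(data: bytes):
    """Return (transform, pe_bytes) for the first transform that yields a PE,
    or ("unknown", data) if none does."""
    if looks_like_pe(data):
        return "plain", data
    # A byte-reversed PE ends with "ZM"; reverse it back and re-check the layout.
    if data[-2:] == b"ZM" and looks_like_pe(data[::-1]):
        return "reversed", data[::-1]
    decoded = try_base64(data)
    if decoded is not None:
        if looks_like_pe(decoded):
            return "base64", decoded
        if decoded[-2:] == b"ZM" and looks_like_pe(decoded[::-1]):
            return "base64+reversed", decoded[::-1]
    return "unknown", data


# Constructed inputs covering each variant plus a non-payload.
SAMPLES = {
    "plain": SAMPLE_PE,
    "reversed": SAMPLE_PE[::-1],
    "base64": base64.b64encode(SAMPLE_PE),
    "base64+reversed": base64.b64encode(SAMPLE_PE[::-1]),
    "junk": b"not a payload",
}


def classify_all(samples):
    """Map each sample label to the transform normalize_payload identified."""
    return {label: normalize_payload(blob)[0] for label, blob in samples.items()}


if __name__ == "__main__":
    for label, transform in classify_all(SAMPLES).items():
        print(f"{label:16s} -> {transform}")
```

Run it over the files a macro dropped into a temp directory and anything that comes back as "reversed" or "base64" is worth hashing and submitting for analysis; the original download as fetched will not match existing PE signatures, which is exactly why the loader stores it that way.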
Eventually the final payload is assembled on the machine under the name "qwveqwveqw.exe", which is likely random, and a new registry key is added for persistence.
A clear and persistent sign of infection is the EXE generating traffic to a command and control server at 193.106.191[.]162. Because of the persistence mechanism, the traffic resumes after a reboot, as the infection process restarts on the compromised machine.
One thing to note is that META uses PowerShell to add a Windows Defender exclusion for .exe files, so its own executables are never scanned. Defenders can check for such an entry on a suspect host with Get-MpPreference, which lists the configured exclusions; an .exe extension exclusion that nobody added deliberately is a strong indicator.
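The two host-side indicators from this paragraph and the one before it, beaconing to 193.106.191[.]162 and a Defender exclusion added through PowerShell, translate directly into detection logic. The Python below is an added example, not something from Duncan's analysis; it runs two rules over constructed process-creation and network-connection events shaped loosely like Sysmon fields. It generalizes a little beyond the text: it flags any -Exclusion* parameter of Add-MpPreference (Extension, Path, Process), and it decodes -EncodedCommand arguments before matching, since the page does not say whether META's PowerShell command was encoded. The payload path and the event layout are assumptions.

```python
import base64
import binascii
import ipaddress
import re

# C2 address reported for this campaign (defanged as 193.106.191[.]162 in the text).
C2_IP = ipaddress.ip_address("193.106.191.162")

# Add-MpPreference with any -Exclusion* parameter (Extension, Path, Process).
# PowerShell accepts abbreviated parameter names, hence the trailing \w*.
EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusion\w*", re.IGNORECASE | re.DOTALL)

# powershell.exe -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def expand_command(cmdline: str) -> str:
    """Append the decoded text of any -EncodedCommand argument so rules see the real script."""
    expanded = [cmdline]
    for match in ENCODED_RE.finditer(cmdline):
        try:
            expanded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16le"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return "\n".join(expanded)


def detect(events):
    """Return (rule_name, event) pairs for events matching the META behaviours above."""
    alerts = []
    for ev in events:
        if ev["event"] == "process" and EXCLUSION_RE.search(expand_command(ev["cmdline"])):
            alerts.append(("defender_exclusion_added", ev))
        elif ev["event"] == "network" and ipaddress.ip_address(ev["dst_ip"]) == C2_IP:
            alerts.append(("c2_connection", ev))
    return alerts


def _encoded(script: str) -> str:
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events, loosely shaped like Sysmon Event 1 (process
# creation) and Event 3 (network connection). None come from the PCAP; the
# payload's on-disk path is assumed, only its file name is from the write-up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\victim\AppData\Roaming\qwveqwveqw.exe"
SAMPLE_EVENTS = [
    {"event": "process", "image": PS,
     "cmdline": 'powershell -nop -w hidden -c "Add-MpPreference -ExclusionExtension exe"'},
    {"event": "process", "image": PS, "cmdline": "powershell Get-MpPreference"},  # benign query
    {"event": "process", "image": PS,
     "cmdline": "powershell -enc " + _encoded('Add-MpPreference -ExclusionExtension "exe"')},
    {"event": "process", "image": PAYLOAD, "cmdline": "qwveqwveqw.exe"},
    {"event": "network", "image": PAYLOAD, "dst_ip": "193.106.191.162"},
    {"event": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10"},  # documentation-range address, benign
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.get('cmdline') or ev.get('dst_ip')}")
```

In production the command-line rule would sit over the CommandLine field of Sysmon Event ID 1 or Security event 4688 (with command-line auditing enabled), and the network rule over firewall, proxy or Sysmon Event ID 3 logs. Matching on the decoded script rather than the raw command line is what keeps a simple base64 wrapper from hiding the exclusion.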
Duncan has published a PCAP of the infection traffic for anyone who wants to dig into the malicious traffic in more detail, whether for detection purposes or out of curiosity.