{"id":7271,"date":"2022-04-12T15:09:51","date_gmt":"2022-04-12T15:09:51","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=7271"},"modified":"2024-05-30T17:36:23","modified_gmt":"2024-05-30T17:36:23","slug":"meta-infostealer-malware","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/meta-infostealer-malware\/","title":{"rendered":"Meta Infostealer Malware Spread via Spam"},"content":{"rendered":"

Meta<\/strong>, a newly crafted information-stealing malware, is distributed via a vast spam spree<\/strong>. The mechanism of the stealer injection within this campaign is already well-known. However, Meta is now a mainstream tool among hackers. Therefore, further attacks featuring this software but with different scenarios are inevitable. This article explains how the current malspam scheme works. We also share the story behind the info stealer.<\/p>\n

READ ALSO<\/strong>: Spyware vs. Infostealer – what’s the difference<\/a>?<\/p>\n

The information provided within the current article, including the images, is courtesy of Brad Duncan<\/a>, an independent cybersecurity analyst, the man behind the malware-traffic-analysis.net<\/a> blog.<\/p>\n

\"Meta<\/a><\/p>\n

Spam Campaign details<\/h2>\n

The Meta infostealer malware gets into the victim’s computer. It begins with an email with an attachment<\/strong>. Already a stay-away thing for the experienced ones, but someone might still buy into that. The bait is classic: you have received payment, and there is a little paperwork to be done before getting your money.<\/p>\n

\"Meta<\/a>
This is a Meta Stealer Infection Scheme provided by Brad Duncan. Source: isc.sans.edu<\/figcaption><\/figure>\n

After the user downloads the attachment (an excel table within the current campaign,) the file will, just as expected, request allowance to execute macros<\/strong>. The sheets file features a DocuSign image to be more persuasive, although it is unnecessary since it is already downloaded. If the victim consents, enabled scripts (VBS) start downloading stuff from several sources.<\/p>\n

\"Request<\/a>
The attached excel file with a DocuSign seal asks for macros allowance. Source: isc.sans.edu<\/figcaption><\/figure>\n

The downloaded payload gets encoded with base64 (schemes presenting binary data as text) or undergoes byte reversal. Both methods increase the malware’s chances of passing undetected by antivirus programs. The fetched content constitutes *.dll and *.exe files.<\/p>\n

\"Reversed<\/a>
You can see the reversed byte order in the downloaded DLL. Source: isc.sans.edu<\/figcaption><\/figure>\n

The hacker’s plan succeeds as a malicious executable gets assembled on the victim’s computer, and it starts sending data to the server with 193[.]106[.]191[.]162 address. The file name is ‘qwveqwveqw,’ and it even gets itself a system registry entry. Meta steals passwords<\/strong> for cryptocurrency wallets and web browsers, namely Chrome, Firefox, and Edge. By the way, Meta alters PowerShell and Windows Security settings, excluding *.exe files from antivirus examination.<\/p>\n

\"Meta<\/a>
Meta-generated traffic. Source: isc.sans.edu<\/figcaption><\/figure>\n

Brief information on Meta malware<\/h2>\n

The hacker community quickly reacted to the suspension of Raccoon Stealer<\/strong> malware. Its operators stopped selling and supporting the tool as one of the developers became a victim of the war in Ukraine. Meta, advertised as the successor of RedLine, is one of several stealers that arrived to occupy the vacant niche. Its monthly price on the 2Easy<\/strong> botnet marketplace is $125 and a lifetime subscription costs $1000. For a more thorough analysis of the Meta malware, consider reading the original report<\/a> by Brad Duncan on the Internet Storm Center security forum.<\/p>\n

RELATED<\/strong>: Why is the 2easy trading platform<\/a> gaining popularity?<\/p>\n","protected":false},"excerpt":{"rendered":"

Meta, a newly crafted information-stealing malware, is distributed via a vast spam spree. The mechanism of the stealer injection within this campaign is already well-known. However, Meta is now a mainstream tool among hackers. Therefore, further attacks featuring this software but with different scenarios are inevitable. This article explains how the current malspam scheme works. […]<\/p>\n","protected":false},"author":7,"featured_media":7275,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[28,448,51,10,48,1360],"class_list":{"0":"post-7271","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-malware","9":"tag-meta","10":"tag-personal-information","11":"tag-spam","12":"tag-spyware","13":"tag-stealer"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/04\/METAFI.jpg","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/7271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=7271"}],"version-history":[{"count":15,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/7271\/revisions"}],"predecessor-version":[{"id":11663,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/7271\/revisions\/11663"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/7275"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=7271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=7271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=7271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}