Meh Malware Description
Meh Malware is primarily a password stealer and keylogger, but its capabilities extend well beyond that and cover a whole range of functions. The threat consists of two parts: a cryptor named MehCrypter, which delivers and decrypts the payload, and the actual core of the threat, named Meh.
MehCrypter works in several stages designed to deliver and obfuscate the first steps of the attack chain. The first stage is a dropper that downloads three additional files from the Command-and-Control servers through HTTP POST requests: pe.bin, base.au3, and autoit.exe, all of which are saved to the C:\testintel2\ directory. The file names indicate their roles: autoit.exe is the AutoIt script interpreter, base.au3 is an AutoIt script, and pe.bin holds the encrypted main Meh binary, which is decrypted in the third stage of MehCrypter's operation. The fixed staging directory and the three file names are the most useful host-level indicators of the early stages of an infection.
When fully deployed, Meh gives the threat actors near-complete control over the compromised system. It can read clipboard content, log keystrokes, collect cryptocurrency wallets, download additional files through a torrent client, deploy and execute the XMRig cryptominer, and more. It also ships with a versatile Remote Access Trojan (RAT) module that recognizes and executes around 45 different commands.
The second component, the Meh password stealer itself, is the center of the threat. Almost all of its functionality runs in subthreads, which are executed from code injected into legitimate Windows processes. The main threads observed in Meh are:
- Injection thread
- Installation and persistence thread
- Anti-AV check thread
- Cryptomining thread
- Torrent download thread
- Clipboard stealing and keylogging thread
- Crypto wallets stealing thread
- Advertisement fraud thread
As the names of the first threads indicate, Meh begins by establishing itself on the compromised system: it sets up a persistence mechanism and checks for the presence of several anti-malware solutions.
The core of Meh's activity is harvesting and exfiltrating data. Beyond the usual infostealer functions such as keylogging and intercepting clipboard content, the threat targets cryptocurrency wallets for Bitcoin, Electrum, Electrum-LTC, ElectronCash, Litecoin, Jaxx and Exodus. Given the appropriate parameters from its operators, it can also commit advertisement fraud by forcing clicks on arbitrary ad pages.
The RAT module extends these already extensive capabilities further. Through it, the attackers can manipulate the file system, harvest browser passwords and cookies, manage the cryptomining activity and deliver additional cryptominers, run commands through the command line, and more. One particular command makes the RAT module delete the Volume Shadow Copies kept by Windows. Deleting shadow copies removes the system's local restore points, a step typical of ransomware before encryption, which suggests that a ransomware component may be incorporated into Meh at some future point.
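A small hunt script that turns the artifacts described above into detection logic, covering both the MehCrypter staging stage (the C:\testintel2\ directory and its three dropped files, and autoit.exe launching base.au3 from there) and the RAT's shadow copy deletion. This is an added example and not code from the original page or from the analysis it summarizes. It assumes Sysmon-style event records as plain dicts (EventID 1 = process create, EventID 11 = file create); the staging path and file names come from the description above, while the specific shadow-copy command lines (vssadmin and wmic) are an assumption, since the page does not say which mechanism the RAT uses. The sample events at the bottom are constructed, not real telemetry.

```python
"""Hunt for Meh / MehCrypter host artifacts in Sysmon-style events (added example)."""
import re

# Indicators from the description: fixed staging directory and dropped file names.
STAGING_DIR = r"c:\testintel2"
STAGED_FILES = {"pe.bin", "base.au3", "autoit.exe"}

# Command lines that delete Volume Shadow Copies. Assumption: these are the usual
# Windows tools for that action; the page does not name the RAT's exact method.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
]


def _norm_path(path):
    """Lower-case and use backslashes so comparisons are case/separator insensitive."""
    return path.replace("/", "\\").lower()


def _in_staging_dir(path):
    return _norm_path(path).startswith(STAGING_DIR + "\\")


def _basename(path):
    return _norm_path(path).rsplit("\\", 1)[-1]


def classify(event):
    """Return a list of finding labels for one event (empty list means nothing matched)."""
    findings = []
    eid = event.get("EventID")
    if eid == 11:  # FileCreate: one of the three dropped files landing in the staging dir
        target = event.get("TargetFilename", "")
        if _in_staging_dir(target) and _basename(target) in STAGED_FILES:
            findings.append("meh_staged_file:" + _basename(target))
    elif eid == 1:  # ProcessCreate
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        # The AutoIt interpreter running out of the staging directory, or base.au3 on a
        # command line, marks the second stage of MehCrypter.
        if _basename(image) == "autoit.exe" and _in_staging_dir(image):
            findings.append("autoit_from_staging_dir")
        if "base.au3" in cmd.lower():
            findings.append("base_au3_executed")
        # Shadow copy deletion: the RAT command that hints at a future ransomware module.
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            findings.append("shadow_copy_deletion")
    return findings


def hunt(events):
    """Classify every event; return {event_index: [labels]} for the ones that matched."""
    hits = {}
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            hits[i] = labels
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\testintel2\pe.bin"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\testintel2\base.au3"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\testintel2\autoit.exe"},
    {"EventID": 1, "Image": r"C:\testintel2\autoit.exe",
     "CommandLine": r'"C:\testintel2\autoit.exe" C:\testintel2\base.au3'},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    # Benign: a developer's AutoIt install running an unrelated script.
    {"EventID": 1, "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\dev\build.au3'},
    # Benign: same file name, but outside the staging directory.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Downloads\pe.bin"},
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS).items():
        print(idx, labels)
```

The file-name and path checks are deliberately strict (exact names inside C:\testintel2\), so a renamed or relocated variant would evade them; the shadow-copy rule is the more durable of the three because it keys on the action rather than on a string the operators can change.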