The META Infostealer is a new, threatening strain that has been gaining traction among cybercriminals. It is part of the wave of malicious tooling aimed at filling the vacuum left after the operators of Raccoon Stealer stopped their activities. As a result, many hackers and hacking groups began looking for their next attack platform, and the META Infostealer appears to meet most of their needs. So far, access to the malware can be obtained for a monthly subscription of $125 or a single lifetime payment of $1000.
The threat is advertised as a more potent and improved version of RedLine. It can harvest sensitive information from infected devices, such as login credentials and passwords stored in popular Web browsers including Chrome, Firefox and Edge. In addition, attackers can leverage the META Infostealer to compromise the victim's cryptocurrency wallets.
The Attack Chain
The security expert and ISC Handler Brad Duncan uncovered an active campaign designed to deploy the META Infostealer. The threat actors employ the tried-and-true infection vector of spam emails carrying poisoned file attachments. These lure emails may contain completely fabricated claims about fund transfers or other seemingly urgent events that demand the user's immediate attention. To see details of the supposed issue, victims are directed to open the attached file, a macro-laced Excel spreadsheet. To appear more legitimate, the file carries a DocuSign logo and instructs users to 'enable content,' the step needed for the malicious VBS macro to execute.
When the script runs, it fetches and delivers to the user's device several payloads consisting of multiple DLLs and executables. The files are retrieved from various websites, including GitHub. To evade detection by security applications, the dropped files may be base64 encoded or have their bytes reversed. The final payload is written to the device as a file named 'qwveqwveqw.exe'; the name is likely generated at random. A new Registry key is added to act as a persistence mechanism. As part of its actions, the threat also uses PowerShell commands to force Windows Defender to stop scanning .exe files on the system. A clear sign of the META Infostealer's presence is the continuous traffic between its payload .exe file and the operation's Command-and-Control server.
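As an added example that is not part of the original write-up or the campaign's own tooling, a small Python triage helper for analysts that peels the two obfuscation layers named above (base64 encoding, byte reversal, or both stacked) off a dropped file and confirms the result is a PE image; the sample buffer it runs on is constructed here, not taken from the campaign.

```python
import base64
import binascii
from typing import Optional, Tuple


def _looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: DOS 'MZ' header plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _try_base64(data: bytes) -> Optional[bytes]:
    """Strict base64 decode; None when the buffer is not base64 text."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_payload(blob: bytes, max_depth: int = 3) -> Tuple[str, bytes]:
    """Peel plain / reversed / base64 layers until a PE image appears.

    Returns (layers, recovered_bytes); layers is a '+'-joined trail such as
    'base64+reversed' (outermost first) or 'plain'. Raises ValueError when no
    PE image is recovered within max_depth layers.
    """
    layers, data = [], blob
    for _ in range(max_depth):
        if _looks_like_pe(data):
            return ("+".join(layers) or "plain", data)
        if _looks_like_pe(data[::-1]):          # byte-reversed PE
            layers.append("reversed")
            data = data[::-1]
            continue
        decoded = _try_base64(data.strip())     # base64-wrapped blob
        if decoded is not None:
            layers.append("base64")
            data = decoded
            continue
        break
    raise ValueError("no PE image recovered")


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped buffer for the demo (not a real binary)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed samples mimicking the two dropper tricks, singly and stacked.
SAMPLE_REVERSED = _fake_pe()[::-1]
SAMPLE_B64_OF_REVERSED = base64.b64encode(SAMPLE_REVERSED)
```

Point the helper at each dropped artifact and keep the returned trail with the recovered bytes, which are what you hash and submit to further analysis.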