Independent security researcher and ISC handler Brad Duncan observed a malspam campaign distributing META, a relatively new information stealer that is quickly gaining popularity among cybercriminals.
META has been used in attacks to steal cryptocurrency assets and passwords saved in web browsers such as Firefox, Chrome, and Edge. Its sellers promote it as an improved version of Redline, and it is sold on cybercrime marketplaces for $125 per month or $1,000 for unlimited lifetime use.
In this campaign, the threat actors follow a standard playbook: they email their targets Excel spreadsheets laced with malicious macros. The lure is usually a fund-transfer theme, chosen to get the recipient to download and open the attachment.
Once opened, the spreadsheet shows a DocuSign-themed decoy asking the target to “enable content”, which is what allows the malicious VBA macro to run in the background.
The macro then downloads several components, executables and DLLs, from various websites, including GitHub. To get past security software, the threat actors store these payloads base64-encoded or with their bytes reversed, according to Duncan’s report.
Once the script has retrieved every piece, it reassembles them into a final payload named "qwveqwveqw.exe" and creates a new registry key for persistence. The final payload's filename is reportedly generated at random.
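The two obfuscation layers described above (base64 and byte reversal) are trivial to undo once you know which order they were applied in, but an analyst rarely knows that up front. The following is an added triage helper, not code from the campaign or from Duncan's report: it searches over short chains of the two inverse operations until the result carries a valid MZ/PE header. The "executable" it works on is a constructed header stub, not a real binary, and the depth limit and decoder names are my own choices.

```python
"""Triage helper for payloads hidden behind base64 and/or byte-reversal layers.

Added example, not code from the campaign or from the original report. The
sample 'executable' below is a constructed MZ/PE header stub, not real malware.
"""
import base64
import binascii
from collections import deque
from typing import List, Optional, Tuple

MAX_DEPTH = 3  # how many decode layers to try before giving up


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: a minimal DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature. Enough for the header check, nothing more."""
    dos = bytearray(b"MZ")
    dos += b"\x00" * (0x3C - len(dos))                  # pad up to the e_lfanew field
    dos += (0x40).to_bytes(4, "little")                  # e_lfanew: PE header lives at offset 0x40
    coff = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18    # signature, Machine=i386, rest zeroed
    return bytes(dos) + coff + b"constructed sample body, not a real binary"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _b64decode_strict(data: bytes) -> bytes:
    """Drop line-wrapping whitespace, then decode; non-Base64 input raises binascii.Error."""
    return base64.b64decode(b"".join(data.split()), validate=True)


# The two obfuscation layers described in the report, as inverse operations.
DECODERS = {
    "base64": _b64decode_strict,
    "reverse": lambda b: b[::-1],
}


def layer(data: bytes, steps: List[str]) -> bytes:
    """Apply obfuscation forward ('reverse' or 'base64'); used here to build test input."""
    for step in steps:
        data = data[::-1] if step == "reverse" else base64.b64encode(data)
    return data


def recover_pe(blob: bytes, max_depth: int = MAX_DEPTH) -> Optional[Tuple[List[str], bytes]]:
    """Breadth-first search over decoder chains up to max_depth.

    Returns (steps_applied, pe_bytes) for the shortest chain that yields a PE,
    or None if nothing within max_depth looks like an executable."""
    queue = deque([((), blob)])
    seen = {blob}
    while queue:
        steps, data = queue.popleft()
        if looks_like_pe(data):
            return list(steps), data
        if len(steps) >= max_depth:
            continue
        for name, decode in DECODERS.items():
            try:
                out = decode(data)
            except (binascii.Error, ValueError):
                continue  # this layer does not apply here; try the other
            if out in seen:
                continue
            seen.add(out)
            queue.append((steps + (name,), out))
    return None


if __name__ == "__main__":
    dropped = layer(build_fake_pe(), ["reverse", "base64"])  # reversed, then Base64-wrapped
    result = recover_pe(dropped)
    if result is None:
        print("no PE found within", MAX_DEPTH, "layers")
    else:
        steps, pe = result
        print("decoded via", " -> ".join(steps), "| size", len(pe), "bytes")
```

The header check is deliberately weak (MZ plus a PE signature at e_lfanew) because its only job is to stop the search; anything it accepts should still go to a proper PE parser. Because base64 is rejected strictly, a chain that applies it to binary data fails fast instead of producing garbage that has to be checked.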
The researcher also observed the executable beaconing to a command-and-control (C2) server; because the persistence mechanism relaunches the executable at startup, that traffic resumes after a reboot. META also uses PowerShell to change Windows Defender settings, adding an exclusion so that EXE files are no longer scanned, in order to avoid detection. A Defender exclusion being added from PowerShell is rare in normal use and is worth alerting on in its own right.
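The Defender change described above is done with the Add-MpPreference (or Set-MpPreference) cmdlet and its -ExclusionExtension parameter, which makes it a cheap thing to detect from process-creation telemetry. Below is an added detection example, not code from the report: it scans a constructed log format for PowerShell launches that add a Defender exclusion, and it first decodes -EncodedCommand (Base64 of the UTF-16LE command text), since that is the obvious way to hide the cmdlet name from a naive string match. Matching on -ExclusionPath and -ExclusionProcess as well as -ExclusionExtension is my generalization; the report only mentions EXE files being excluded.

```python
"""Detection over process-creation log lines: flag PowerShell that adds Windows Defender
exclusions, including when the command is hidden behind -EncodedCommand.

Added example, not code from the report; the log format and sample lines are constructed.
"""
import base64
import re
from typing import List, Optional

# Add-MpPreference / Set-MpPreference with an -Exclusion* parameter. The campaign uses
# -ExclusionExtension exe; Path and Process are included as the obvious generalization.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Extension|Path|Process)\b\s*[\"']?([^\s\"']+)",
    re.IGNORECASE,
)
# -EncodedCommand and the prefixes PowerShell accepts for it (-e, -ec, -en, -enc, ...);
# the argument is Base64 of the UTF-16LE command text.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc[a-z]*)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects it (used here to build sample input)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def effective_command(cmdline: str) -> str:
    """Return the text that will actually execute: the decoded -EncodedCommand payload
    if present, otherwise the command line unchanged."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed token: fall back to matching the raw line


def find_exclusion(cmdline: str) -> Optional[dict]:
    """Match Defender exclusion cmdlets after undoing command encoding."""
    cmd = effective_command(cmdline)
    m = EXCLUSION_RE.search(cmd)
    if not m:
        return None
    return {
        "cmdlet": f"{m.group(1)}-MpPreference",
        "kind": m.group(2),
        "value": m.group(3),
        "decoded": cmd != cmdline,
    }


def scan_log(lines: List[str]) -> List[dict]:
    """Constructed line format: timestamp|host|image|command line.
    maxsplit=3 keeps any '|' that appears inside the command line itself."""
    alerts = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, host, image, cmdline = parts
        if not re.search(r"(?:powershell|pwsh)\.exe$", image, re.IGNORECASE):
            continue  # the Mp* cmdlets only run inside PowerShell
        hit = find_exclusion(cmdline)
        if hit:
            alerts.append({"ts": ts, "host": host, **hit})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [  # constructed sample events, not captured data
    f"2022-01-01T10:03:22Z|WS-01|{PS}|powershell.exe -Command \"Get-Process | Out-File C:\\temp\\procs.txt\"",
    f"2022-01-01T10:05:41Z|WS-01|{PS}|powershell.exe -nop -w hidden -c \"Add-MpPreference -ExclusionExtension 'exe'\"",
    f"2022-01-01T10:05:42Z|WS-01|{PS}|powershell.exe -nop -w hidden -enc {encode_ps('Add-MpPreference -ExclusionExtension exe')}",
    f"2022-01-01T10:06:10Z|WS-01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo Add-MpPreference -ExclusionExtension exe",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The image filter is there because the Mp* cmdlets only exist inside PowerShell, so a cmd.exe line that merely contains the string is noise. In a real deployment the same logic belongs on Sysmon Event ID 1 or Windows 4688 command lines (or on PowerShell script-block logging, which already shows the decoded text), and the decoded field tells the analyst that the attacker bothered to hide the command.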