Malware Spam Campaign Found Spreading New META Information Stealer

Vlad CONSTANTINESCU

April 11, 2022


Independent security researcher and ISC handler Brad Duncan noticed a malware spam campaign spreading META malware, a novel info-stealer quickly gaining popularity among cybercriminals.

The META malware strain has been used in attacks to steal cryptocurrency assets and passwords stored in web browsers such as Firefox, Chrome, and Edge. Its sellers promote it as an improved version of Redline. The META info-stealer is sold on cybercrime marketplaces at $125 for monthly subscribers and $1,000 for unlimited lifetime use.

In this campaign, the threat actors employ a standard modus operandi: they send Excel spreadsheet files laced with malicious macros as email attachments to their targets’ inboxes. The email message usually mentions fund transfers to trick users into downloading and opening the attachment on their devices.

Once opened, the document shows targets a DocuSign message meant to deceive them into clicking “enable content” so the malicious VBS macro can start running in the background.

The macro then retrieves several payloads such as executables and DLLs from various websites, including GitHub. To dodge security software, threat actors encode the payloads in base64 or reverse their bytes, according to Duncan’s report.

Once the script retrieves all needed files, it reassembles them into a final payload named "qwveqwveqw.exe" and creates a new registry key to achieve persistence. The name of the final payload is allegedly generated at random.

The researcher also noticed that the executable generates traffic to a command-and-control (C2) server and, because the executable is restarted, keeps doing so even after a system reboot. Furthermore, the META malware uses PowerShell to modify certain settings in Windows Defender to exclude EXE files from scanning and avoid detection.
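For defenders triaging files fetched by a macro like the one described above, the following sketch (an added example, not code from Duncan's report or from Bitdefender) checks whether a downloaded blob becomes a Windows PE file once base64 encoding and/or byte reversal is undone. It also tries combinations of the two transforms, which goes beyond what the article states; the function names and the header-only sample are constructed for illustration.

```python
import base64
import binascii
import struct


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_b64(data: bytes):
    """Strictly decode base64 (whitespace ignored); None if it is not valid base64."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(data: bytes) -> str:
    """Return the steps that turn data into a PE file, 'plain', or 'unknown'."""
    # Assumption: only reversal and base64 are layered, as in the article.
    candidates = [("", data), ("reverse", data[::-1])]
    for steps, blob in list(candidates):
        decoded = try_b64(blob)
        if decoded is not None:
            name = (steps + ">" if steps else "") + "base64"
            candidates += [(name, decoded), (name + ">reverse", decoded[::-1])]
    for steps, blob in candidates:
        if is_pe(blob):
            return steps or "plain"
    return "unknown"


def make_stub_pe() -> bytes:
    """Constructed sample: a 0x44-byte header-only stub, not a real executable."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


if __name__ == "__main__":
    pe = make_stub_pe()
    for sample in (pe, pe[::-1], base64.b64encode(pe), base64.b64encode(pe[::-1])):
        print(classify(sample))
```

A result other than "plain" or "unknown" for a file that arrived with a document or text extension is a strong signal that it is a staged executable and should be escalated for analysis.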
