New META Stealer is Popular in the Underground Marketplaces

A malspam campaign is spreading an infostealer that is becoming popular among cybercriminals. Named META, the stealer attempts to fill the void left by the exit of Raccoon Stealer.

The META malware

META was first reported last month when analysts observed it on the TwoEasy botnet marketplace.
  • The stealer is sold for $125 per month; alternatively, buyers can pay $1,000 for unlimited lifetime use. It is advertised as an improved version of RedLine.
  • A researcher has now observed a spam campaign in which META is actively used. It was deployed to steal passwords saved in Firefox, Chrome, and Edge, along with cryptocurrency wallets.

To avoid detection, META tampers with Windows Defender: it uses PowerShell to add an exclusion for .exe files so that executables are no longer scanned.
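As an added example (not code from the article or from the analysts it cites), the following PowerShell audit lets a defender surface the kind of exclusion META creates on a Windows host and review recent exclusion changes recorded by Defender. The extension watchlist and the seven-day window are assumptions chosen for illustration.

```powershell
# Added example: audit Windows Defender for risky exclusions and recent
# exclusion changes. Run in an elevated PowerShell session.

# 1. Current exclusion state. An extension exclusion for "exe" effectively
#    disables scanning of every executable on the host.
$prefs = Get-MpPreference
$suspiciousExt = @('exe', 'dll', 'ps1', 'vbs', 'bat', 'scr')  # constructed watchlist
$findings = @()

foreach ($ext in $prefs.ExclusionExtension) {
    if ($suspiciousExt -contains $ext.TrimStart('.').ToLower()) {
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext }
    }
}
foreach ($path in $prefs.ExclusionPath) {
    # Whole drives and user-writable or temp directories are high risk.
    if ($path -match '^[A-Za-z]:\\?$' -or
        $path -match '\\(Users|Temp|AppData|ProgramData)\\?') {
        $findings += [pscustomobject]@{ Type = 'Path'; Value = $path }
    }
}

# 2. Event ID 5007 in the Defender operational log records every
#    configuration change, including exclusions added through
#    Add-MpPreference / Set-MpPreference. Keep the entries that touch the
#    Exclusions registry branch.
$since = (Get-Date).AddDays(-7)   # assumed review window
$changes = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    Select-Object TimeCreated, Message

if ($findings.Count -eq 0 -and -not $changes) {
    Write-Host "No risky Defender exclusions or recent exclusion changes found."
} else {
    Write-Host "Risky exclusions currently configured:"
    $findings | Format-Table -AutoSize
    Write-Host "Exclusion-related configuration changes since ${since}:"
    $changes | Format-List
}
```

Any exclusion for a whole extension such as .exe should be treated as a finding to investigate rather than a configuration choice, and the 5007 events show when it was added and can be correlated with process-creation logs from the same time.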

The infection chain

The infection chain in the recent malspam campaign follows a basic approach: a macro-laced Excel spreadsheet is sent to prospective victims' inboxes as an email attachment.
  • The email body makes a fake claim about a fund transfer that is neither convincing nor well-crafted; nevertheless, the lure appears to work against a notable percentage of recipients.
  • The spreadsheet carries a DocuSign lure that prompts the target to enable content, which is needed to run the malicious VBS macro in the background.
  • The macro downloads various payloads, including DLLs and executables, from several sites such as GitHub. Some downloaded files are base64 encoded or have their bytes reversed to bypass detection.
  • Finally, the payload is dropped on the machine under the apparently random name qwveqwveqw[.]exe, and a new registry key is added for persistence.

Conclusion

After the exit of Raccoon Stealer, several cybercriminals are hoping to fill the gap by pushing their own malware variants. Users should therefore stay cautious and always protect their sensitive information with proper encryption and access controls.
Cyware Publisher