Cybersecurity researcher Brad Duncan has discovered a malicious campaign distributing a new infostealer called META. Information-stealing malware of this kind is growing in popularity among cybercriminals.
META is one of several new information stealers, alongside Mars Stealer and BlackGuard, whose operators are looking to take advantage of Raccoon Stealer's withdrawal from the market, which has forced many criminals to look for a new platform.
META is sold for $125 per month or $1,000 for unlimited lifetime use, and is advertised as an improved version of RedLine.
A new spam campaign shows that META is actively used in attacks to steal cryptocurrency wallets and passwords stored in the Google Chrome, Microsoft Edge and Mozilla Firefox browsers.
The operators took the “standard” approach: emails carrying Microsoft Excel spreadsheets with macros. The messages make false, and not very plausible, claims about a funds transfer involving the potential victim. The spreadsheets use a DocuSign lure that prompts the target to click “Enable Content”, which is what allows the malicious VBA macro to run in the background.
When the macro runs, it downloads several payloads, including DLLs and executables, from multiple sites, including GitHub. Some of the downloaded files are base64-encoded to evade detection by security software.
On the victim's system the final payload is dropped as qwveqwveqw.exe, a name that is presumably random. To ensure persistence, a new registry key is also added.
The executable generates traffic to the command-and-control server even after the system restarts, restarting the infection process on the device. META also modifies the Windows Defender configuration via PowerShell, excluding executable files from scanning.
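The two post-infection behaviours described above, a Run-key persistence entry and a Defender scan exclusion for executables, are both visible from the host. The following PowerShell triage script is an added example, not code from the article or from the malware; it assumes an elevated session on the affected Windows host with the Defender module available, and the "random-looking name" heuristic and the user-writable path list are assumptions of this example, not indicators published with the campaign.

```powershell
# Added example (not from the article or the malware): host triage for a Defender scan
# exclusion on executables and a Run-key persistence entry such as qwveqwveqw.exe.
# Assumes an elevated PowerShell session on the Windows host with the Defender module present.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Value, [string]$Where) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Source = $Where })
}

# 1. Current Defender exclusions. Excluding executables from scanning, as the article
#    describes, is one line in PowerShell: Add-MpPreference -ExclusionExtension 'exe'.
$pref = Get-MpPreference
foreach ($ext in @($pref.ExclusionExtension)) { if ($ext) { Add-Finding 'DefenderExclusion.Extension' $ext 'Get-MpPreference' } }
foreach ($path in @($pref.ExclusionPath))     { if ($path) { Add-Finding 'DefenderExclusion.Path' $path 'Get-MpPreference' } }
foreach ($proc in @($pref.ExclusionProcess))  { if ($proc) { Add-Finding 'DefenderExclusion.Process' $proc 'Get-MpPreference' } }

# 2. When the exclusion was added. Defender records configuration changes as event ID 5007
#    in its Operational log; the message names the registry value that changed.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        Add-Finding 'DefenderExclusion.ChangeEvent' ("{0}: {1}" -f $_.TimeCreated, ($_.Message -replace '\s+', ' ')) 'EventID 5007'
    }

# 3. Run-key persistence. List every value and flag those that launch an executable from a
#    user-writable location or with a random-looking file name (heuristic, an assumption here).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-RandomLookingName([string]$Command) {
    # Take the file stem of the first .exe in the command; flag it if it is one long
    # lowercase run of letters with few vowels (qwveqwveqw has 2 vowels in 10 letters).
    if ($Command -notmatch '([^\\"/]+)\.exe') { return $false }
    $stem = $Matches[1].ToLower()
    if ($stem -notmatch '^[a-z]{8,}$') { return $false }
    $vowels = ([regex]::Matches($stem, '[aeiou]')).Count
    return ($vowels / $stem.Length) -lt 0.3
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [string]$p.Value
        $suspicious = ($cmd -match '\\(AppData|Temp|Users\\Public|ProgramData)\\') -or (Test-RandomLookingName $cmd)
        $type = if ($suspicious) { 'RunKey.Suspicious' } else { 'RunKey.Entry' }
        Add-Finding $type ("{0} = {1}" -f $p.Name, $cmd) $key
    }
}

$findings | Sort-Object Type | Format-Table -AutoSize -Wrap
```

The script only reports; once a host is confirmed infected, the exclusion can be reverted with Remove-MpPreference -ExclusionExtension 'exe' and the persistence value removed with Remove-ItemProperty on the flagged key, after the sample and the registry value have been preserved for analysis.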