There’s a new information stealer on the rise, and security researchers say that it is currently being distributed in malspam campaigns. In other words, the so-called META infostealer is delivered via malicious spam, as attachments to email messages. Since the infamous Raccoon infostealer is no longer a player, other infostealers are fighting to take its place.
META Infostealer: What Is Known So Far?
Cybersecurity researchers report that the malicious tool is being offered for $125 a month, or $1,000 for unlimited lifetime use. It is being promoted as an improved version of RedLine, an info-stealing malware family that emerged amidst the Covid-19 pandemic.
The new malspam campaign has been detected by security researcher Brad Duncan, who says that it is being actively used in attacks to steal passwords stored in Chrome, Edge, and Firefox browsers. The META infostealer is also interested in harvesting passwords for cryptocurrency wallets.
Since malicious spam usually relies on malicious macros in documents, this campaign is no exception. The malware uses macro-laced Excel documents sent as email attachments. Even though the current campaign is not exceptionally clever or written in a convincing manner, it can still be effective, as many users tend to miss the red flags and regularly open suspicious attachments.
To appear more convincing, the malicious Excel file uses a DocuSign lure to push the potential victim into enabling the content required to run the malicious macro. Once the script is initiated, it downloads various payloads, such as DLLs and executables, from multiple locations. Some of the downloaded files are encoded with base64 or have their bytes reversed. This is done to evade detection by security vendors.
The final payload uses qwveqwveqw.exe as a name, but researchers note that the name could be randomly generated. A new registry key is also added for persistence. Another capability of the META infostealer is modifying Windows Defender using PowerShell to exclude .exe files from scanning. This, too, is done to protect against detection.
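The base64 and reversed-byte encodings described above are cheap to undo during triage. The following Python helper is an added example, not code from the campaign or from the researchers cited here; it tries each decoding an analyst would attempt on a downloaded artifact and reports the first one that exposes a Windows executable ("MZ") header. The `SAMPLE_PE` blob is constructed for the demonstration and is not a real executable.

```python
import base64
import binascii

# Constructed sample: a stand-in for a downloaded payload. Real PE files start
# with the two-byte "MZ" DOS header; this blob is not a runnable executable.
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."

# Constructed variants mirroring the evasions described in the article:
# plain, byte-reversed, base64-encoded, and base64 over a reversed blob.
SAMPLES = {
    "raw": SAMPLE_PE,
    "reversed": SAMPLE_PE[::-1],
    "base64": base64.b64encode(SAMPLE_PE),
    "base64+reversed": base64.b64encode(SAMPLE_PE[::-1]),
}


def candidate_transforms(blob: bytes):
    """Yield (label, bytes) for each decoding to try, cheapest first.
    Hypothetical helper written for this example."""
    yield "raw", blob
    yield "reversed", blob[::-1]
    try:
        # validate=True rejects blobs that are not pure base64 alphabet.
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return
    yield "base64", decoded
    yield "base64+reversed", decoded[::-1]


def recover_executable(blob: bytes):
    """Return (label, payload) for the first transform that reveals an MZ
    header, or None if no tried decoding looks like a Windows executable."""
    for label, data in candidate_transforms(blob):
        if data[:2] == b"MZ":
            return label, data
    return None


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = recover_executable(blob)
        print(f"{name:16s} -> {result[0] if result else 'no PE found'}")
```

A decoded artifact should be handed to static analysis or a sandbox; the header check only tells you which layer of obfuscation was applied.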
Other Infostealers on the Loose, Too
CryptBot is another recent infostealer distributed with the help of pirated software websites that offer free downloads of cracked games and pro-grade software.
CryptBot has been described as “a typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system.” Stolen details are bundled into zip files and uploaded to the command-and-control server.
We advise our readers to be extra vigilant when downloading software from the web or opening unexpected email messages. As seen in the examples above, these are popular distribution channels for trojans and infostealers.