December 5, 2023

Researchers have identified a new campaign distributing the novel META malware in a scattered manner. META is an infostealer that can harvest passwords and other login data from browsers, as well as from cryptocurrency wallets.

The distribution campaign is nothing out of the ordinary, with threat actors opting for emails and macro-heavy Excel files. The emails are usually a notification about fund transfers, with details found on the link attached to the email.


The link leads to DocuSign, a well-known digital signature service provider, where users are invited to download the Excel file and urged to "enable content", which enables the malicious macros that tend to fool the victims.

The macro then downloads multiple payloads hosted on GitHub. The final payload, once assembled, is visible on the compromised endpoint under the name qwveqwveqw.exe. It also gets a registry key for persistence.

META has been found to modify Windows Defender via PowerShell to exclude .exe files from being scanned by antivirus software.
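Defenders can hunt for this exclusion behaviour in process-creation or PowerShell logs. The following is an added example, not code from the original article or the researchers: it parses command lines for `Add-MpPreference` / `Set-MpPreference` calls that exclude the `.exe` extension. The sample lines are constructed, and the shortest accepted abbreviation of `-ExclusionExtension` is an assumption noted in the code.

```python
import re

# Cmdlets that write Microsoft Defender preferences (Get-MpPreference only reads).
CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
PARAM = "exclusionextension"
# Assumption: "-ExclusionE" is the shortest prefix PowerShell accepts as unambiguous
# (the other exclusion parameters are ExclusionPath, ExclusionProcess, ExclusionIpAddress).
MIN_PREFIX = len("exclusione")

def excluded_extensions(command):
    """Return the set of file extensions a command line adds as Defender exclusions."""
    found = set()
    for hit in CMDLET.finditer(command):
        # Arguments run to the end of the statement or pipeline stage.
        args = re.split(r"[;|\n]", command[hit.end():], maxsplit=1)[0]
        # Break before each "-Name" so every chunk is one parameter plus its value.
        for chunk in re.split(r"\s+(?=-[A-Za-z])", args):
            m = re.match(r"-(\w+)[:\s]*(.*)", chunk.strip(), re.DOTALL)
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2)
            if len(name) < MIN_PREFIX or not PARAM.startswith(name):
                continue
            # Values may be quoted, comma-separated, or written as ".exe" / "*.exe".
            for item in re.split(r"[,\s]+", value):
                ext = item.strip("'\"*.@() ").lower()
                if ext:
                    found.add(ext)
    return found

def flag_exe_exclusions(lines):
    """Return the log lines that exclude .exe files from scanning."""
    return [ln for ln in lines if "exe" in excluded_extensions(ln)]

# Constructed sample command lines (not taken from the campaign).
SAMPLE = [
    "powershell -Command \"Add-MpPreference -ExclusionExtension 'exe'\"",
    'Set-MpPreference -ExclusionExt ".exe",".dll" -Force',
    "Add-MpPreference -ExclusionPath C:\\Temp",
    "Add-MpPreference -ExclusionExtension:tmp",
    "Get-MpPreference | Select-Object ExclusionExtension",
]

if __name__ == "__main__":
    for line in flag_exe_exclusions(SAMPLE):
        print("ALERT: .exe excluded from Defender scanning:", line)
```

Obfuscated or encoded PowerShell will not match this parser, so pair it with a check of the exclusions actually configured on the endpoint.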

META is one of a couple of new infostealers trying to fill the void after Raccoon Stealer disappeared. It's being sold online for a monthly subscription of $125. Those interested in unlimited, lifetime use will have to shell out $1,000. META is built upon Redline Stealer, another hugely popular infostealer.

Redline Stealer is often used to steal passwords stored in people’s browsers and is usually sold online for roughly $150 – $200. As email is the most popular distribution method, security experts are warning users to be extra careful when accepting attachments from emails or clicking on links.


Indicators of Compromise (IOCs)

