April 19, 2022

MetaStealer Malware

Industry: N/A | Level: Tactical | Source: ISC.SANS

New information-stealing malware, META, has been gaining popularity among cybercriminals. Research from SANS ISC and BleepingComputer reports that the malware is being distributed through malspam campaigns. Sample submissions to VirusTotal have been rising: since March 30th, 2022, at least 16 samples have been submitted. Web traffic from the malware was observed using GitHub and a transfer[.]sh URL to host the malicious binaries; after a reboot, the traffic tied to persistence used only transfer[.]sh. A listing for the malware on underground forums describes it as "an improved version of RedLine." Information targeted for theft includes credentials stored in browsers and cryptocurrency wallets.

  • Anvilogic Scenario: MetaStealer – Malspam Infection Chain
  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • Malicious Document Execution
    • Wscript/Cscript Execution
    • Git Repository Accessed
    • Executable File Written to Disk
    • New AutoRun Registry Key
    • Add DLL/EXE Registry Value
    • Suspicious File written to Disk
    • Command and Control Beaconing via WEB
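The use cases above only pay off when they are chained per host, so that a developer pulling from GitHub or a lone .exe dropped in a profile directory does not fire on its own. The Python below is an added example written for this page, not code from the ISC/SANS write-up or from Anvilogic, and it correlates four stages of the described chain (Office spawning wscript/cscript, contact with the GitHub or transfer[.]sh hosting seen in the traffic, an executable written to a user-writable path, and a Run-key value pointing at an EXE or DLL) over constructed telemetry. The event field names, the user-writable path patterns and the inclusion of raw.githubusercontent.com as a GitHub serving host are assumptions; the sample events are constructed and contain no real indicators.

```python
"""Correlate stages of a MetaStealer-style malspam chain over constructed endpoint events."""
import re
from collections import defaultdict

# Stage 1: Malicious Document Execution -> Wscript/Cscript Execution.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Stage 2: payload hosting named in the write-up (GitHub and transfer[.]sh).
# raw.githubusercontent.com is an assumption: raw GitHub files are served from there.
PAYLOAD_HOSTS = {"github.com", "raw.githubusercontent.com", "transfer.sh"}

# Stage 3: Executable File Written to Disk under a user-writable path (assumed patterns).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)

# Stage 4: New AutoRun Registry Key / Add DLL/EXE Registry Value.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.I)

# Constructed sample events; none of these values come from the original report.
SAMPLE_EVENTS = [
    # ws01: the full chain, in the order the bulletin describes it.
    {"host": "ws01", "type": "process", "parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\attach.vbs"},
    {"host": "ws01", "type": "network", "image": "wscript.exe", "dest": "transfer.sh"},
    {"host": "ws01", "type": "file", "image": "wscript.exe",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"},
    {"host": "ws01", "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "update", "data": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"},
    # ws02: a developer fetching code from GitHub and nothing else; one stage only.
    {"host": "ws02", "type": "network", "image": "git.exe", "dest": "github.com"},
]


def stage_of(event):
    """Return the infection-chain stage a single event matches, or None."""
    kind = event["type"]
    if kind == "process":
        if (event["image"].lower() in SCRIPT_HOSTS
                and event["parent"].lower() in OFFICE_PARENTS):
            return "script_from_office"
    elif kind == "network":
        if event["dest"].lower() in PAYLOAD_HOSTS:
            return "payload_host_contact"
    elif kind == "file":
        path = event["path"]
        if path.lower().endswith(".exe") and USER_WRITABLE.match(path):
            return "exe_written_user_dir"
    elif kind == "registry":
        if RUN_KEY.search(event["key"]) and event["data"].lower().endswith((".exe", ".dll")):
            return "autorun_value"
    return None


def stages_by_host(events):
    """Map each host to the sorted list of distinct stages observed on it."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}


def flagged_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct stages of the chain fired."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, stages)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The threshold of three stages is a tuning choice, not a rule from the report: the single GitHub contact on ws02 is left alone, while ws01 is flagged because the script execution, the hosting contact, the dropped executable and the Run-key value all land on the same host. In a real pipeline the same grouping would be bounded by a time window and keyed on process lineage rather than host name alone.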