Security researchers have identified a new, ongoing campaign which looks to distribute the novel META malware to as many endpoints as possible.
META is an infostealer malware, which can harvest passwords and other login data from browsers, as well as from cryptocurrency wallets.
The distribution campaign is nothing out of the ordinary, with threat actors opting for emails and macro-heavy Excel files. The emails are usually a “notification” about fund transfers, with “details” found on the link attached to the email.
The link leads to DocuSign, a well-known digital signature service provider, where users are invited to download the Excel file and urged to “enable content” which, instead, enables malicious macros.
The macro will then download multiple payloads, some being hosted on GitHub, as well. The final payload, once assembled, will be visible on the compromised endpoint under “qwveqwveqw.exe”. It will also have added a registry key, for persistence.
Another problem is that META will modify Windows Defender, via PowerShell, to exclude .exe files from being scanned by antivirus software so that particular line of defense is not effective against META.
According to BleepingComputer, META is one of a couple of new infostealers which are being sold on the dark web for a monthly subscription of $125. Those interested in unlimited, lifetime use, will have to shell out $1,000.
META is built upon RedLine Stealer, another hugely popular infostealer. RedLine Stealer is often used to steal passwords stored in people’s browsers, and is usually sold on the dark web for roughly $150 – $200.
Remember: Email is the most popular distribution method. Protect yourself, your team and your family by being extra careful when receiving emails with attachments. If you don’t know the person or are not expecting an email with an attachment – either simply delete the email without opening the attachment or by calling the sender to verify that they actually sent you the email. Keep in mind that the sender’s email may have been taken over by a cyber-criminal.
© Provided by TechRadar
