META malware is the new hottest infostealer in dark web marketplaces

April 19, 2022

The META malware spam campaign spreads an infostealer that is gaining traction among threat groups on the dark web. The now-prevalent infostealer is positioning itself to take over the market left behind by Raccoon Stealer, which recently shut down.

Based on reports, researchers first observed the malware last March; its developers offer the infostealer to any user at the low price of $125 per month.

Actors who want to use the malware permanently can instead pay a thousand dollars for a lifetime subscription. The developers also market their infostealer as an improved version of the well-known RedLine malware.

The researchers monitored a spam campaign in which an unknown threat actor deployed META to steal passwords stored in browsers such as Google Chrome, Microsoft Edge, and Firefox. The threat actors also used the malware to exfiltrate cryptocurrency wallets.

Experts claimed that META undermines Windows Defender by abusing a PowerShell command to add .exe files to the security solution's exclusion list, so that executables are no longer scanned.
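To put the Defender abuse described above on the detection side, here is an added example (not the article's or the malware's code): a Python check over constructed PowerShell script-block log text that flags Add-/Set-MpPreference calls adding exclusions, including ones hidden behind -EncodedCommand. The sample log lines and the regexes are my assumptions about what such events look like.

```python
"""Flag PowerShell script-block text that adds Windows Defender exclusions.

Added example, not code from the article: scans constructed PowerShell
ScriptBlockText values (Event ID 4104 style) for the Add-/Set-MpPreference
exclusion change the article attributes to META. It also decodes
-EncodedCommand payloads (base64 of UTF-16LE) and accepts the abbreviated
parameter names that PowerShell permits.
"""
import base64
import re

# Only Add-/Set-MpPreference change preferences; Get-/Remove- never add exclusions.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Any -Exclusion* parameter (Extension, Path, Process, ...), prefixes included.
EXCLUSION_PARAM_RE = re.compile(r"-Exclusion\w*", re.IGNORECASE)
# powershell.exe accepts -e / -ec / -enc / -EncodedCommand; the value is base64.
ENCODED_RE = re.compile(r"-(?:enc\w*|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def expand_encoded_commands(text: str) -> str:
    """Append the decoded form of every -EncodedCommand payload to the text."""
    decoded = []
    for m in ENCODED_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; ignore it
    return "\n".join([text, *decoded])


def adds_defender_exclusion(script_text: str) -> bool:
    """True if the script block (after decoding) adds a Defender exclusion."""
    text = expand_encoded_commands(script_text)
    return bool(CMDLET_RE.search(text) and EXCLUSION_PARAM_RE.search(text))


def scan_script_blocks(blocks):
    """Return the indices of the script blocks that should raise an alert."""
    return [i for i, block in enumerate(blocks) if adds_defender_exclusion(block)]


# Constructed sample ScriptBlockText values, not captured logs.
_ENCODED = base64.b64encode("Add-MpPreference -ExclusionExt exe".encode("utf-16-le")).decode("ascii")
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension",  # read-only
    "Add-MpPreference -ExclusionExtension 'exe'",  # .exe files no longer scanned
    "Set-MpPreference -ExclusionPath 'C:\\Users\\Public\\Downloads'",
    "powershell.exe -nop -w hidden -enc " + _ENCODED,  # same change, base64-hidden
    "Remove-MpPreference -ExclusionExtension 'exe'",  # cleanup, not an addition
]
```

Feed it the ScriptBlockText field of forwarded 4104 events; entries 1 to 3 of the constructed sample are flagged, the read-only query and the removal are not.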


The META malware used Excel spreadsheets as a vector for intrusions.


The infection chain in the current META malware spam attacks includes a standard method of a macro-laden Microsoft Excel spreadsheet sent to targeted inboxes as an email attachment.

The body of the emails presents fake fund transfer claims that are neither well-constructed nor convincing. Unfortunately, the lure is nevertheless working, as a sizeable number of victims has recently emerged.

The spreadsheets carry a DocuSign-themed lure instructing the target to enable the content required to run the malicious VBS macro. The macro then downloads several payloads, such as DLLs and executables, from multiple websites including GitHub.

The threat actors then launch the final payload on the device as qwveqwveqw[.]exe, which appears to be a randomly generated registry key.

Numerous threat groups have sought to fill the gap in dark web marketplaces by promoting their own malware variants since Raccoon Stealer left the cybercriminal scene. Users should always safeguard critical data and sensitive information with proper encryption and access controls.
