New Metastealer Malvertising Campaigns

MetaStealer is a popular piece of malware that came out in 2022, levering previous code base from RedLine. Stealers have become a very hot commodity in the criminal space, so much so that there is competition between various groups.

Threat actors have primarily used malspam as an infection vector to drop MetaStealer as well as cracked software via stolen YouTube accounts, but it was at least once previously seen in a malvertising campaign.

In the past week, we observed some malicious ads that weren’t dropping FakeBat or PikaBot, but rather a different payload that we recognized as MetaStealer. Interestingly, in early December, the malware authors behind MetaStealer gave an interview and announced that they were about to release a new and improved version of their tool.

Distribution

We captured two different ads for Notepad++ and AnyDesk via Google searches:

image 11

According to the Google Ads Transparency Center, one of the campaigns ran in November and December, during specific dates:

image 16

Two domains have been setup as both decoy and landing pages. If you were to browse to those sites directly, you would see content that looks like it was generated automatically. Note how the two pages have a similar template.

image 12

However, users that clicked on the ads and met the selection criteria will get a malicious landing page and a download link:

image 13

Payload

The November payload contained a shortcut launching PowerShell that used a hardcoded path to the Downloads folder (would fail if the file was extracted in another directory):

image 20

The December campaign got rid of the PowerShell and the malicious DLL was recompiled:

image 21

Based on network traffic activity alone, it appears that both payloads are still the MetaStealer from the 3.x branch:

image 22

For an in-depth look at MetaStealer, check out this article by Russian Panda.

Conclusion

The developers of MetaStealer are improving their product and we are likely to see more of their customers distributing it. Stealers can serve multiple purposes but tend to revolve around items that criminals can easily monetize. Crypto wallets are usually quite coveted, but so are credentials for various online services. And finally, stealers can also be used by initial access brokers, paving the path for ransomware actors.

We have reported the malicious ads to Google and have already blocked the infrastructure behind these campaigns.

ThreatDown, powered by Malwarebytes, detects this threat as Trojan.MetaStealer.Generic. The Endpoint Detection and Response (EDR) can also see the process activity tied to this attack:

c8b41aa3983fdf407ff07ded5e6cbac6720bdeda54716a888feccd07d6e617b8

Additionally, the newly released Incident Timeline feature can alert you of an active intrusion attempt which our Managed Detection and Response team can assist you with.

image 23

Indicators of Compromise

Malicious domains

rawnotepad[.]com
startworkremotely[.]com

Payload URLs

rawnotepad[.]com/notepad++.zip
startworkremotely[.]com/Anydesk.zip

Payload hashes

949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca
99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb
c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f

MetaStealer C2s

wgcuwcgociewewoo[.]xyz
ockimqekmwecocug[.]xyz
kiqewcsyeyaeusag[.]xyz
cewgwsyookogmmki[.]xyz
startworkremotely[.]com
csyeywqwyikqaiim[.]xyz
iqaeaoeueeqouweo[.]xyz
mmswgeewswyyywqk[.]xyz
accounts[.]google[.]com
iqwgwsigmigiqgoa[.]xyz

Original Source

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.