Windows MetaStealer Malware

Published: 2022-04-06
Last Updated: 2022-04-06 03:50:00 UTC
by Brad Duncan (Version: 1)

Introduction

  • Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal.
  • These malicious Excel files are distributed as email attachments.
  • Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.
  • This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.
  • The malware abuses legitimate services by Github and transfer.sh to host these data binaries.
  • All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.


Shown above:  Flow chart for the MetaStealer infection chain reviewed in today's diary.

Images from an infection


Shown above:  Screenshot from an email distributing the malicious Excel file.


Shown above:  Screenshot of the malicious Excel file.


Shown above:  Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.


Shown above:  Alerts from the infection in Security Onion using Suricata and the ETPRO ruleset.


Shown above:  UAC alert generated by malicious EXE during the infection.


Shown above:  Malicious EXE file generated during the infection.


Shown above:  Malicious EXE persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Traffic generated after enabling Excel macro:

  • hxxps://github[.]com/michel15P/1/raw/main/notice.zip
  • hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
  • Note: File returned from the above URL is a data binary and not a zip archive

Traffic generated by persistent EXE created from the above binary:

  • port 80 - transfer[.]sh - GET /get/qT523D/Wlniornez_Dablvtrq.bmp
  • port 443 - hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
  • 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /avast_update
  • 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /api/client/new
  • 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - POST /tasks/get_worker

Alerts on traffic to 193.106.191[.]162 over TCP port 1775:

  • ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
  • ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Associated malware and artifacts:

SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e

SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc

  • File size: 2,828 bytes
  • File name: open.vbs
  • File location: same directory as the above Excel file or the user's AppData/Local/Temp directory
  • File description: After enabling macro, this VBS file is used to create the persistent EXE
  • Note: I could not find this file on my infected lab host

SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5

  • File size: 417,512 bytes
  • File location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
  • File type: data
  • File description: data binary retrieved by open.vbs and used to create the persistent EXE (below)

SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d

  • File size: 367,001,600 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\notice.exe
  • File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe
  • File description: Malware EXE persistent on the infected Windows host
  • Note: This binary is appended with more than 366 MB of zero byte filler
  • Note: Persistent through "Shell" value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b

  • File size: 143,400 bytes
  • File description: Persistent malware EXE with most of the zero byte filler removed

SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b

  • File size: 716,288 bytes
  • File location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
  • File type: data
  • File description: Retrieved by persistent EXE, this binary is a Windows DLL file in reverse byte order

SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87

  • File size: 716,288 bytes
  • File description: Windows DLL file created by reversing the byte order of the above binary
  • File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • Run method: loaded/run by persistent EXE

SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89

  • File size: 2,182,488 bytes
  • File location: hxxp://193.106.191[.]162:1775/avast_update
  • File description: base64 text representing a Windows DLL file

SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738

  • File size: 1,636,864 bytes
  • File description: Windows DLL file converted from the above text
  • File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • Run method: unknown, loaded/run by persistent EXE or previous DLL loaded/run by persistent EXE
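The artifacts above arrive disguised in three ways: a DLL stored in reverse byte order, a DLL stored as base64 text, and an EXE padded with hundreds of megabytes of zero bytes. The helper below, an added example for analysts and not code from this diary or from Didier Stevens' tools, tries each of those transformations on a blob and reports which one yields a valid MZ/PE header; the sample header it runs against is constructed inline and is not real malware.

```python
import base64
import binascii
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def strip_zero_filler(data: bytes) -> bytes:
    """Drop trailing 0x00 padding, like the 366 MB filler appended to the persistent EXE."""
    return data.rstrip(b"\0")


def triage(blob: bytes):
    """Try the transformations seen in this infection chain, in order, and return
    (transformation_name, recovered_bytes) for the first one that produces a PE,
    or (None, None) if none does."""
    candidates = [
        ("as-is", lambda b: b),
        ("reversed byte order", lambda b: b[::-1]),
        ("base64 text", lambda b: base64.b64decode(b)),
    ]
    for name, transform in candidates:
        try:
            out = transform(blob)
        except (binascii.Error, ValueError):
            continue  # not valid base64, try the next transformation
        if looks_like_pe(out):
            return name, out
    return None, None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE file (header only, no code) used for offline testing."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    buf[0x44:] = b"\x41" * (0x80 - 0x44)      # non-zero body so reversal and rstrip are visible
    return bytes(buf)
```

Feed it the raw bytes of a suspect download (such as the notice.zip "data" file or the .bmp from transfer.sh) to learn which decoding step to apply before further analysis.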

Final words

Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the Github traffic.

Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30.  ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.

My thanks to Security Onion, Proofpoint's EmergingThreats team, and Didier Stevens' tools for reversing binaries. These three resources were a big help in my analysis for this diary.

A pcap of the infection traffic and the associated malware/artifacts can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
