Windows MetaStealer Malware
Introduction
- Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal.
- These malicious Excel files are distributed as email attachments.
- Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.
- This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.
- The malware abuses legitimate services by Github and transfer.sh to host these data binaries.
- All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.
Shown above: Flow chart for the MetaStealer infection chain reviewed in today's diary.
Images from an infection
Shown above: Screenshot from an email distributing the malicious Excel file.
Shown above: Screenshot of the malicious Excel file.
Shown above: Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.
Shown above: Alerts from the infection Security Onion using the Suricata and the ETPRO ruleset.
Shown above: UAC alert generated by malicious EXE during the infection.
Shown above: Malicious EXE file generated during the infection.
Shown above: Malicious EXE persistent on the infected Windows host.
Indicators of Compromise (IOCs)
Traffic generated after enabling Excel macro:
- hxxps://github[.]com/michel15P/1/raw/main/notice.zip
- hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
- Note: File returned from the above URL is a data binary and not a zip archive
Traffic generated by persistent EXE created from the above binary:
- port 80 - transfer[.]sh - GET /get/qT523D/Wlniornez_Dablvtrq.bmp
- port 443 - hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
- 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /avast_update
- 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /api/client/new
- 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - POST /tasks/get_worker
Alerts on traffic to 193.106.191[.]162 over TCP port 1775:
- ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
- ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363
Associated malware and artifacts:
SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e
- File size: 88,069 bytes
- File name: transfer_info2460.xls
- File description: Example of email attachment, an Excel file with macro for malware
- Sandbox analysis: https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca
SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc
- File size: 2,828 bytes
- File name: open.vbs
- File location: same directory as the above Excel file or the user's AppData/Local/Temp directory
- File description: After enabling macro, this VBS file is used to create the persistent EXE
- Note: I could not find this file on my infected lab host
SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5
- File size: 417,512 bytes
- File location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
- File type: data
- File description: data binary retrieved by open.vbs used to persistent EXE (below)
SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
- File size: 367,001,600 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\notice.exe
- File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe
- File description: Malware EXE persistent on the infected Windows host
- Note: This binary is appended with more than 366 MB of zero byte filler
- Note: Persistent through "Shell" value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b
- File size: 143,400 bytes
- File description: Persistent malware EXE with most of the zero byte filler removed
SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b
- File size: 716,288 bytes
- File location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
- File type: data
- File description: Retrieved by persistent EXE, this binary is a Windows DLL file in reverse byte order
SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87
- File size: 716,288 bytes
- File description: Windows DLL file created by reserving the above binary
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Run method: loaded/run by persistent EXE
SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89
- File size: 2,182,488 bytes
- File location: hxxp://193.106.191[.]162:1775/avast_update
- File description: base64 text representing a Windows DLL file
SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738
- File size: 1,636,864 bytes
- File description: Windows DLL file converted from the above text
- File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Run method: unknown, loaded/run by persistent EXE or previous DLL loaded/run by persistent EXE
Final words
Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the Github traffic.
Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30. ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.
My thanks to Security Onion, Proofpoint's EmergingThreats team, and Didier Stevens' tools for reversing binaries. These three resources were a big help in my analysis for this diary.
A pcap of the infection traffic and the associated malware/artifacts can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago