Detect META Information Stealer

A new info-stealer malware follows in the footsteps of Mars Stealer and BlackGuard. The malware is available for $125 per month or $1,000 for a lifetime subscription. On darknet markets, META Stealer is advertised as an upgrade of RedLine Stealer, which was first revealed in 2020.

META Information Stealer Detection

To protect your company infrastructure from possible META Stealer attacks, you can download a Sigma rule developed by our seasoned Threat Bounty developer Kaan Yeniyol, who never misses a trick.

Suspicious MetaStealer Malware (April 2022) Persistence by Detection of Registry Key (via registry_event).

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, Carbon Black, ArcSight, QRadar, Devo, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Open Distro, and Securonix. 

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Modify Registry as the main technique (T1112).

SOC Prime urges security professionals to unite against Russia-backed сyber-attacks that accompany military aggression against Ukraine. SOC Prime’s Quick Hunt module enables efficient web search through an extensive collection of threat hunting content associated with Russian aggression with the following tags #stopwar, #stoprussian, and #stoprussianagression. The dedicated threat hunting queries are available to search for the above-referenced threats for FREE via the link below:

Full collection of hunting content to detect Russia-originated threats

Eager to connect with the industry leaders and develop your own content? Join SOC Prime’s crowdsourcing initiative as a content contributor and share your own Sigma and YARA rules with the global cybersecurity community while building collaborative cyber defense worldwide.

View Detections Join Threat Bounty

META Information Stealer Analysis

A novel info-stealer malware strain was documented by security researcher and ISC Handler Brad Duncan in early April. META Stealer is gathering pace, winning popularity amongst hackers who are after users’ sensitive information. According to Duncan’s thorough research, adversaries deploy META information stealer to get hold of infected systems’ passwords stored in web browsers such as Firefox, Chrome, and Edge, as well as crack cryptocurrency wallets. The first stage of the kill chain is characterized by distributing a macro-laced Excel spreadsheet through phishing emails. The lure is built on the sham fund transfer, urging victims to open an infected email attachment. If all the required steps are followed, VBS macro is enabled in the background. Then follows the download of malicious payloads, including DLLs and executables from various trustworthy domains.

Even after the system reboots, the EXE file communicates with a command-and-control server at 193.106.191[.]162. The process signifies malware persistence, resuming the infection process on the compromised machine.

Security professionals should account for the fact that META information stealer modifies Windows Defender via PowerShell to exclude .exe files from scanning, thus avoiding detection. To efficiently stand up to stealthy malware, join forces with SOC Prime’s Detection as Code platform. The platform enables fast and efficient advancement of your threat detection capabilities, boosted by the power of global cybersecurity expertise. Looking for ways to contribute your own detection content and drive collaborative cyber defense? Join SOC Prime’s crowdsourcing initiative to share your Sigma and YARA rules with the community, contribute to a safer cyberspace, and receive recurring rewards for your content!

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts