Windows MetaStealer Malware

Published: 2022-04-06. Last Updated: 2024-05-07 05:42:36 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

  • Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal.
  • These malicious Excel files are distributed as email attachments.
  • Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.
  • This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.
  • The malware abuses legitimate services by Github and transfer.sh to host these data binaries.
  • All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.


Shown above:  Flow chart for the MetaStealer infection chain reviewed in today's diary.

Images from an infection


Shown above:  Screenshot from an email distributing the malicious Excel file.


Shown above:  Screenshot of the malicious Excel file.


Shown above:  Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.


Shown above:  Alerts from the infection Security Onion using the Suricata and the ETPRO ruleset.


Shown above:  UAC alert generated by malicious EXE during the infection.


Shown above:  Malicious EXE file generated during the infection.


Shown above:  Malicious EXE persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Traffic generated after enabling Excel macro:

  • hxxps://github[.]com/michel15P/1/raw/main/notice.zip
  • hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
  • Note: File returned from the above URL is a data binary and not a zip archive

Traffic generated by persistent EXE created from the above binary:

  • port 80 - transfer[.]sh - GET /get/qT523D/Wlniornez_Dablvtrq.bmp              
  • port 443 - hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp                                                  
  • 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /avast_update                                    
  • 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /api/client/new                                 
  • 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - POST /tasks/get_worker

Alerts on traffic to 193.106.191[.]162 over TCP port 1775:

  • ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
  • ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Associated malware and artifacts:

SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e

SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc

  • File size: 2,828 bytes
  • File name: open.vbs
  • File location: same directory as the above Excel file or the user's AppData/Local/Temp directory
  • File description: After enabling macro, this VBS file is used to create the persistent EXE
  • Note: I could not find this file on my infected lab host

SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5

  • File size: 417,512 bytes
  • File location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
  • File type: data
  • File description: data binary retrieved by open.vbs used to persistent EXE (below)

SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d

  • File size: 367,001,600 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\notice.exe
  • File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe
  • File description: Malware EXE persistent on the infected Windows host
  • Note: This binary is appended with more than 366 MB of zero byte filler
  • Note: Persistent through "Shell" value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b

  • File size: 143,400 bytes
  • File description: Persistent malware EXE with most of the zero byte filler removed

SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b

  • File size: 716,288 bytes
  • File location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
  • File type: data
  • File description: Retrieved by persistent EXE, this binary is a Windows DLL file in reverse byte order

SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87

  • File size: 716,288 bytes
  • File description: Windows DLL file created by reserving the above binary
  • File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • Run method: loaded/run by persistent EXE

SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89

  • File size: 2,182,488 bytes
  • File location: hxxp://193.106.191[.]162:1775/avast_update
  • File description: base64 text representing a Windows DLL file

SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738

  • File size: 1,636,864 bytes
  • File description: Windows DLL file converted from the above text
  • File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • Run method: unknown, loaded/run by persistent EXE or previous DLL loaded/run by persistent EXE

Final words

Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the Github traffic.

Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30.  ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.

My thanks to Security Onion, Proofpoint's EmergingThreats team, and Didier Stevens' tools for reversing binaries. These three resources were a big help in my analysis for this diary.

A pcap of the infection traffic and the associated malware/artifacts can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

0 comment(s)
ISC Stormcast For Wednesday, April 6th, 2022 https://isc.sans.edu/podcastdetail.html?id=7952

Comments


Diary Archives