Cyble Research and Intelligence Labs (CRIL) found a ZIP archive, downloaded from a URL that is likely distributed via spam emails, containing a shortcut (LNK) file masquerading as a PDF. When opened, the LNK launches a legitimate VPN executable that side-loads a hidden malicious DLL; the DLL drops an MSI installer and a CAB file carrying MetaStealer, which then contacts its C2 server to exfiltrate data. Hashtags: #MetaStealer #Cyble
Keypoints
- CRIL uncovered a ZIP delivered from a URL that appears to be disseminated via spam emails, containing a deceptive LNK file disguised as a PDF.
- Executing the LNK file runs a VPN application that relies on DLL sideloading to load a concealed malicious DLL, with both components hidden inside the ZIP.
- The loaded DLL drops an MSI installer, which downloads and presents a deceptive PDF lure to the victim.
- A CAB file containing the MetaStealer malware is dropped, establishes contact with its C2 server, and enables data exfiltration during post-infection activity.
- Previously, MetaStealer spread via malvertising campaigns that redirected victims to pages posing as download portals for AnyDesk or Notepad++.
- The campaign uses social engineering by leveraging a legitimate-looking asylum form (I-589) to entice victims and evade suspicion.
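As an added illustration of the delivery traits listed above (an LNK posing as a PDF, a hidden DLL sitting next to the executable that side-loads it), the following Python triage routine is not from the Cyble report; it inspects the members of a ZIP and is run here against a constructed stand-in archive whose file names are borrowed from the IoC section purely as labels.

```python
import io
import posixpath
import zipfile

# MS-DOS "hidden" attribute bit, kept in the low byte of ZipInfo.external_attr
DOS_HIDDEN = 0x02
# Every Windows shortcut starts with HeaderSize 0x4C followed by the LNK CLSID
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def triage_zip(data: bytes) -> dict:
    """Flag members that match the report's delivery pattern: LNK content under a
    PDF-looking name, hidden members, and EXE/DLL pairs in the same directory."""
    findings = {"lnk_as_pdf": [], "hidden": [], "sideload_pairs": []}
    by_dir = {}  # directory -> {"exe": [...], "dll": [...]}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            if info.external_attr & DOS_HIDDEN:
                findings["hidden"].append(name)
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Explorer never shows the .lnk suffix, so "form.pdf.lnk" renders as "form.pdf"
            if head == LNK_MAGIC and ".pdf" in lower:
                findings["lnk_as_pdf"].append(name)
            if lower.endswith((".exe", ".dll")):
                slot = by_dir.setdefault(posixpath.dirname(lower), {"exe": [], "dll": []})
                slot[lower[-3:]].append(name)
    # A DLL shipped beside an EXE is the precondition for side-loading
    for slot in by_dir.values():
        for exe in slot["exe"]:
            for dll in slot["dll"]:
                findings["sideload_pairs"].append((exe, dll))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive (not the real sample): the member names
    are labels only and the bodies are minimal headers plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("case2.09-cv-03795.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("vpn-client.exe", b"MZ" + b"\x00" * 62)
        hidden = zipfile.ZipInfo("libcrypto-1_1-x64.dll")
        hidden.external_attr = DOS_HIDDEN  # marked hidden, as in the report
        zf.writestr(hidden, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```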
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell. cmd.exe is used to run commands such as start and expand and to launch the malware executable. Quote: "cmd.exe is used to run commands such as start, expand, and run the malware executable."
- [T1059.001] Command and Scripting Interpreter: PowerShell. PowerShell is used to expand the archive, start cmd.exe, and add a Windows Defender exclusion. Quote: "PowerShell script used for expanding archive file, start cmd.exe, and add Windows Defender exclusion."
- [T1036] Masquerading. The LNK file is disguised as a PDF document. Quote: "LNK file masqueraded as a PDF document."
- [T1574.002] Hijack Execution Flow: DLL Side-Loading. The legitimate VPN executable is abused to load the malicious DLL. Quote: "Using the DLL sideloading method to load malware DLL."
- [T1562.001] Impair Defenses: Disable or Modify Tools. The malware executable is added to the Windows Defender exclusion list. Quote: "Add exe to Windows Defender exclusion."
- [T1071] Application Layer Protocol. The malware communicates with its C2 server over HTTP/HTTPS. Quote: "Malware exe communicate to C&C server."
Indicators of Compromise
- [URL] - Download link and C2 endpoints - hxxps://courtnation[.]shop/case2.09-cv-03795[.]zip, hxxp://ykqmwgsuummieaug[.]xyz:443/api/client_hello, hxxp://ykqmwgsuummieaug[.]xyz:443/tasks/get_worker, and hxxp://ykqmwgsuummieaug[.]xyz:443/tasks/collect
- [Domain] - C2 domain - ykqmwgsuummieaug[.]xyz
- [IP/Port] - C2 port - 443
- [File Hash] - case2.09-cv-03795.zip - MD5: 01b235b68ee7ef451a75ca5f9e6fa3ee; SHA1: 4ed11c9b0703df4bb316ea00c6407e47572e6315; SHA256: 1ed0b21cba44b2511d574d81bc328e7bd6f498c552ff0f0beaa7aad2d98e522d
- [File Hash] - hyper-v.exe (MetaStealer) - MD5: f72393ac04be06e2b9a5e9129a4f07cc; SHA1: 438747cac8e9a90c7e6dc42cfb085a4fe76a5107; SHA256: 6db9e55c7b05db03f3d8f49a942702bb23859cb680f3cd9405317e70cb2c6b40
- [File Hash] - windrv.msi - MD5: 991c062935d4d88b38d9a31829a96bed; SHA1: bf9953805a8be558e72ada27397bcddb4cee94bd; SHA256: 41ff09caf13b53792ac9aeec66f2264e36419eaccea7a7364312f0204dcc93a2
- [File Hash] - libcrypto-1_1-x64.dll - MD5: addafc2e5d5de4dd041971b5ac02c279; SHA1: 41abb5275eaa0f8ba03f6b20f6f9740e92fbe87e; SHA256: 5d754c467e27aa34a2a9d96c2fbb9c845396fa52248cc186b4a8d85b67c1a7f7
Read more: https://cyble.com/blog/threat-actors-target-us-asylum-seekers-with-metastealer-malware/