Windows MetaStealer Malware – SANS Internet Storm Center

The diary documents a MetaStealer infection chain delivered via malicious Excel attachments: after the user enables macros, a VBScript loader drops a Windows EXE and DLL and persists them. It also notes that the malware abuses legitimate services (GitHub and transfer.sh) to host the data binaries, and that its C2-style traffic triggers the ET Pro signatures. #MetaStealer #transfer.sh

Key points

  • At least 16 samples of malicious Excel files were submitted to VirusTotal starting 2022-03-30, indicating a recurring campaign.
  • Infection occurs via email attachments, with post-infection activity triggering Win32/MetaStealer Related Activity signatures (ETPRO).
  • The malware uses data binaries hosted on legitimate services (GitHub and transfer.sh) to build the persistent EXE and DLL components.
  • A VBScript (open.vbs) is used after macro enablement to create the persistent EXE, and UAC prompts illustrate privilege interactions during the infection.
  • Persistence is achieved through a Startup/Run mechanism (HKCU software keys) to survive reboots.
  • Observed IOCs include specific hashes, file names, and URLs, notably notice.zip binaries and the transfer.sh retrievals, plus network traffic to 193.106.191.162 on port 1775 and associated GET/POST requests.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial access via malicious Excel file distributed as email attachments. Quote: ‘These malicious Excel files are distributed as email attachments.’
  • [T1204.002] User Execution: Malicious File – User enables macro execution which triggers the malicious loading stage. Quote: ‘After enabling macro,…’
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript (open.vbs) used to create the persistent EXE. Quote: ‘open.vbs’ file is used to persistent EXE (described in the indicators).
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence via Run key in Winlogon path. Quote: ‘Persistent through … Winlogon’
  • [T1105] Ingress Tool Transfer – The malware downloads data binaries from GitHub/raw GitHub and retrieves binaries from transfer.sh. Quote: ‘Traffic generated by persistent EXE created from the above binary: port 80 – transfer[.]sh – GET /get/…’
  • [T1071.001] Web Protocols – HTTP-based C2 communications to transfer.sh and to the C2 host's /avast_update, /api/client/new and /tasks/get_worker paths. Quote: ‘GET /avast_update’ and ‘GET /api/client/new’ and ‘POST /tasks/get_worker’
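The T1105 and T1071.001 entries above give enough network detail (the C2 IP and port, the three C2 URI paths, the notice.zip location on GitHub and the transfer.sh retrievals) to match against proxy logs. The following is an added example, not code from the diary or from SANS ISC: it parses a constructed, simplified proxy log format (timestamp, source IP, destination IP, destination port, method, host, URI; a real proxy needs its own `parse_line`) and reports which lines hit a MetaStealer network indicator. The log lines and the TEST-NET addresses in them are constructed; only the indicators come from the summary.

```python
"""Match web-proxy log lines against the MetaStealer network indicators
quoted in the diary summary (C2 IP/port, C2 URI paths, staging downloads).

Constructed log format (one record per line, whitespace separated):
  <timestamp> <src_ip> <dst_ip> <dst_port> <METHOD> <host> <uri>
"""
import re
from typing import Optional

# Indicators from the diary summary.
C2_IP = "193.106.191.162"
C2_PORT = 1775
C2_URI_PATHS = {"/avast_update", "/api/client/new", "/tasks/get_worker"}
PAYLOAD_NAME = "notice.zip"
STAGING_REPO_PREFIX = "/michel15P/1/"          # GitHub repo path hosting notice.zip
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
TRANSFER_HOST = "transfer.sh"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into fields; None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return the reason a record matches an indicator, or None if it is clean."""
    path = rec["uri"].split("?", 1)[0]
    # Highest confidence: the C2 IP and port quoted in the diary.
    if rec["dst"] == C2_IP and rec["port"] == C2_PORT:
        return f"C2 endpoint {C2_IP}:{C2_PORT}"
    # Path-only match: lower confidence, since other software may use such paths.
    if path in C2_URI_PATHS:
        return f"MetaStealer C2 URI path {path}"
    # notice.zip fetched from the repo named in the diary.
    if rec["host"] in GITHUB_HOSTS and path.startswith(STAGING_REPO_PREFIX) and path.endswith(PAYLOAD_NAME):
        return "notice.zip staging download from GitHub"
    # transfer.sh is a legitimate service; a GET /get/ retrieval is worth review, not proof.
    if rec["host"] == TRANSFER_HOST and rec["method"] == "GET" and path.startswith("/get/"):
        return "transfer.sh retrieval (review downloaded content)"
    return None


def scan(lines) -> list[tuple[str, str, str]]:
    """Return (timestamp, source IP, reason) for every matching, well-formed line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append((rec["ts"], rec["src"], reason))
    return hits


# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real destination.
SAMPLE_LOG = [
    "2022-04-01T10:00:01Z 10.0.0.5 203.0.113.10 443 GET github.com /michel15P/1/raw/main/notice.zip",
    "2022-04-01T10:00:09Z 10.0.0.5 203.0.113.20 80 GET transfer.sh /get/abc123/Wlniornez_Dablvtrq.bmp",
    "2022-04-01T10:00:15Z 10.0.0.5 193.106.191.162 1775 GET 193.106.191.162 /avast_update",
    "2022-04-01T10:00:16Z 10.0.0.5 193.106.191.162 1775 POST 193.106.191.162 /tasks/get_worker",
    "2022-04-01T10:01:00Z 10.0.0.7 203.0.113.30 443 GET github.com /python/cpython/raw/main/README.rst",
    "2022-04-01T10:02:00Z 10.0.0.8 203.0.113.40 443 GET example.com /api/client/new",
    "this line is not a log record",
]

if __name__ == "__main__":
    for ts, src, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

Ordering in `classify` matters: the destination IP and port check runs first so that any request to the C2 host is reported at full confidence, while the path-only and transfer.sh checks are flagged with wording that tells the analyst they need a second look.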

Indicators of Compromise

  • [URL] – Notice.zip downloads from remote hosts; examples: hxxps://github[.]com/michel15P/1/raw/main/notice.zip, hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
  • [SHA256] Hashes – examples: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e, 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc
  • [File name] open.vbs – used to coordinate persistence; location: same directory as the Excel file or AppData/Local/Temp
  • [SHA256] Hash – 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5
  • [File] notice.exe – persistent malware EXE with zero-byte filler; location: AppData\Local\Temp and AppData\Roaming
  • [SHA256] Hash – f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
  • [File] DLLs and associated binaries retrieved from transfer.sh – example: Wlniornez_Dablvtrq.bmp (data) and a Windows DLL file created from it
  • [SHA256] Hash – cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89
  • [File] C:\Users\[username]\AppData\Local\Temp\notice.exe – persistent EXE; [File] C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe – persistent EXE
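The host indicators above (SHA256 values, dropped-file names, the two AppData folders, and the HKCU Run/Winlogon persistence) can be turned into a simple profile sweep. The following is an added example and not code from the diary or from SANS ISC: it hashes files under AppData\Local\Temp and AppData\Roaming against the listed SHA256 values, matches the dropped-file names, and flags autorun values that launch something from those folders. The registry reader uses the standard `winreg` module on Windows and returns nothing elsewhere; `run_demo` builds a constructed profile with a harmless stand-in file and constructed autorun values so the sweep can be exercised offline. The page does not pair every hash with one artifact, so the hashes are kept as one set.

```python
"""Host-side sweep for the MetaStealer indicators in the diary summary.

Checks three things on a user profile:
  1. files in AppData\\Local\\Temp and AppData\\Roaming whose SHA256 is on the IOC list,
  2. files there whose name matches a dropped-file name from the diary,
  3. autorun values (HKCU Run / Winlogon) that launch an executable out of those folders.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values listed in the diary summary (not paired with individual artifacts here).
IOC_SHA256 = {
    "981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e",
    "81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc",
    "8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5",
    "f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d",
    "cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89",
}
# Dropped-file names from the diary, compared case-insensitively.
IOC_NAMES = {"open.vbs", "notice.exe", "notice.zip", "qwveqwveqw.exe", "wlniornez_dablvtrq.bmp"}
# Profile folders where the diary saw the EXE and DLL land.
SUSPECT_DIRS = ("AppData/Local/Temp", "AppData/Roaming")
# HKCU autorun locations the diary points at (Run key and the Winlogon path).
HKCU_AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_profile(profile: Path) -> list[dict]:
    """Return one record per suspicious file found under the profile's suspect folders."""
    hits = []
    for rel in SUSPECT_DIRS:
        base = profile / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            reasons = []
            if path.name.lower() in IOC_NAMES:
                reasons.append("name matches diary IOC")
            if sha256_file(path) in IOC_SHA256:
                reasons.append("sha256 matches diary IOC")
            if reasons:
                hits.append({"path": str(path), "reasons": reasons})
    return hits


def check_autoruns(values: dict[str, str]) -> list[dict]:
    """Flag autorun values whose command launches something from AppData Temp/Roaming."""
    hits = []
    for name, command in values.items():
        cmd = command.lower().replace("/", "\\")
        if "\\appdata\\local\\temp\\" in cmd or "\\appdata\\roaming\\" in cmd:
            hits.append({"value": name, "command": command,
                         "reason": "launches from AppData Temp/Roaming"})
    return hits


def read_hkcu_autoruns() -> dict[str, str]:
    """Read the HKCU autorun values on a Windows host; empty dict on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    for sub in HKCU_AUTORUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    values[f"{sub}\\{name}"] = str(data)
                    index += 1
        except OSError:
            continue
    return values


def run_demo() -> tuple[list[dict], list[dict]]:
    """Sweep a constructed profile and constructed autorun values (no real malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        temp_dir = profile / "AppData/Local/Temp"
        temp_dir.mkdir(parents=True)
        (temp_dir / "notice.exe").write_bytes(b"MZ" + b"\x00" * 64)  # stand-in: matches by name only
        roaming = profile / "AppData/Roaming"
        roaming.mkdir(parents=True)
        (roaming / "settings.json").write_text("{}")                 # benign file, must not be flagged
        file_hits = sweep_profile(profile)
    autoruns = {  # constructed values in the shape winreg would return
        r"Winlogon\Userinit": r"C:\Windows\system32\userinit.exe,",
        r"Winlogon\Shell": r"explorer.exe,C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe",
        r"Run\OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    }
    return file_hits, check_autoruns(autoruns)


if __name__ == "__main__":
    files, autoruns = run_demo()
    print("file hits:", files)
    print("autorun hits:", autoruns)
    print("live HKCU autorun hits:", check_autoruns(read_hkcu_autoruns()))
```

On a live host, replace `run_demo` with `sweep_profile(Path.home())` and `check_autoruns(read_hkcu_autoruns())`; the autorun check deliberately flags any launch from the two folders rather than only the names in the diary, since the persistent EXE name varied between samples.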

Read more: https://isc.sans.edu/diary/rss/28522