Overview

MetaStealer is an information-stealer malware variant that was first observed being offered on underground marketplaces and has since been used in malspam campaigns. It has been advertised as an upgrade of the RedLine Stealer [2]. MetaStealer is sold on a subscription basis for USD 125 per month, or for USD 1,000 as a lifetime licence. This malware-as-a-service model allows threat actors who lack their own infrastructure or development capability to conduct credential-theft operations. Such a relatively affordable option is almost certainly attractive to criminal groups of all sizes, which makes MetaStealer a highly prevalent and emerging threat.

The first stage of the attack chain is the delivery of MetaStealer via malicious emails masquerading as messages about financial transactions. The emails carry an Excel attachment containing a VBS macro; once the target opens the document and allows the macro to run, the malware is downloaded and executed [3].

The malware persists across system reboots and, after a restart, re-establishes communication with its command-and-control (C2) server [4]. Security research has documented a number of infection techniques and behavioural characteristics associated with MetaStealer, including reliance on open-source libraries, Microsoft Defender bypass, scheduled-task persistence, password stealing, keylogging and hidden VNC server activity [5]. As with other information stealers, MetaStealer is designed to steal sensitive data such as login credentials, credit card details and security codes [6].
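As an added illustration, not taken from the Quorum Cyber report, the following Python script turns two of the behaviours described above, an Office document spawning a script host and scheduled-task persistence from a user-writable path, into detection heuristics and runs them over Sysmon-style process-creation events. The log lines, hostnames, PIDs, file paths and task names are constructed for the example and are not MetaStealer indicators; the rules are generic behavioural checks, not a signature for this malware family.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1) flattened to
# key=value form. These are made up for the example; they are not logs from a
# real MetaStealer infection and contain no real indicators.
SAMPLE_EVENTS = [
    'ts=2024-03-04T09:00:01 host=WS01 pid=4410 ppid=1200 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" cmdline="EXCEL.EXE C:\\Users\\alice\\Downloads\\Invoice_8841.xlsm"',
    'ts=2024-03-04T09:00:09 host=WS01 pid=5120 ppid=4410 image="C:\\Windows\\System32\\wscript.exe" cmdline="wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\inv.vbs"',
    'ts=2024-03-04T09:00:12 host=WS01 pid=5188 ppid=5120 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -w hidden -ep bypass -c Start-Process C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.exe"',
    'ts=2024-03-04T09:00:20 host=WS01 pid=5301 ppid=5188 image="C:\\Windows\\System32\\schtasks.exe" cmdline="schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.exe"',
    # Benign noise: a task created by an admin console from Program Files, and a normal Excel launch.
    'ts=2024-03-04T09:05:00 host=WS02 pid=7000 ppid=6900 image="C:\\Windows\\System32\\schtasks.exe" cmdline="schtasks.exe /create /sc daily /tn Backup /tr C:\\Program Files\\Backup\\run.exe"',
    'ts=2024-03-04T09:06:00 host=WS02 pid=7100 ppid=6900 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" cmdline="EXCEL.EXE C:\\Users\\bob\\Documents\\q1.xlsx"',
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Directories an unprivileged user can write to; persistence pointing here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# key=value pairs where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one flattened event line into a dict of fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def descends_from_office(event, by_key, max_depth=8):
    """Walk the parent chain (same host) and report whether an Office app is an ancestor."""
    seen = set()
    cur = event
    for _ in range(max_depth):
        parent = by_key.get((cur["host"], cur["ppid"]))
        if parent is None or (parent["host"], parent["pid"]) in seen:
            return False
        if basename(parent["image"]) in OFFICE_APPS:
            return True
        seen.add((parent["host"], parent["pid"]))
        cur = parent
    return False


def analyze(lines):
    """Apply the heuristics to a batch of events and return a list of findings."""
    events = [parse_event(line) for line in lines]
    # Keyed by (host, pid). PID reuse over a long window would need a process GUID
    # or start time as well; a short batch like this one is unambiguous.
    by_key = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_key.get((e["host"], e["ppid"]))
        # Rule 1: an Office application launching a script or shell host (macro execution).
        if parent and basename(parent["image"]) in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append({"rule": "office_spawns_script_host", "host": e["host"], "pid": e["pid"]})
        if name == "schtasks.exe" and "/create" in e["cmdline"].lower():
            # Rule 2: scheduled task whose action lives in a user-writable directory.
            if any(d in e["cmdline"].lower() for d in USER_WRITABLE):
                findings.append({"rule": "schtasks_persist_user_writable", "host": e["host"], "pid": e["pid"]})
            # Rule 3: the task creation descends from an Office process, tying
            # persistence back to the document that started the chain.
            if descends_from_office(e, by_key):
                findings.append({"rule": "office_macro_chain_to_schtasks", "host": e["host"], "pid": e["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Rule 3 is the one worth keeping in a production rule set: on its own, rule 1 fires on legitimate add-ins and rule 2 on software updaters, but a scheduled task created by a process tree rooted in Excel is rarely benign. Against real telemetry, key processes by the Sysmon ProcessGuid rather than PID to avoid PID-reuse collisions.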

Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ