The MetaStealer Malware: Cyberattack On US Asylum Seekers
According to CRIL, the execution flow of the attack involves the initiation of a VPN application using DLL sideloading.
Cyble Research and Intelligence Labs (CRIL) has identified an ongoing campaign targeting individuals seeking asylum in the United States through the use of MetaStealer malware.
This sophisticated attack involves the distribution of a malicious ZIP archive file, disguising itself as a PDF document, to potentially launch a cyberattack on US asylum seekers.
On January 11th, CRIL stumbled upon a ZIP archive file named “case2.09-cv-03795.zip” and traced it back to a suspicious URL (hxxps://courtnation[.]shop/case2.09-cv-03795[.]zip). The investigation raised concerns that this link might be disseminated through spam emails, adding an element of social engineering to the attack.
MetaStealer Malware and Cyberattack on US Asylum Seekers
Once the victim opens the ZIP file, a seemingly innocent PDF file named “case2.09-cv-03795.pdf” is revealed. However, this PDF is, in fact, a cleverly disguised shortcut LNK file, concealing the true nature of the threat. Upon opening the deceptive PDF, the LNK file executes a series of actions that lead to the deployment of the MetaStealer malware.
According to CRIL, the execution flow of the attack involves the initiation of a VPN application using DLL sideloading, effectively loading a concealed malicious DLL from within the ZIP archive. This DLL, in turn, drops an MSI installer that downloads a deceptive PDF lure, creating a façade of normalcy for the victim.
Simultaneously, a CAB file is dropped, housing the MetaStealer malware, which establishes a connection with the Command-and-Control (C&C) server for data exfiltration.
MetaStealer, categorized as an info-stealer malware, is unveiled as a potent threat capable of extracting sensitive information from compromised systems. This upgraded version, previously distributed through malvertising campaigns, exhibits continuous development, signaling potential future threats.
Technical Insights and Command-and-Control Communication
The technical intricacies of the attack involve PowerShell commands, DLL sideloading, and a series of file drops leading to the installation of MetaStealer. The malware employs various evasion techniques, including Defender Bypass, to manipulate Windows Defender settings and avoid detection.
After successful infiltration, MetaStealer establishes a connection with its C&C server at “ykqmwgsuummieaug[.]xyz” on port 443. The communication involves encryption of data over HTTP, employing the ‘cpp-httplib' library. The malware communicates with the C&C server through GET and POST requests, receiving tasks for execution and providing status updates on completed tasks.
The cyberattack strategically leverages social engineering tactics by presenting victims with a deceptive lure—an “I-589, Application for Asylum and Withholding of Removal” PDF document. This choice of content plays on the urgency and sensitivity of asylum-related matters, increasing the likelihood of individuals opening the malicious file without suspicion.
MetaStealer Features and Capabilities
MetaStealer, upon execution, employs the Defender Bypass technique, manipulating Windows Defender settings to evade detection. The malware gathers information about the compromised system, utilizing tools like “winver.exe” and “systeminfo.exe” to retrieve details such as the Windows version and system specifications.
Once MetaStealer completes its initial information gathering, it shifts its focus to the installed browser applications. The malware steals sensitive information, including autofill data, cookies, login data, and other pertinent details, exploiting potential vulnerabilities in the victim's online security.
The interaction between MetaStealer and its C&C server is a critical aspect of the attack. The malware encrypts the data during communication, ensuring a secure exchange with the server. The use of HTTP and the ‘cpp-httplib' library allows for discreet communication, minimizing the chances of detection.
The C&C server assigns tasks to the compromised system, ranging from collecting system information to executing commands. Despite encountering an HTTP 400 error code during the analysis, indicating potential disruptions, the attackers persist in their attempts to maintain control over the infected system.
Conclusion
The cyberattack targeting US asylum seekers utilizing the MetaStealer malware highlights the new and persistent tactics employed by threat actors. By leveraging deceptive tactics and exploiting the urgency and sensitivity of asylum-related content, attackers aim to compromise the security of individuals with a interest in immigrating to the United States. This report emphasizes the importance of heightened cybersecurity measures to thwart such sophisticated threats.
