Public scan of https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns (www.malwarebytes.com, 192.0.66.233)
Submission: On January 11 via api from DE, scanned from DE
Threat Intelligence

NEW METASTEALER MALVERTISING CAMPAIGNS

Posted: December 19, 2023 by Jérôme Segura

MetaStealer is a popular piece of malware that came out in 2022, leveraging the earlier RedLine code base. Stealers have become a very hot commodity in the criminal space, so much so that there is competition between the various groups. Threat actors have primarily used malspam as an infection vector to drop MetaStealer, as well as cracked software promoted via stolen YouTube accounts, but it had been seen at least once before in a malvertising campaign.
In the past week, we observed malicious ads that were not dropping FakeBat or PikaBot but a different payload, which we recognized as MetaStealer. Interestingly, in early December the malware authors behind MetaStealer gave an interview and announced that they were about to release a new and improved version of their tool.

DISTRIBUTION

We captured two different ads, one for Notepad++ and one for AnyDesk, via Google searches. According to the Google Ads Transparency Center, one of the campaigns ran in November and December on specific dates.

Two domains were set up to serve as both decoy and landing pages. Browsing to those sites directly shows content that looks automatically generated, and the two pages share a similar template. Users who clicked on the ads and met the selection criteria, however, were served a malicious landing page with a download link.

PAYLOAD

The November payload contained a shortcut that launched PowerShell using a hardcoded path to the Downloads folder, so it would fail if the archive was extracted anywhere else. The December campaign dropped the PowerShell stage and shipped a recompiled malicious DLL. Based on network traffic activity alone, both payloads still appear to be MetaStealer from the 3.x branch. For an in-depth look at MetaStealer, check out this article by Russian Panda.

CONCLUSION

The developers of MetaStealer are improving their product and we are likely to see more of their customers distributing it. Stealers can serve multiple purposes, but they tend to revolve around items that criminals can easily monetize: crypto wallets are usually quite coveted, but so are credentials for various online services. Finally, stealers can also be used by initial access brokers, paving the path for ransomware actors.

We have reported the malicious ads to Google and have already blocked the infrastructure behind these campaigns.
ThreatDown, powered by Malwarebytes, detects this threat as Trojan.MetaStealer.Generic. Endpoint Detection and Response (EDR) can also see the process activity tied to this attack, and the newly released Incident Timeline feature can alert you to an active intrusion attempt, which our Managed Detection and Response team can assist you with.

INDICATORS OF COMPROMISE

Malicious domains
rawnotepad[.]com
startworkremotely[.]com

Payload URLs
rawnotepad[.]com/notepad++.zip
startworkremotely[.]com/Anydesk.zip

Payload hashes (SHA-256)
949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca
99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb
c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f

MetaStealer C2s
wgcuwcgociewewoo[.]xyz
ockimqekmwecocug[.]xyz
kiqewcsyeyaeusag[.]xyz
cewgwsyookogmmki[.]xyz
startworkremotely[.]com
csyeywqwyikqaiim[.]xyz
iqaeaoeueeqouweo[.]xyz
mmswgeewswyyywqk[.]xyz
accounts[.]google[.]com
iqwgwsigmigiqgoa[.]xyz

Note that accounts[.]google[.]com appears in the C2 list as published. It is Google's legitimate account sign-in domain, so do not block it on the strength of this list; its presence here most likely reflects the stealer's own traffic to Google rather than attacker-controlled infrastructure.
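As an added example (not code from the post), the following Python refangs the indicators listed above into a blocklist, matches a constructed DNS log and a constructed list of observed file hashes against it, and handles the one caveat the list needs: accounts[.]google[.]com is a legitimate Google domain and is kept out of the blocklist by an allowlist. The DNS log lines, client addresses and observed hashes are constructed sample data; the domains and SHA-256 values are the ones published in the post.

```python
# Added example, not Malwarebytes code. Indicators below are copied from the post;
# the DNS log, client IPs and "observed" hashes are constructed sample data.

IOC_DOMAINS_DEFANGED = [
    "rawnotepad[.]com",
    "startworkremotely[.]com",
    "wgcuwcgociewewoo[.]xyz",
    "ockimqekmwecocug[.]xyz",
    "kiqewcsyeyaeusag[.]xyz",
    "cewgwsyookogmmki[.]xyz",
    "csyeywqwyikqaiim[.]xyz",
    "iqaeaoeueeqouweo[.]xyz",
    "mmswgeewswyyywqk[.]xyz",
    "accounts[.]google[.]com",  # in the post's C2 list, but a legitimate Google domain
    "iqwgwsigmigiqgoa[.]xyz",
]

PAYLOAD_SHA256 = {
    "949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca",
    "99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb",
    "c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f",
}

# Legitimate services that show up in stealer traffic and must never be blocked or
# sinkholed just because they appear in an IoC list.
ALLOWLIST = {"accounts.google.com", "google.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (rawnotepad[.]com, hxxp://...) back into a usable value."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp://", "http://")


def build_blocklist(defanged: list[str]) -> set[str]:
    return {d for d in map(refang, defanged) if d not in ALLOWLIST}


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """Exact or parent-domain match, so cdn.rawnotepad.com is caught as well."""
    labels = qname.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "com" can never match on its own.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


# Constructed DNS resolver log: timestamp, client, record type, query name.
DNS_LOG = """\
2023-12-18T09:41:02Z 10.10.4.23 A rawnotepad.com
2023-12-18T09:41:05Z 10.10.4.23 A accounts.google.com
2023-12-18T09:41:09Z 10.10.4.23 A wgcuwcgociewewoo.xyz
2023-12-18T09:42:11Z 10.10.4.23 A cdn.startworkremotely.com
2023-12-18T09:45:30Z 10.10.7.8 A www.malwarebytes.com
2023-12-18T09:46:00Z 10.10.7.8 A notepad-plus-plus.org
"""


def scan_dns_log(text: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query hits the blocklist."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _rtype, qname = fields
        if is_blocked(qname, blocklist):
            hits.append((client, qname))
    return hits


# Constructed "observed" hashes: one published payload hash in upper case, plus the
# SHA-256 of the empty string as a benign control value.
OBSERVED_HASHES = [
    "949C5AE4827A3B642132FAF73275FB01C26E9DCE151D6C5467D3014F208F77CA",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


def match_hashes(observed: list[str], known: set[str] = PAYLOAD_SHA256) -> list[str]:
    """Case-insensitive intersection of observed file hashes with the published ones."""
    return sorted({h.strip().lower() for h in observed} & known)


if __name__ == "__main__":
    blocklist = build_blocklist(IOC_DOMAINS_DEFANGED)
    for client, qname in scan_dns_log(DNS_LOG, blocklist):
        print(f"{client} resolved {qname}")
    for digest in match_hashes(OBSERVED_HASHES):
        print(f"known payload hash seen: {digest}")
```

The allowlist is applied when the blocklist is built rather than at match time, so an exported blocklist handed to a resolver or proxy never contains the Google domain in the first place; the parent-domain match on the remaining entries catches subdomains of the campaign hosts without ever matching a bare TLD.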
ABOUT THE AUTHOR

Jérôme Segura: a special interest for web threats.