A malspam campaign distributing the new META infostealer, which has no relation to the organization formerly known as Facebook, has been identified by several security researchers, including Brad Duncan at Unit 42. Infostealers are Remote Access Trojans (RATs) whose initial activity focuses on stealing credentials such as stored passwords, access tokens, cryptocurrency wallet information, credit cards, email data, and other data of interest to threat groups. A number of new infostealer malware options, including META, FFDroider, and Lightning Stealer, have recently entered dark web marketplaces after the formerly popular Raccoon Stealer reportedly shuttered operations due to the Ukraine-Russia war. META is currently offered to monthly subscribers for $125 and to lifetime subscribers for $1000. META currently achieves initial access by socially engineering email recipients into enabling a macro on a malicious Microsoft Excel document; the macro then attempts to evade detection by downloading obfuscated files from multiple sites, such as GitHub, before reassembling them into the RAT.
Maldocs, such as maliciously crafted Excel or other Office documents, remain a frequent avenue of attack for threat groups, especially those running malspam campaigns. Users should be reminded to exercise appropriate cybersecurity awareness, including reporting phishing attempts or unsolicited communications from untrusted parties. However, trusted parties can themselves be compromised, resulting in conversation-hijacking attempts in which email replies are sent from the accounts of unknowing victims in order to bypass recipient scrutiny. Organizations should enact policies that restrict macro use where possible, and carefully deploy appropriate scanning solutions. Binary Defense offers threat intelligence and threat hunting services that enable organizations to keep up with the ever-evolving threat landscape.
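One concrete piece of the "appropriate scanning" mentioned above is a mail-gateway or sandbox pre-filter that checks whether an inbound Office attachment carries a VBA project at all, so that macro-enabled documents can be quarantined or routed for review before a user is ever asked to "Enable Content". The script below is an added illustration for this article, not Binary Defense code and not a model of META's actual macro: it inspects zip-based OOXML files (.xlsm, .docm) for a `vbaProject.bin` part and macro-enabled content types, recognises legacy OLE containers (.xls, .doc) by their signature, and looks for a few auto-run and download/execute keywords. The sample workbooks, the `SUSPICIOUS_TOKENS` list and the `triage` verdicts are constructed assumptions for the example; real `vbaProject.bin` streams are MS-OVBA compressed, so the plain-text keyword check is only a heuristic and a tool such as olevba should be used to decompress and read actual macro source.

```python
"""Pre-filter Office attachments for embedded VBA macros.

Added example for the maldoc discussion; not the article's or Binary
Defense's code. Flags documents that contain a VBA project so a policy
restricting macros can be enforced before the file reaches a user.
"""
import io
import zipfile

# Compound File Binary (legacy .xls/.doc) signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Auto-execute entry points and download/execute primitives often seen in
# macro droppers. Hits are triage signals, not proof of malice (assumed list).
SUSPICIOUS_TOKENS = (b"Auto_Open", b"AutoOpen", b"Workbook_Open", b"Document_Open",
                     b"Shell", b"CreateObject", b"URLDownloadToFile", b"http")

# Content types that identify macro-enabled OOXML parts.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)


def scan_office_doc(data: bytes) -> dict:
    """Return container type, whether a VBA project is present, and keyword hits."""
    result = {"container": None, "has_vba": False, "tokens": [], "macro_content_types": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary container: stream names are stored as UTF-16LE in the
        # directory, so look for the _VBA_PROJECT stream name that way.
        result["container"] = "ole"
        result["has_vba"] = "_VBA_PROJECT".encode("utf-16-le") in data
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["container"] = "unknown"
        return result
    result["container"] = "ooxml"
    names = zf.namelist()
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    result["macro_content_types"] = [ct for ct in MACRO_CONTENT_TYPES if ct in ctypes]
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            result["has_vba"] = True
            blob = zf.read(name)
            # Heuristic only: real streams are MS-OVBA compressed.
            result["tokens"] = sorted({t.decode() for t in SUSPICIOUS_TOKENS if t in blob})
    return result


def triage(data: bytes) -> str:
    """Map scan results to a gateway action (assumed policy for the example)."""
    r = scan_office_doc(data)
    if r["has_vba"] and r["tokens"]:
        return "block"
    if r["has_vba"] or r["macro_content_types"] or r["container"] == "ole":
        return "review"
    return "allow"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML workbook for testing; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macro
                   else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
        overrides = [f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>']
        if with_macro:
            overrides.append('<Override PartName="/xl/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Plain-text stand-in for a compressed VBA stream (constructed).
            zf.writestr("xl/vbaProject.bin",
                        b"Sub Workbook_Open()\r\n  CreateObject(\"...\")\r\n"
                        b"  ' http://example.invalid/part1\r\nEnd Sub\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign.xlsx", build_sample(False)), ("macro.xlsm", build_sample(True))):
        print(label, triage(doc), scan_office_doc(doc))
```

The verdicts are deliberately conservative: any VBA project or legacy OLE file goes to "review" even without keyword hits, because a restrictive macro policy is only useful if the gateway refuses to let unexamined macro documents through by default.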