Meta Stealer has been around since 2022 and has been used very frequently by TAs in the stealer market. Somehow, and because of the C2 traffic similarities between Redline and Meta builds, the latter has been "forgotten" by malware analysts and hunters and lumped under the Redline name.
Recently, Threat Intelligence Researcher @AnFam17 published an amazing report on this stealer:
MetaStealer - Redline’s Doppelgänger (russianpanda.com)
So we finally can start digging into Meta stealer and its detection.
Meta should be considered malware from the same family as Redline; it actually has nothing to do with the outdated references in MetaStealer (Malware Family) (fraunhofer.de)
and the outdated rules ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
and ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363.
Here are some additional Redline (PID 2580) vs Meta (PID 2712) detonations:
Analysis test123.rar (MD5: C6375702EA8D3E9F14A97BE68240EE65) Malicious activity - Interactive analysis ANY.RUN
What are the ET community's thoughts on bringing back detection for Meta Stealer by updating the rules from 2022? Or, what seems more reasonable, adding some dual detection covering both Redline and Meta samples, plus anything additional to help identify Meta builds?
I say this because there are currently some Meta builds that don't trigger any rule other than ET INFO Microsoft net.tcp Connection Initialization Activity. For example:
Analysis https://cdn.discordapp.com/attachments/1175696087399546890/1175697604072443964/Installer.zip?ex=656c2cb8&is=6559b7b8&hm=a90808c4f39ddbcf46113c3b3464f9d3a65d98dd80bd8706bea3852333820753& Malicious activity - Interactive analysis ANY.RUN