Meta vs Redline Stealer

g0njxa · November 21, 2023, 11:51am

Meta Stealer has been around since 2022 and has been used very frequently by TA in the stealers market. Somehow and because of C2 traffic similarities on Redline and Meta builds, this second has been “forget” by malware analysts and hunters, under the Redline name.

Recently, Threat Intelligence Researcher @AnFam17 has made an amazing report on this stealer:
MetaStealer - Redline’s Doppelgänger (russianpanda.com)
So we finally can start digging into Meta stealer and its detection.

Meta should be considered a malware from the same family as Redline, that actually has nothing to do with the outdated references on MetaStealer (Malware Family) (fraunhofer.de)
and outdated ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Here is some additional Redline (PID 2580) vs Meta (PID 2712) detonations:
Analysis test123.rar (MD5: C6375702EA8D3E9F14A97BE68240EE65) Malicious activity - Interactive analysis ANY.RUN

What are the thoughts on ET community on bringing back detection to Meta Stealer updating the rules from 2022? Or what it seems more reasonable, to add some dual detection on both Redline and Meta samples but anything additional to help identifying Meta builds.

I say this because there’s currently some Meta builds that doesn’t have any rule detection, than a ET INFO Microsoft net.tcp Connection Initialization Activity. For example:
Analysis https://cdn.discordapp.com/attachments/1175696087399546890/1175697604072443964/Installer.zip?ex=656c2cb8&is=6559b7b8&hm=a90808c4f39ddbcf46113c3b3464f9d3a65d98dd80bd8706bea3852333820753& Malicious activity - Interactive analysis ANY.RUN

jtaylor · November 22, 2023, 7:56pm

Thank you for the heads up on this. We will have an additional signature out today specifcally for MetaStealer. I am still going through MetaStealer samples so more sigs may follow. Thank you again for the updates around these malwares!

JT

jtaylor · November 22, 2023, 9:15pm

2049282 - ET MALWARE MetaStealer Activity (Response)

Went out in todays release, we will be going through the redline sigs and updating to indicate metastealer where appropriate as well. Again, thank you for bringing this up!

JT

g0njxa · January 6, 2024, 5:56pm

Meta Stealer experienced an update at the first days of December, upgrading its version to v4.

Here’s the analysis provided by @Anfam17 aka RussianPanda

MetaStealer Part 2, Google Cookie Refresher Madness and Stealer Drama (russianpanda.com)

Since rules has been applied to the v3 version, this new variants are still detected as Redline but Meta is not contemplated in any way

Some recent example:
Analysis file.exe (MD5: 510B0F5662E6A9153FFE3FA6F1CC7B5C) Malicious activity - Interactive analysis ANY.RUN

Thank you

jtaylor · January 9, 2024, 3:10pm

Thanks! We will take a look and make any updates for todays release.

JT

Topic		Replies	Views
RedLine Stealer beacon Rule Signatures	1	307	January 6, 2023
Lumma Stealer Updates Rule Signatures	2	453	September 15, 2023
ObserverStealer Rule Signatures	5	500	June 23, 2023
PennyWise Stealer - Update on rules Rule Signatures	2	381	July 28, 2023
PureLogs Stealer Rule Signatures	12	666	December 28, 2023

Meta vs Redline Stealer

Related Topics