BleepingComputer reports that the novel META info-stealer malware is being spread in a new malspam campaign that seeks to exploit the recent exit of Raccoon Stealer.
Threat actors in the new campaign have been using META to exfiltrate passwords stored in browsers and cryptocurrency wallets, according to ISC Handler Brad Duncan. Duncan noted that the infection chain begins with emails carrying bogus fund-transfer claims and a macro-laced Excel spreadsheet as an attachment. The spreadsheet contains a DocuSign lure prompting recipients to "enable content", which triggers execution of the malicious VBS macro in the background. The script downloads payload components from GitHub and other sites, assembles the final payload named "qwveqwveqw.exe", and creates a new registry key to establish persistence. Even though the initial email is not convincing, many recipients could still be victimized by the scheme, said Duncan.
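Detection logic for the chain Duncan describes (an Office process spawning a script host, that script launching a dropped executable, and a Run-key entry pointing at it), as an added example that is not code from the report; the event records, their field names and the Run value name are constructed, Sysmon-style telemetry.

```python
"""Correlate constructed process-creation and registry events into the
Excel macro -> script -> dropped EXE -> Run-key persistence chain."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (rule, detail) findings. Later stages only fire once the
    earlier stage has been seen, so an isolated Run-key write is not flagged."""
    findings, dropped, macro_seen = [], set(), False
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                macro_seen = True
                findings.append(("office_spawns_script", f"{parent} -> {child}"))
            elif macro_seen and parent in SCRIPT_HOSTS and child.endswith(".exe"):
                dropped.add(child)  # candidate assembled payload
                findings.append(("script_launches_exe", child))
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = basename(ev["value_data"].strip('"'))
            if target in dropped:
                findings.append(("run_key_persistence_for_dropped_exe", target))
    return findings


# Constructed sample telemetry (field names are an assumption, not a real log format).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe", "command_line": "wscript.exe //B script.vbs"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Public\qwveqwveqw.exe", "command_line": "qwveqwveqw.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value_data": r"C:\Users\Public\qwveqwveqw.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect_chain(SAMPLE_EVENTS):
        print(rule, detail)
```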
This week, Dr. Doug raves about: 'The Orgy of the Walking Dead' or Elon is controlling my brain, Schoolyard Bully, Redigo, DuckLogs, DoD alphabet soup, Sirius XM, pixel tracking, TSA, single sign-on rants, and more on the Security Weekly News!
Many of the organizations targeted by the group are designated as critical infrastructure, with the agencies flagging the financial services, government, healthcare, manufacturing and information technology sectors as top targets.