New information stealers harvests saved passwords and screenshots

New Meta information stealer spreading via malspam, others targeted social media accounts

Cybercriminals more and more often use these information gathering threats in their campaigns

The infection that is capable of capturing screenshots, collecting files, and exfiltrating sensitive data recently rose to the top. These threats are more popular than ever among these cybercriminals who focus on gathering personal details for later scam campaigns or as a piece for sale on the dark web.^[1]

The new META malware^[2] that is another info-stealer was found distributed using malspam campaigns. Multiple reports show that this virus is actively used in attacks and focused on stealing passwords stored in Google Chrome, Microsoft Edge, Mozilla Firefox browsers, or cryptocurrency wallets.^[3]

The campaign is similar to other infection chains and is focused on the approach where a macro virus-filled Excel document is used as the file attached to emails. The malware arrives on the machine via the inbox, and the file is added to the spam message. These emails make various false claims that encourage people to open the email and load a file on the machine. This virus needs just that – interaction.

Emails carrying malicious Excel attachments

Various malware campaigns rely on the method of deploying malicious programs by spreading the payload as a malware-laced file. These emails that deliver malicious pieces have deceptive messages ad subject lines with fake claims and convincing text. People are encouraged to believe these emails with claims of fund transfer. Even though these messages are not particularly crafted or convincing, there are a lot of recipients that fall for such tricks.^[4]

The particular exposed campaign used the Excel spreadsheet with the feature DocuSign. The lure urges people to enable the content and run the malicious VBS macro in the background of the machine. The code triggers the download of a virus payload and other files like DLLs and executables.

These campaigns can include files causing registry entry alterations that ensure the persistence of the initial malware. This way, each reboot of the machine triggers the infection processes too on the compromised machines. META malware even modifies Windows Defender to avoid the detection of its malicious files.

FFDroider and Lighting stealer actively target users

Recently researchers discovered dangerous campaigns and issued warnings to users.^[5] The particular info-stealers can siphon data from the compromised machines or even launch additional attacks. Recently active FFDroider and Lighting Stealer viruses are designed to send stolen credentials and cookies from browsers to servers controlled by their creators.

This threat can be disguised like instant messaging machines like Telegram to hide their malicious purposes. The virus can collect sensitive information like keystrokes, files, passwords that are saved, and cookies from browsers. This data is transmitted and collected on remote attacker-controlled domains and servers. The distribution methods of these stealers also rely on malicious files and cracked versions of freeware.

These information stealers target various types of web browsers, and the most common user logins, and passwords are for Facebook, Instagram, Twitter, Amazon, eBay, as researchers state:

The stealer signs into victims' social media platforms using stolen cookies, and extracts account information like Facebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to steal personal information

The particular FFDrioder malware has downloader functions, so the piece can update itself and receive advanced changes to allow the stealer to expand as malicious actors want to. The access can be later abused to deploy more major malware. These stealers are more popular due to the stealthy infiltration methods and various possibilities after the infiltration.