In the constantly changing field of cybersecurity, new threats keep emerging, and individuals and organizations alike have to work to stay a step ahead of them. One threat that has received attention is MetaStealer.
MetaStealer is an information stealer (infostealer) aimed at macOS, and its combination of an unusual target platform and convincing social engineering has earned it a good deal of coverage. In this blog post we look at where MetaStealer comes from, how it works, and the measures you can take to protect yourself against it.
What is MetaStealer?
MetaStealer is malware built to steal sensitive data from the Mac it infects: saved passwords and keychain contents, documents and other files of value. Unlike ransomware, it does not lock you out of anything; it quietly copies what it wants and sends it to the attackers. What distinguishes it from the bulk of infostealers is not exotic technical trickery but its target platform and the care put into the lures that deliver it.
MetaStealer was first publicly documented in September 2023, when SentinelOne described a family of obfuscated Go infostealers aimed at macOS business users. It shares its name with an unrelated Windows stealer sold on underground forums since 2022, so reports about the two should not be mixed up. The developers have kept adjusting the malware to evade detection, which is part of what makes it dangerous.
It is written in the Go programming language, and what distinguishes MetaStealer from most other information stealers is that it specifically targets macOS users rather than a broad range of operating systems. The samples analyzed in the 2023 reporting were compiled for Intel x86_64 only, so on an Apple silicon Mac they run through Rosetta.
How does MetaStealer work?
To get a better understanding of the malware, let us take a closer look at how MetaStealer actually works.
MetaStealer usually enters a target system through social engineering rather than an exploit. The attackers pose as a prospective client or business contact and send the victim an archive or a disk image (.dmg) containing what looks like a design brief, a presentation or an Adobe file. When the user mounts the image and opens the application inside it, the malware runs with that user's privileges and begins its work without the victim noticing anything.
One of the dangerous things about MetaStealer is that it can operate unnoticed, but it does so through disguise rather than deep system tampering. The Go binaries have obfuscated function names, the bundles carry plausible business-related names and Adobe-style icons, and the archives are sometimes password-protected so that mail gateways cannot scan the contents. It does not install a rootkit or inject into other processes; it simply runs as an ordinary user-level application that the user was talked into launching.
Once running, MetaStealer collects a broad range of sensitive data: the login keychain, saved passwords, and files from the user's folders and from selected applications. The victim's own copies are left untouched, which is exactly why the theft is easy to miss: nothing stops working. The collected data is bundled up and sent to a remote command and control (C2) server controlled by the attackers.
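As an added example (not MetaStealer's code, not part of the original post and not Moxso's tooling), the following Python script performs the static triage a security team would do on an application extracted from a suspicious .dmg before anyone launches it: it parses the Mach-O header to tell a thin binary from a universal one, lists the CPU types, checks whether a code-signature load command is present, and looks for the strings the Go toolchain embeds in every binary it links. The Mach-O structures and Go markers are real; the sample binaries at the bottom are constructed in memory so the script runs offline, and the indicator list is a set of generic tells for a throwaway stealer binary, not a MetaStealer signature.

```python
"""Static triage of a Mach-O executable pulled from a suspicious disk image.
Added example: the samples are constructed in memory, no real malware is embedded.
"""
import struct
from dataclasses import dataclass, field

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian on disk
FAT_MAGIC = 0xCAFEBABE            # universal-binary wrapper, big-endian on disk
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D          # load command pointing at the signature blob
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
GO_MARKERS = (b"Go build ID:", b"\xff Go buildinf:")   # embedded by the Go linker


@dataclass
class Triage:
    kind: str                               # "thin", "fat" or "not-macho"
    archs: list = field(default_factory=list)
    signed: bool = False                    # every slice carries LC_CODE_SIGNATURE
    go_built: bool = False


def _parse_thin(blob: bytes, off: int) -> tuple[str, bool]:
    """Return (arch name, has LC_CODE_SIGNATURE) for the thin 64-bit Mach-O at off."""
    if off + 32 > len(blob):
        raise ValueError("truncated Mach-O header")
    magic, cputype, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", blob, off)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O at offset %d" % off)
    pos, signed = off + 32, False
    for _ in range(ncmds):                  # walk the load-command table
        if pos + 8 > len(blob):
            break
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmdsize < 8:                     # malformed; stop instead of looping on garbage
            break
        signed = signed or cmd == LC_CODE_SIGNATURE
        pos += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), signed


def triage(blob: bytes) -> Triage:
    if len(blob) < 32:
        return Triage("not-macho")
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        if nfat == 0 or nfat > 16:          # Java class files share CAFEBABE; their version field is >= 45
            return Triage("not-macho")
        result, flags = Triage("fat"), []
        for i in range(nfat):               # fat_arch entries: cputype, subtype, offset, size, align
            cputype, _sub, offset, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            arch, signed = _parse_thin(blob, offset)
            result.archs.append(arch)
            flags.append(signed)
        result.signed = all(flags)
    elif struct.unpack_from("<I", blob, 0)[0] == MH_MAGIC_64:
        result = Triage("thin")
        arch, result.signed = _parse_thin(blob, 0)
        result.archs.append(arch)
    else:
        return Triage("not-macho")
    result.go_built = any(marker in blob for marker in GO_MARKERS)
    return result


def indicators(t: Triage) -> list[str]:
    """Generic tells for a throwaway stealer binary; not a MetaStealer signature."""
    if t.kind == "not-macho":
        return ["not a Mach-O executable"]
    hits = []
    if not t.signed:
        hits.append("unsigned")
    if t.go_built:
        hits.append("go-built")
    if t.archs == ["x86_64"]:
        hits.append("intel-only")           # needs Rosetta on Apple silicon
    return hits


# --- constructed samples (assumption: minimal layouts, no real malware) ---
def build_macho(cputype: int, signed: bool = False, go: bool = False) -> bytes:
    """Smallest Mach-O that exercises the parser: one __TEXT segment, optional signature."""
    cmds = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__TEXT", 0, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x100)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 2 if signed else 1, len(cmds), 0, 0)
    tail = GO_MARKERS[1] + b"\x08\x02" + bytes(30) if go else bytes(32)
    return header + cmds + tail


def build_fat(slices: list) -> bytes:
    """Wrap thin Mach-Os in a universal-binary table (page alignment ignored)."""
    data_start = 8 + 20 * len(slices)
    table, payload = b"", b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        table += struct.pack(">5I", cputype, 0, data_start + len(payload), len(s), 0)
        payload += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + payload


if __name__ == "__main__":
    samples = {
        "lure-style stealer": build_macho(CPU_TYPE_X86_64, go=True),
        "signed universal app": build_fat([build_macho(CPU_TYPE_X86_64, signed=True),
                                           build_macho(CPU_TYPE_ARM64, signed=True)]),
        "random file": b"%PDF-1.7 not an executable" + bytes(32),
    }
    for name, blob in samples.items():
        t = triage(blob)
        print(f"{name:22} kind={t.kind:9} archs={t.archs} indicators={indicators(t)}")
```

On a real Mac the same questions are answered by codesign -dv and file on the extracted binary, but doing it in a parser means the file never has to be launched, and the script runs on an analyst's Linux box. Note that an unsigned, Go-built, Intel-only binary is only a reason to look closer; legitimate developer builds look the same, so the indicators are a triage aid rather than a verdict.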
MetaStealer’s main functions
MetaStealer's feature set is that of a stealer, not of a remote access trojan. The capabilities documented in the public analyses are:
- Credential theft: it reads the user's keychain and saved passwords, which are what give the attackers access to mail, cloud services and banking afterwards.
- File collection: it gathers documents and other files from the user's directories and from selected applications, so a victim's unpublished work or internal paperwork can leave the machine along with the credentials.
- Exfiltration: everything collected is packaged and sent to the attackers' command and control server, after which it can be sold or used directly.
Remote control, keylogging and reboot-surviving persistence are features of other malware families and were not described for the MetaStealer samples analyzed in 2023; a stealer only needs to run once to do its damage. That makes it no less dangerous: the data is gone the moment the upload completes, whether or not the binary is ever run again.
MetaStealer’s targets
MetaStealer can be used for many purposes, but as mentioned above it mainly targets macOS users, and specifically business users rather than consumers. The lures (design briefs, terms of reference, client presentations) point at people who routinely receive files from outside contacts, such as designers, agencies and freelancers. Corporate users are attractive because the credentials on their Macs open company mail, cloud storage and SaaS accounts, which is worth far more than one consumer's data.
In these attacks the infostealer posed as Adobe software or Adobe files, which made it less suspicious to the victims. It was distributed as a disk image (.dmg) with file names tailored to the target, such as the name of a client brief or a presentation the victim was expecting.
MetaStealer infections have been reported in several countries, so the attackers are clearly not limiting themselves geographically. Anyone who uses a Mac for work and receives files from outside the organization is a plausible target.
Mitigating the impact
Nobody wants this on their Macs, so below are some of the things you can do to mitigate the impact of the malware:
- Endpoint protection: run a current macOS endpoint security product on every Mac, not only on the Windows machines, and keep Gatekeeper and XProtect enabled. Gatekeeper warns about or blocks unsigned and non-notarized applications, which is exactly how MetaStealer was delivered; if users are in the habit of right-clicking and choosing Open to get past that warning, the warning is worthless.
- Awareness training: social engineering is still the primary way the MetaStealer operators get in. Train employees that a disk image or password-protected archive sent by a "client" is a red flag, that legitimate Adobe deliverables are documents (PDF, PSD and the like) and never an application to be launched, and that a file whose password arrives in the same e-mail is a classic way to get past mail scanning.
- Network segmentation: this limits lateral movement within your networks by isolating critical systems and sensitive data, and it makes it easier to spot a workstation that suddenly opens outbound connections to an unknown server.
- Patching systems: keeping macOS and applications up to date closes newly found vulnerabilities. MetaStealer did not need an exploit, but an unpatched Mac gives the next campaign more options.
One practical check: a Gatekeeper warning that an app is from an unidentified developer should end the matter for an end user. Security teams can assess an app from the command line with spctl --assess -v and codesign -dv, and should extract the binary for analysis instead of launching it.
The battle against MetaStealer continues
If we want to win against MetaStealer we need to work together across industries and organizations; a threat that relies on convincing impersonation is best countered by sharing the lures and indicators that are seen. Organizations should have incident response plans and proper exposure management, and those plans should be known and understood across the entire organization, including the step of resetting every credential stored on a compromised Mac.
It is in every organization's interest to hold the creators of MetaStealer accountable, but the problem with most cyberattacks is that the criminals can sit on the other side of the world and still carry out an attack at great profit for themselves.
MetaStealer is not a new kind of tool; it is the familiar infostealer pattern brought to macOS with unusually careful lures. It is built to be as inconspicuous as possible while collecting as much data as possible in a single run.
It targets business users across many industries, and as we have established, the credentials on their Macs open a lot of important and crucial information.
With a better understanding of how MetaStealer works, organizations can stand a fairer fight against the malware. Cybersecurity starts with the employees: the one step the malware cannot skip is persuading someone to open and launch the file, and that is exactly the step a trained employee can refuse.
Caroline Preisler
Caroline is a copywriter at Moxso alongside her studies. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding, and these elements are incorporated into the copywriting work she does at Moxso.