Key Insights

  • MetaStealer, a new malspam campaign, is available for a low price – which will lead to this malware becoming more common.
  • It appears as if the victims of this campaign are targeted at random.
  • The MetaStealer malware has only been reported using spam emails, but that could change in the future.

In early 2022, an information stealer known as MetaStealer has been gaining traction in dark markets. The MetaStealer malware is used in malspam campaigns that have been using phishing emails with a malicious excel attachments to deliver the malware through macros.

While the malware currently spreads through email, the fact that this malware is available to purchase, could mean we may see MetaStealer malware distributed through other means such as social media.

The MetaStealer Campaign

According to the NCCGroup, MetaStealer is a newly discovered variant of information stealers that followed the sudden, albeit short, suspension of Raccoon stealer’s operations in March of 2022.

Dark web intelligence analysts first identified the MetaStealer campaign on underground marketplaces. SANS Internet Storm Center (ISC) handler and security researcher Brad Duncan witnessed the new spam email campaign that actively used the malspam in attacks.

The MetaStealer malware is available on a deep web marketplace for $125 a month, or threat actors can purchase a lifetime license for a flat fee of $1000. It has also been distributed through emails disguised as financial transaction messages. The excel document attached to the email contains a macro, and once allowed, it will then download and run the malware.

You can find a detailed malware report authored by Sans here: Windows MetaStealer Malware - SANS Internet Storm Center.

Fake email used in campaigns (

Credential Targeting

This malspam campaign is reported as targeting user credentials stored for browsers such as Chrome, Firefox, and Edge. Additionally, this malware also targets credentials stored for various cryptocurrency wallets. 

So far, there have been no reports detailing any specific victim selection for this campaign. For now, it appears as if the victims of this campaign are random.

Threats To Social and Mobile Chat

The MetaStealer malware has only been reported using spam emails. Still, with the growing popularity of this malware, some actors looking for new delivery methods could attempt to spread it through social media messaging or mobile chat apps like Telegram and WhatsApp.

All this campaign needs realistically is a way to distribute the excel document, and most messaging applications allow for file transfers. Most messaging platforms don’t even do any file analysis or sandboxing on distributed files, so actors could have an easier time distributing their malware without the threat of detection.

Defending Against the MetaStealer Malware

To defend against this type of malware campaign, it is vital to practice proper guidelines to identify and report such attacks. Here are some of the best security measures on how to prevent hackers from stealing information:

  • Educate staff and executives on social engineering detection and security – Train personnel to recognize social engineering attack patterns and how to respond to them. Free courses, online seminars, and even social engineering articles provide a significant first step.
  • Enable more intelligent password protection – Multi-factor authentication (MFA) is proven to block 99.9% of automated attacks and thwart second-stage phishing attacks.
  • Monitor network inbound and outbound traffic – With the help of cybersecurity tools, monitor suspicious domains, user activity, and massive movements of sensitive data. An employee might have clicked on a phishing link without knowing.
  • Constantly update your security software – Late updates, missing patches, and gaps in your security software (like firewalls) can lead to vulnerabilities that hackers can exploit.
  • Deploy a cloud-based cybersecurity solution with NLU – Natural language understanding (NLU) can identify complex patterns, even in language-based social engineering attacks. Deploy solutions that leverage these machine learning capabilities to detect, flag, and quarantine emails that carry these triggers.

More information and guidelines can be found on SafeGuard Cyber’s Identify and Prevent Social Engineering Attacks blog. 

Additionally, for Safeguard Cyber customers, be sure to turn on the malicious detection policy in the SafeGuard Cyber platform. We have tested the detection of this malware campaign through Slack and confirmed that the platform does alert to incidents with this file.

Excel document detected in Slack

Learn how to prevent hackers from stealing information from your company with smart, intuitive cybersecurity. Talk to our experts and schedule a demo if you want to see more of SafeGuard Cyber in action.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product