
Meh Malware

Posted: November 20, 2020

The Meh Malware is a newly discovered project that is actively being used against targets in Spain and Argentina. Its authors appear to rely on corrupted torrents as the primary method of propagating the implant. Users who fall victim to the Meh Malware may be in a lot of trouble, because the project is quite diverse in terms of functionality. While its primary purpose is to log keystrokes and collect information, it also packs a Remote Access Trojan (RAT) module that could give its operators full remote access to the compromised system.

The Meh Malware Boasts Impressive Evasive Capabilities

The Meh Malware likely took a long time to develop, judging by the persistence and anti-sandbox/anti-AV measures its creators have implemented. Before the payload runs at all, it launches a snippet of code designed to detect common anti-virus products, virtualization software and tools used for malware analysis. The latter category includes network traffic monitoring software such as Wireshark, as well as various registry and process exploring applications.

After this, the malware proceeds to launch its rich array of modules, which serve the following purposes:

  • Actively checking for traces of anti-virus software activity or malware analysis tools.
  • Launching a coin miner that uses the computer's CPU to mine for Monero.
  • Downloading and executing a torrent from a pre-defined link.
  • Monitoring the clipboard and collecting information from it.
  • Logging keystrokes.
  • Collecting files used by cryptocurrency wallets for authentication purposes – Bitcoin, Electrum, Electrum-LTC, Litecoin, Jaxx, Exodus and ElectronCash.
  • Initializing an ad-fraud campaign, which uses the default system browser to perform ad-clicks in the background. This module also looks for ad-blocking software and disables it.
  • Carrying a RAT module that is currently inactive.
</gre_replace>
<gr_replace lines="24" cat="clarify" orig="The most threatening part">
The most threatening part of the Meh Malware is undoubtedly the inactive Remote Access Trojan (RAT) module. While this feature has not been used yet, malware researchers were able to recover some of the commands that this threat supports. They would allow the attackers to perform tasks such as:

The most threatening part of the Meh Malware is undoubtedly the inactive Remote Access Trojan (RAT) module. However, while this feature has not been used yet, malware researchers were able to recover some of the commands, which this threat supports. Its abilities allow the attackers to execute tasks such as:

  • Collecting passwords from Google Chrome, Internet Explorer and Mozilla Firefox.
  • Collecting credentials from email clients.
  • Collecting credentials and data from the FileZilla FTP client.
  • Searching for and collecting files with a specific name.
  • Searching for specific directories.
  • Shutting down or restarting the computer.
  • Starting a new process.
  • Managing the cryptocurrency miner.
  • Creating files with content supplied by the attacker.
  • Executing remote commands.
  • Collecting Discord tokens.

The Meh Malware is by no means a simple credential collector, and its creators appear to be building a fully-fledged corrupted implant that packs all kinds of threatening modules. Regardless of how advanced the Meh Malware may be, users are sure to be safe from it if they rely on an anti-virus software suite to keep their system protected.
