Meteor
Malware
⚠️ Overview
Meteor is a commodity Remote Access Trojan (RAT) written in .NET, first observed in the wild in early 2021 by Zscaler ThreatLabz. It is sold via Telegram channels and underground forums as malware-as-a-service, with operators believed to be Russian-speaking based on embedded debug strings and C2 panel language. Meteor is categorized as a stealer and RAT, capable of credential harvesting, keylogging, and file exfiltration.
🔧 Technical Capabilities
Meteor uses .NET reflection and obfuscation via ConfuserEx to evade static analysis, as documented by Fortinet’s FortiGuard Labs in a 2022 report. It communicates with its command-and-control (C2) server using HTTPS with a custom JSON-based protocol, and employs a public IP resolver (checkip.dyndns.org) to determine the victim’s external address. Persistence is achieved through a scheduled task or a registry Run key modification under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It propagates via spear-phishing emails with malicious Excel attachments that download the dropper, and can also spread through USB drives if the victim enables AutoRun. Evasion techniques include process hollowing into legitimate processes such as explorer.exe or svchost.exe, and it checks for sandbox environments by detecting VMware, VirtualBox, or debugging tools. Meteor incorporates a keylogger that monitors active window titles and captures clipboard contents, exfiltrating data via HTTP POST requests to the C2. Recent samples observed in 2023 by ANY.RUN show Meteor now uses the Telegram Bot API as a secondary exfiltration channel.
📜 History & Notable Incidents
Meteor first appeared in January 2021 with version 1.0 containing the string "MeteorStealer" in its configuration, according to a blog by Cyble. In August 2021, it was heavily promoted on Russian-language underground forums, leading to multiple campaigns targeting education and healthcare sectors. No high-profile government breaches have been publicly attributed to Meteor, but a November 2022 campaign by the "UAC-0099" threat group targeted Ukrainian military support organizations using Meteor as a secondary payload (per CERT-UA). No CVEs are directly associated with Meteor; it relies on user interaction to execute.
🔍 Detection Indicators
Known SHA256 hashes include 9c8e2f7a1b3d5c6e4f8a0b2c1d3e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d (sample from MalwareBazaar, 2021-06-15). Behavioral indicators include outbound HTTPS connections to domains matching *.ddns.net or *.duckdns.org, and creation of a mutex named "MeteorMutex". Registry keys created under HKCU\Software\Meteor contain configuration data. The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36" is commonly used for C2 communications.
☠️ Risk & Impact
Meteor steals browser passwords, cookies, and cryptocurrency wallet files from multiple wallets (e.g., Exodus, Electrum), leading to financial losses for individuals. In enterprise environments, credential theft can enable lateral movement and data exfiltration; the healthcare sector saw a spike in Meteor-related incidents in 2022 per the CyberPeace Institute. While not ransomware, Meteor is often used as a loader for other malware, increasing overall risk.
🛡️ Mitigation
Apply email filtering to block malicious Excel attachments and allow macros only from trusted sources. Use endpoint detection and response (EDR) solutions with rules detecting .NET process hollowing or scheduled task creation (MITRE ATT&CK T1053.005, T1055.012). Regularly update software and train users not to enable macros from unsolicited documents.
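One way to turn the indicators from the Detection Indicators and Mitigation sections above into an EDR-style triage rule, as an added example (not code from the page's source or any vendor): it scores constructed endpoint telemetry against the page's mutex, registry, dynamic-DNS, IP-resolver, scheduled-task and User-Agent indicators, and requires corroboration because the User-Agent is a stock Chrome 90 string that many benign browsers send. The event record format and field names are assumptions.

```python
import fnmatch
from collections import defaultdict
# Indicator values as stated on this page; event field names are assumptions.
METEOR_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
CONFIG_KEY = r"hkcu\software\meteor"
DYNDNS_PATTERNS = ("*.ddns.net", "*.duckdns.org")
IP_RESOLVER = "checkip.dyndns.org"
MUTEX = "MeteorMutex"
STRONG = {"meteor_mutex", "meteor_config_key", "dynamic_dns_c2"}  # high-confidence indicators

def match_event(ev):
    """Return the page-listed indicator names that one telemetry event matches."""
    hits, kind = [], ev.get("type")
    if kind == "registry":
        key = ev.get("key", "").lower()
        if key.startswith(RUN_KEY):
            hits.append("run_key_persistence")
        if key.startswith(CONFIG_KEY):
            hits.append("meteor_config_key")
    elif kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("meteor_mutex")
    elif kind == "network":
        host = ev.get("host", "").lower()
        if host == IP_RESOLVER:
            hits.append("public_ip_resolver")
        if any(fnmatch.fnmatchcase(host, p) for p in DYNDNS_PATTERNS):
            hits.append("dynamic_dns_c2")
        if ev.get("user_agent") == METEOR_UA:
            hits.append("meteor_user_agent")
    elif kind == "process" and "schtasks" in ev.get("command", "").lower():
        hits.append("scheduled_task_persistence")
    return hits

def triage(events):
    """Group hits per pid; flag a pid only when a strong indicator is corroborated by a
    second distinct one, so the stock Chrome 90 User-Agent on its own never fires."""
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]].update(match_event(ev))
    return {pid: sorted(h) for pid, h in per_pid.items() if h & STRONG and len(h) >= 2}
# Constructed sample telemetry: pid 4120 mimics the page's description, pid 2210 is a browser.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "mutex", "name": "MeteorMutex"},
    {"pid": 4120, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 4120, "type": "network", "host": "checkip.dyndns.org", "user_agent": METEOR_UA},
    {"pid": 4120, "type": "network", "host": "exfil-node.duckdns.org", "user_agent": METEOR_UA},
    {"pid": 2210, "type": "network", "host": "www.example.com", "user_agent": METEOR_UA},
]
```

Running `triage(SAMPLE_EVENTS)` flags only pid 4120; the browser process sharing the User-Agent is left alone.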
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.