Meterpreter

Malware Profile Updated 25 days ago
Meterpreter is a malicious software (malware) variant of the legitimate Metasploit penetration testing tool. It was created by Advanced Persistent Threat (APT) actors and has been used to exploit and compromise systems, notably the ServiceDesk system, where it was listed as wkHPd.exe. The malware operates as an interactive shell that lets threat actors control a compromised system and execute code on it. Once installed, Meterpreter runs in memory, allowing the threat actor to control not only the infected system but potentially the internal network of an organization. The misuse of Meterpreter mirrors the misuse of Beacon in Cobalt Strike, another prominent cybersecurity tool.

After installing other tools such as PrintSpoofer, threat actors install the Meterpreter Stager, one of the two types of the module. With this setup, actors have two main methods for spreading malware once they have gained access to systems such as Redis: they can fetch various Metasploit modules, or working exploits for known bugs, and use them on the targeted system. Attackers have been found abusing an 8-year-old version of the Redis open-source database server to misuse Metasploit's Meterpreter module, exposing the system to exploits and potentially allowing full system takeover and distribution of other malware. This exploitation likely results from inappropriate settings or vulnerabilities present in Redis deployments. In some cases, seemingly legitimate installers also delivered a malicious Python payload that launched Meterpreter remote shells and Cobalt Strike beacons. Screenshots revealed Meterpreter shells accessing specific infrastructures, suggesting a widespread potential for system compromise.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Meterpreter Stager | 3 | The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di
wkhpd.exe | 2 | wkhpd.exe is a malicious software (malware) that was created and used by Advanced Persistent Threat (APT) actors. This malware is a variant of Metasploit's Meterpreter, which was specifically designed to exploit the ServiceDesk system. The creation and use of this malware were first identified on Fe
Tinymet | 2 | TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your sy
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Exploit
Rat
Vulnerability
Beacon
Trojan
Downloader
Cobalt Strike
Backdoor
Ransomware
Proxy
Lateral Move...
Android
Phishing
Apt
t1587.001
Implant
Windows
Associated Malware
ID | Type | Votes | Profile Description
Bumblebee | Unspecified | 2 | Bumblebee is a malicious software (malware) that was first identified in March 2022 and has been utilized by various cybercriminal groups as an initial access loader to deliver different payloads, including infostealers, banking Trojans, and post-compromise tools. The malware infects systems through
PlugX | Unspecified | 2 | PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
Cobalt Strike Beacon | Unspecified | 2 | Cobalt Strike Beacon is a type of malware, malicious software designed to exploit and damage computer systems. It has recently been linked to ransomware activity, being loaded by HUI Loader under various names such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version under vm.cfg. This malware
Clop | Unspecified | 2 | Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Meterpreter malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Unit42 | a year ago | Android Malware Impersonates ChatGPT-Themed Applications
Recorded Future | a year ago | 2022 Adversary Infrastructure Report
CISA | 9 months ago | MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA
DARKReading | 2 months ago | Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously
Count Upon Security | a year ago | Offensive Tools and Techniques
CERT-EU | a year ago | Full Disclosure: Unquoted Path - XAMPP 8.2.4
CERT-EU | 10 months ago | OffSec’s Exploit Database Archive
MITRE | a year ago | TA505 Continues to Infect Networks With SDBbot RAT
CERT-EU | a year ago | Buhti: New Ransomware Operation Relies on Repurposed Payloads
CERT-EU | a year ago | ManageEngine ADAudit Plus Remote Code Execution - KizzMyAnthia.com
CERT-EU | a year ago | SafeBreach Coverage for US-CERT Alert (AA23-158A) – CVE-2023-3462 MOVEit Vulnerability
CERT-EU | a year ago | Getting Offensive with Golang
CERT-EU | a year ago | PhoneSploit-Pro - An All-In-One Hacking Tool To Remotely Exploit Android Devices Using ADB And Metasploit-Framework To Get A Meterpreter Session
MITRE | a year ago | Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
CERT-EU | 5 months ago | Remote Command Injection Vulnerability For Sale On Dark Web
MITRE | a year ago | Shedding Skin - Turla’s Fresh Faces | Securelist
MITRE | a year ago | ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
CISA | 9 months ago | Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA
CERT-EU | 9 months ago | Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 – Cybersafe NV