Meterpreter

Malware updated 3 days ago (2024-11-21T11:31:33.958Z)

Download STIX

Preview STIX

Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, Meterpreter has been likened to Beacon in the Cobalt Strike toolset due to its ability to act as a malicious backdoor. Advanced Persistent Threat (APT) actors have recently been observed creating and using a variant of Meterpreter on the ServiceDesk system, identified as wkHPd.exe. This specific use of Meterpreter allows the threat actors to dominate the internal network of an organization, leveraging various features offered by the malware. When an exploit is successfully executed on a victim system, these actors launch the Meterpreter payload to initiate communication with their actor-controlled systems, typically using a reverse Transmission Control Protocol (TCP) connection. The exploitation of Meterpreter has been linked to Unit 29155 cyber actors and other threat actors who are known to employ similar attack methods after gaining access to systems like Redis. Researchers from AhnLab Security Intelligence Center (ASEC) suggested that attackers may be exploiting inappropriate settings or vulnerabilities present in an implementation of Redis to distribute Meterpreter for nefarious use. These findings underscore the critical need for robust cybersecurity measures to protect against such sophisticated threats.

Description last updated: 2024-11-21T10:46:00.770Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Meterpreter Stager is a possible alias for Meterpreter. The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di	3
wkhpd.exe is a possible alias for Meterpreter. wkhpd.exe is a malicious software (malware) that was created and used by Advanced Persistent Threat (APT) actors. This malware is a variant of Metasploit's Meterpreter, which was specifically designed to exploit the ServiceDesk system. The creation and use of this malware were first identified on Fe	2
Tinymet is a possible alias for Meterpreter. TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your sy	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Payload

Exploit

Rat

Vulnerability

Beacon

Trojan

Downloader

Cobalt Strike

Backdoor

Ransomware

Proxy

Lateral Move...

Android

Phishing

Tool

Exploits

PowerShell

Apt

t1587.001

Source

Implant

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Bumblebee Malware is associated with Meterpreter. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav	Unspecified	2
The PlugX Malware is associated with Meterpreter. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s	Unspecified	2
The Cobalt Strike Beacon Malware is associated with Meterpreter. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon	Unspecified	2
The Clop Malware is associated with Meterpreter. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	Unspecified	2

Source Document References

Information about the Meterpreter Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CISA	3 months ago	Russian Military Cyber Actors Target US and Global Critical Infrastructure
Securityaffairs	3 months ago	Russia-linked GRU Unit 29155 targeted critical infrastructure
Recorded Future	5 months ago	2023 Adversary Infrastructure Report \| Recorded Future
DARKReading	7 months ago	Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously
CERT-EU	8 months ago	Cybercrime on Main Street – Sophos News \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	8 months ago	Cybercrime on Main Street – Sophos News \| #cybercrime \| #computerhacker - Am I Hacker Proof
CERT-EU	8 months ago	Cyberattack On Russian Election Systems Amid 2024 Elections \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	10 months ago	Godzilla Web Shell Attacks Stomp on Critical Apache ActiveMQ Flaw
CERT-EU	10 months ago	Hacking Blackpearl. Machine: Blackpearl \| by Rahul Ravishankar \| Jan, 2024 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	10 months ago	Who Is Behind Pro-Ukrainian Cyberattacks on Iran?
Recorded Future	10 months ago	2023 Adversary Infrastructure Report \| Recorded Future
MITRE	2 years ago	FIN7 Revisited: Inside Astra Panel and SQLRat Malware
CERT-EU	a year ago	Remote Command Injection Vulnerability For Sale On Dark Web
Unit42	a year ago	From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence
CERT-EU	a year ago	Top 20 Most Popular Hacking Tools in 2023
Flashpoint	2 years ago	No title
CERT-EU	a year ago	MaccaroniC2 - A PoC Command And Control Framework That Utilizes The Powerful AsyncSSH
CERT-EU	a year ago	Researchers Uncover RaaS Affiliate Distributing Multiple Ransomware Strains
CERT-EU	a year ago	ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers
CERT-EU	a year ago	New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government