Meterpreter

Malware updated a month ago (2024-11-29T14:40:29.726Z)
Meterpreter is an attack payload within the Metasploit framework that gives a threat actor an interactive shell for controlling a compromised system and executing code on it. It is often deployed covertly through suspicious downloads, emails, or websites. Once installed, it can be used to steal personal information, disrupt operations, or hold data hostage for ransom. Meterpreter has been likened to Beacon in the Cobalt Strike toolset because both function as a malicious backdoor.

Advanced Persistent Threat (APT) actors have recently been observed creating and using a variant of Meterpreter on the ServiceDesk system, identified as wkHPd.exe. Through this variant the actors are able to take control of an organization's internal network, leveraging the various features the malware offers. After an exploit succeeds on a victim system, the actors launch the Meterpreter payload to initiate communication with their actor-controlled systems, typically over a reverse Transmission Control Protocol (TCP) connection.

Use of Meterpreter has been linked to Unit 29155 cyber actors and to other threat actors who employ similar methods after gaining access to systems such as Redis. Researchers from AhnLab Security Intelligence Center (ASEC) suggested that attackers may be exploiting insecure settings or vulnerabilities in Redis deployments to distribute Meterpreter. These findings underscore the need for robust security measures against such threats.
Description last updated: 2024-11-21T10:46:00.770Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.

Alias | Description | Votes
Meterpreter Stager is a possible alias for Meterpreter. The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di
3
wkhpd.exe is a possible alias for Meterpreter. wkhpd.exe is a malicious software (malware) that was created and used by Advanced Persistent Threat (APT) actors. This malware is a variant of Metasploit's Meterpreter, which was specifically designed to exploit the ServiceDesk system. The creation and use of this malware were first identified on Fe
2
Tinymet is a possible alias for Meterpreter. TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your sy
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Exploit
Rat
Vulnerability
Beacon
Trojan
Downloader
Cobalt Strike
Backdoor
Ransomware
Proxy
Lateral Move...
Android
Phishing
Tool
Exploits
PowerShell
Apt
t1587.001
Source
Implant
Windows
Associated Malware
Malware | Association Type | Votes | Description

Bumblebee | Unspecified | 2
The Bumblebee Malware is associated with Meterpreter. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav

PlugX | Unspecified | 2
The PlugX Malware is associated with Meterpreter. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s

Cobalt Strike Beacon | Unspecified | 2
The Cobalt Strike Beacon Malware is associated with Meterpreter. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon

Clop | Unspecified | 2
The Clop Malware is associated with Meterpreter. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin
Source Document References
Information about the Meterpreter malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At
CISA | 4 months ago
Securityaffairs | 4 months ago
Recorded Future | 6 months ago
DARKReading | 8 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
DARKReading | a year ago
CERT-EU | a year ago
DARKReading | a year ago
Recorded Future | a year ago
MITRE | 2 years ago
CERT-EU | a year ago
Unit42 | a year ago
CERT-EU | a year ago
Flashpoint | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago