Meterpreter

Malware updated a month ago (2024-09-06T09:17:43.438Z)
Meterpreter is a type of malware that is part of the Metasploit penetration testing software. It serves as an attack payload and provides an interactive shell, allowing threat actors to control and execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a variant of this malware on the ServiceDesk system, where it is listed as wkHPd.exe. Meterpreter executes code in memory, giving the threat actor control over the infected system and enabling them to exploit an organization's internal network using the various features the malware offers. Attackers have deployed it after successful exploitation of systems, establishing communication with their infrastructure through reverse TCP connections. The threat actor can install a Meterpreter Stager, a module that acts as a malicious backdoor, with the installation method determining the module type. Meterpreter is akin to the Beacon tool in Cobalt Strike, another prominent offensive security tool; other notable tools include Viper, AsyncRAT, QuasarRAT, PlugX, ShadowPad, and DarkComet. Researchers from AhnLab Security Intelligence Center (ASEC) reported that attackers are likely exploiting inappropriate settings or vulnerabilities in Redis implementations to distribute Meterpreter. In particular, an 8-year-old version of the Redis open-source database server is being exploited, potentially allowing full system takeover and distribution of other malware. Some installers have also been found to carry a malicious Python payload that, when launched, pulls down a Meterpreter remote shell and Cobalt Strike beacons.
Description last updated: 2024-09-06T09:15:33.380Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes
Meterpreter Stager | Meterpreter Stager is a possible alias for Meterpreter. The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di | 3
wkhpd.exe | wkhpd.exe is a possible alias for Meterpreter. wkhpd.exe is a malicious software (malware) that was created and used by Advanced Persistent Threat (APT) actors. This malware is a variant of Metasploit's Meterpreter, which was specifically designed to exploit the ServiceDesk system. The creation and use of this malware were first identified on Fe | 2
Tinymet | Tinymet is a possible alias for Meterpreter. TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your sy | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Exploit
Rat
Vulnerability
Beacon
Trojan
Downloader
Cobalt Strike
Backdoor
Ransomware
Proxy
Lateral Move...
Android
Phishing
Tool
Exploits
PowerShell
Apt
t1587.001
Clop
Source
Implant
Windows
Associated Malware
Malware | Description | Association Type | Votes
Bumblebee | The Bumblebee Malware is associated with Meterpreter. Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam | Unspecified | 2
PlugX | The PlugX Malware is associated with Meterpreter. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s | Unspecified | 2
Cobalt Strike Beacon | The Cobalt Strike Beacon Malware is associated with Meterpreter. Cobalt Strike Beacon is a type of malware that has been linked to various ransomware activities. This malicious software has been loaded by HUI Loader in several instances, with different files such as mpc.tmp, dlp.ini, and vmtools.ini being used. A unique feature of this Cobalt Strike Beacon shellc | Unspecified | 2
Source Document References
Information about the Meterpreter malware was drawn from the document corpus below. This display is limited to 20 results.
Source | Created
Securityaffairs | a month ago
Recorded Future | 3 months ago
DARKReading | 6 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
DARKReading | 9 months ago
CERT-EU | 9 months ago
DARKReading | 9 months ago
Recorded Future | 9 months ago
MITRE | 2 years ago
CERT-EU | 9 months ago
Unit42 | 10 months ago
CERT-EU | 10 months ago
Flashpoint | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago