Meh – Oddly Named Malware Family Attacks Spain En Masse


Saturday, September 26th, 2020 |

In mid-June 2020, Avast researchers noticed a surge of Meh and MehCrypter infections in Spain, with several thousand infection attempts being blocked per day. Meh and MehCrypter take their names from the contents of a file the malware creates once it has run.

The malware named Meh is, at its core, a password stealer. MehCrypter is a multi-stage loader delivered as a pre-compiled AutoIt script; its later stages download additional malware and files to the infected host.

MehCrypter is a crypter that consists of multiple stages and is distributed as a compiled AutoIt script. Random data is prepended to the file to obfuscate it; at runtime the interpreter simply ignores that data. Once executed, the script is interpreted by the AutoIt interpreter and yields a basic script that concatenates hard-coded hexadecimal strings into a Portable Executable (MehDropper), which is then loaded in memory.
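The hex-string concatenation described above is easy to undo during triage without running the sample. The following Python script is an added example, not code from Avast's write-up or from the malware: it follows AutoIt-style `$var = "..."` and `$var &= "..."` assignments (an assumed statement shape, not the real MehCrypter script's syntax), rebuilds each variable's buffer, and returns the one that decodes to something with a valid MZ/PE header. The embedded sample script and its tiny PE-like blob are constructed for the demo.

```python
import re
import struct
from typing import Dict, Optional

# Assumed AutoIt statement shape (not taken from the real MehCrypter script):
#   $var = "hex"        start a new buffer
#   $var &= "hex"       append to it
# Local/Global prefixes and trailing ";" comments are tolerated.
_ASSIGN = re.compile(
    r'^\s*(?:(?:Local|Global)\s+)?\$(\w+)\s*(&?=)\s*"([^"]*)"\s*(?:;.*)?$',
    re.IGNORECASE,
)
_HEX = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Constructed sample, not the real MehCrypter script. The first line imitates
# the random data prepended to the file; the PE header below is a 68-byte stub
# (DOS header with e_lfanew = 0x40, followed by the "PE\0\0" signature).
SAMPLE_SCRIPT = r'''}xZ@9q#Lm random bytes prepended by the crypter, ignored at runtime
; decoy literal that is not hex and must be skipped
$x = "not hex at all"
$p = "4D5A90000300000004000000FFFF0000"
$p &= "B8000000000000004000000000000000"
$p &= "00000000000000000000000000000000"
$p &= "00000000000000000000000040000000"
$p &= "50450000"   ; PE signature
Local $y = "deadbeef"
'''


def collect_hex_buffers(script: str) -> Dict[str, bytes]:
    """Follow assignment / append statements and return the decoded bytes
    per variable, keeping only literals that are pure hex of even length."""
    buffers: Dict[str, bytes] = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, op, literal = m.groups()
        if not _HEX.match(literal):
            continue  # ordinary string literal, not part of the payload
        chunk = bytes.fromhex(literal)
        if op == "=":
            buffers[name] = chunk
        else:  # "&=" appends to whatever was collected so far
            buffers[name] = buffers.get(name, b"") + chunk
    return buffers


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and the e_lfanew field at
    0x3C pointing at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_embedded_pe(script: str) -> Optional[bytes]:
    """Return the first reassembled buffer that carries a PE header, or None."""
    for data in collect_hex_buffers(script).values():
        if looks_like_pe(data):
            return data
    return None


if __name__ == "__main__":
    pe = carve_embedded_pe(SAMPLE_SCRIPT)
    if pe is None:
        print("no embedded PE found")
    else:
        print(f"carved {len(pe)} bytes, first bytes: {pe[:2]!r}")
```

Checking the header rather than just accepting every hex literal matters: decoy strings such as `"deadbeef"` decode cleanly too, so the MZ/e_lfanew check is what separates the dropper from noise. On a real sample the carved bytes can be written to disk and hashed for comparison against the IOC list below.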

MehDropper is loaded into memory, where it reaches out to the attacker's command-and-control server to download additional files. It downloads three files: pe.bin (the Meh password stealer), base.au3 (a slightly modified version of the dropper that uses shellcode to build the PE) and a copy of autoit.exe, which is used to run the newly downloaded files.


Indicators of Compromise (IOCs):

  • SHA-256
    • 94c2479d0a222ebdce04c02f0b0e58ec433b62299c9a537a31090bb75a33a06e
      • Initial AutoIt script
    • 43bfa7e8b83b54b18b6b48365008b2588a15ccebb3db57b2b9311f257e81f34c
      • Stage 1 – Dropper
    • 34684e4c46d237bfd8964d3bb1fae8a7d04faa6562d8a41d0523796f2e80a2a6
      • Stage 2 – Shellcode
    • 2256801ef5bfe8743c548a580fefe6822c87b1d3105ffb593cbaef0f806344c5
      • Stage 3 – Shellcode 2
    • 657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282
      • Stage 4 – Meh stager
    • 66de6f71f268a76358f88dc882fad2d2eaaec273b4d946ed930b8b7571f778a8
      • pe.bin
    • 75949175f00eb365a94266b5da285ec3f6c46dadfd8db48ef0d3c4f079ac6d30
      • base.au3
    • 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
      • autoit.exe
  • File Names:
    • C:\testintel2\pe.bin
    • C:\testintel2\base.au3
    • C:\testintel2\autoit.exe
    • C:\testintel2\a.txt
    • C:\programdata\intel\wireless
  • Network Indicators
    • Downloader URLs
      • http://83[.]171.237.233/s2/pe.bin
      • http://83[.]171.237.233/s2/base.au3
      • http://83[.]171.237.233/s2/autoit.exe
    • C&C Servers:
      • http://83[.]171.237.233