
Meterpreter malware, used by cybercrime and state-sponsored hackers, unveiled

Meterpreter is one of the most dangerous pieces of malware used by cybercrime and state-sponsored hackers. The Sphinx wrote his own version of the malicious code to understand how it works.

Meterpreter is one of the most dangerous pieces of malware used by cybercrime and state-sponsored hackers, such as Russia's Turla, to gain control of a targeted system. But why? A cyber security researcher nicknamed The Sphinx wrote his own version of the malicious code to understand how it works. It is used for post-exploitation operations because it is stealthy and light but really powerful. Meterpreter, according to a blog post by The Sphinx on ZetaBay, is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more. The malware was originally written by skape for Metasploit 2.x; common extensions were merged for 3.x, and it is currently undergoing an overhaul for Metasploit 3.3.

The workflow of the malware

The Sphinx also explains the workflow of Meterpreter. The target executes the initial stager, which is usually one of bind, reverse, findtag, passivex, etc. The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL. The malware core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client. Lastly, the malicious code loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.

The cyber security researcher: Meterpreter is Stealthy, Powerful and Extensible

The cyber security researcher underlines that Meterpreter is so dangerous because of three elements: it is Stealthy, Powerful and Extensible. On the first point, the malware resides entirely in memory and writes nothing to disk. No new processes are created, as the code injects itself into the compromised process and can migrate to other running processes easily. By default, it uses encrypted communications (nothing new but always appreciated). All of this leaves limited forensic evidence and has limited impact on the victim machine. On the second, it utilizes a channelized communication system (it can be used as a “botnet”) and the TLV protocol has few limitations.
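A defender's reading of the "nothing on disk" point, as an added example that is not from The Sphinx's post or from Metasploit: an injected DLL still leaves an executable image in process memory that no file on disk backs. The sketch applies that heuristic to constructed memory-region records; the `Region` fields and all sample values are assumptions, not the output of a specific tool.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical record for one memory region, as a forensics/EDR tool might export it.
@dataclass
class Region:
    pid: int
    base: int
    protection: str             # e.g. "R", "RW", "RX", "RWX"
    mapped_file: Optional[str]  # path of backing file, None if private memory
    head: bytes                 # first bytes of the region

def has_pe_header(head: bytes) -> bool:
    """True if the bytes start a PE image: 'MZ' magic and a 'PE' signature at e_lfanew."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def score_region(r: Region) -> List[str]:
    """Return the reasons a region looks like an injected, file-less image."""
    reasons = []
    if "X" in r.protection and r.mapped_file is None:
        reasons.append("executable private memory")
        if "W" in r.protection:
            reasons.append("writable and executable")
        if has_pe_header(r.head):
            reasons.append("PE image with no backing file")
    return reasons

def find_suspicious(regions: List[Region]) -> dict:
    """Map (pid, base) -> reasons for every region with at least one finding."""
    return {(r.pid, r.base): why for r in regions if (why := score_region(r))}

def _pe_stub() -> bytes:
    # Constructed 0x48-byte header: 'MZ', e_lfanew = 0x40, then 'PE\0\0'.
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 4

# Constructed sample data (not from a real system).
SAMPLE = [
    Region(1200, 0x7FF600000000, "RX", r"C:\Windows\System32\svchost.exe", _pe_stub()),
    Region(1200, 0x000002A0000, "RWX", None, _pe_stub()),
    Region(1200, 0x000003B0000, "RW", None, b"\x00" * 64),
    Region(3344, 0x000001C0000, "RX", None, b"\x90" * 64),
]

if __name__ == "__main__":
    for key, why in find_suspicious(SAMPLE).items():
        print(f"pid={key[0]} base={key[1]:#x}: {', '.join(why)}")
```

JIT runtimes also allocate private executable memory, so "executable private memory" on its own is a triage signal rather than a verdict; the PE-header finding is the stronger indicator.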

Features can be loaded without having to rebuild the malware

Meterpreter is Extensible because features can be augmented at runtime and are loaded over the network. The Sphinx adds that they can be added to the malware without having to rebuild it, just by loading extensions. The client uploads the DLL over the socket, and the server running on the victim loads the DLL in memory and initializes it. The new extension then registers itself with the server, and the client on the attacker's machine loads the local extension API and can now call the extension's functions. This entire process is seamless and takes approximately 1 second to complete.

Here is Covenant, The Sphinx's version of the malicious code

The cyber security expert coded his version of Meterpreter, dubbed Covenant, using Python 2.7. Here is a video of what the final program looks like. The Sphinx reminds readers that “this is a Proof Of Concept because if we should code the entire malware we’ll use days instead of minutes”.

