New malware dubbed Meduza Stealer can steal data from numerous browsers, password managers and cryptocurrency wallets, in accordance with a report from cybersecurity firm Uptycs. The malware was developed to focus on Home windows working methods.
Uptycs analysis signifies that “no particular assaults have been attributed thus far” although, in all probability as a result of Meduza Stealer is new malware. It’s extremely suspected that Meduza Stealer is unfold by way of the ordinary strategies used for data stealers, comparable to compromised web sites spreading the malware and phishing emails.
Study what occurs when Medusa Stealer is launched, how the malware is being promoted to cybercriminals and recommendations on defending your organization from this cybersecurity risk.
Bounce to:
What occurs when Meduza Stealer is launched?
As soon as Meduza Stealer is launched, the malware begins checking for its geolocation through the use of the Home windows GetUserGeoID operate. This operate seems to be for a rustic worth based mostly on the system’s settings and never actual geolocation data. The malware stops working if the end result signifies one in all these 10 international locations: Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova and Tajikistan.
The following step for the malware consists of checking if it might probably attain the attacker’s server earlier than beginning to accumulate primary data on the contaminated system, comparable to laptop title, CPU/GPU/RAM/{Hardware} particulars, working system model’s exact construct particulars, time zone and present time, username, public IP handle, execution path and display decision. Meduza Stealer additionally makes a screenshot. Then, the malware is prepared for its stealing operations (Determine A).
Determine A
Meduza Stealer’s large theft capabilities
Browsers
Meduza Stealer hunts for knowledge within the Person Knowledge folder; it’s looking for browser-related data such because the browser historical past, its cookies, login and internet knowledge. An inventory of 97 browser variants is embedded within the malware, displaying an enormous effort to not miss any knowledge from browsers (Determine B). Chrome, Firefox and Microsoft Edge are simply three of the browsers on the checklist.
Determine B
Password managers
Nineteen password managers are focused by Meduza Stealer based mostly on their Extension ID (Determine C). LastPass, 1Password and Authy are simply three of the password managers listed.
Determine C
The malware particularly targets extensions related to two-factor authentication and password managers with the intention of extracting knowledge; these extensions possess important data and will include vulnerabilities. By having access to 2FA codes or exploiting weaknesses in password supervisor extensions, the attacker would possibly be capable of evade safety protocols and obtain unauthorized entry to person accounts.
Cryptocurrency wallets
There are 76 cryptocurrency wallets presently focused by Meduza Stealer.
From Uptycs Menace Analysis, “The malware makes an attempt to extract cryptocurrency pockets extensions from internet browsers by way of software program plugins or add-ons that allow customers to conveniently handle their cryptocurrency belongings instantly inside internet browsers like Chrome or Firefox. These extensions present performance for duties comparable to monitoring account balances, conducting cryptocurrency transactions particulars.”
The malware will get configuration and associated knowledge from totally different Home windows Registry keys:
- HKCUSOFTWAREEtherdyneEtherwallgeth
- HKCUSOFTWAREmonero-projectmonero-core
- HKCUSOFTWAREDogecoinCoreDogecoinCore-Qt
- HKCUSOFTWAREBitcoinCoreBitcoinCore-Qt
- HKCUSOFTWARELitecoinCoreLitecoinCore-Qt
- HKCUSOFTWAREDashCoreDashCore-Qt
Extra purposes focused
The Telegram Desktop software is being scanned by the malware, which seems to be for entries within the Home windows registry which are particular to this software.
The malware additionally seems to be for the Steam gaming system software knowledge that is likely to be saved within the Home windows registry. If Steam is put in on the pc, the information that may be fetched from it contains login knowledge, session data, user-specific settings and different configuration knowledge.
Discord is one other software focused by the malware, which accesses the Discord folder and collects data comparable to configuration and user-specific knowledge.
How Meduza Stealer is promoted to cybercriminals
Based on Uptycs researchers, the administrator of Meduza Stealer has been utilizing “subtle advertising methods” to advertise the malware on a number of cybercriminal marketplaces and boards.
For starters, the actor doesn’t hesitate to supply display captures of a big portion of antivirus software program detection outcomes, displaying that just one antivirus resolution (ESET) out of 26 detect it, whether or not that’s statically or dynamically.
To draw extra prospects, entry to stolen knowledge is obtainable by an online panel (Determine D). Completely different subscription choices are proven to the potential buyer: one month for $199 USD, three months for $399 USD or a lifetime plan.
Determine D
As soon as the person has subscribed, the individual has full entry to the Meduza Stealer internet panel, which gives data comparable to IP addresses, laptop names, nation title, depend of saved passwords, wallets and cookies on contaminated computer systems. Then, the subscriber can obtain or delete the stolen knowledge instantly from the net panel. This unprecedented characteristic may be very helpful as a result of the information deletion ensures that no different subscriber will be capable of use that data as a result of it’s instantly taken off.
The right way to keep protected from this cybersecurity risk
It’s strongly suggested to have all working methods and software program updated and patched to keep away from being compromised by a standard vulnerability. Browsers, particularly, have to be updated; additionally, run as few plugins as potential to cut back the assault floor.
It’s additionally suggested to deploy multifactor authentication the place potential so an attacker can not achieve entry to company assets, even when they’re in possession of legitimate credentials.
Safety options have to be deployed on endpoints and servers, with monitoring capabilities to detect threats. It’s additionally suggested to run YARA detection guidelines on company endpoints, such because the one offered by Uptycs to detect the Meduza Stealer.
Disclosure: I work for Pattern Micro, however the views expressed on this article are mine.
