New malware dubbed Meduza Stealer can steal data from a lot of browsers, password managers and cryptocurrency wallets, in line with a report from cybersecurity firm Uptycs. The malware was developed to focus on Home windows working techniques.
Uptycs analysis signifies that “no particular assaults have been attributed thus far” although, in all probability as a result of Meduza Stealer is new malware. It’s extremely suspected that Meduza Stealer is unfold by way of the regular strategies used for data stealers, comparable to compromised web sites spreading the malware and phishing emails.
Be taught what occurs when Medusa Stealer is launched, how the malware is being promoted to cybercriminals and tips about defending your organization from this cybersecurity risk.
Leap to:
What occurs when Meduza Stealer is launched?
As soon as Meduza Stealer is launched, the malware begins checking for its geolocation by utilizing the Home windows GetUserGeoID operate. This operate appears to be like for a rustic worth based mostly on the system’s settings and never actual geolocation data. The malware stops working if the outcome signifies one among these 10 international locations: Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova and Tajikistan.
The following step for the malware consists of checking if it could attain the attacker’s server earlier than beginning to accumulate primary data on the contaminated system, comparable to pc identify, CPU/GPU/RAM/{Hardware} particulars, working system model’s exact construct particulars, time zone and present time, username, public IP tackle, execution path and display decision. Meduza Stealer additionally makes a screenshot. Then, the malware is prepared for its stealing operations (Determine A).
Determine A
Meduza Stealer’s large theft capabilities
Browsers
Meduza Stealer hunts for information within the Person Information folder; it’s trying to find browser-related data such because the browser historical past, its cookies, login and net information. An inventory of 97 browser variants is embedded within the malware, exhibiting an enormous effort to not miss any information from browsers (Determine B). Chrome, Firefox and Microsoft Edge are simply three of the browsers on the record.
Determine B
Password managers
Nineteen password managers are focused by Meduza Stealer based mostly on their Extension ID (Determine C). LastPass, 1Password and Authy are simply three of the password managers listed.
Determine C
The malware particularly targets extensions related to two-factor authentication and password managers with the intention of extracting information; these extensions possess important data and will include vulnerabilities. By means of having access to 2FA codes or exploiting weaknesses in password supervisor extensions, the attacker would possibly be capable of evade safety protocols and obtain unauthorized entry to person accounts.
Cryptocurrency wallets
There are 76 cryptocurrency wallets at the moment focused by Meduza Stealer.
From Uptycs Menace Analysis, “The malware makes an attempt to extract cryptocurrency pockets extensions from net browsers by way of software program plugins or add-ons that allow customers to conveniently handle their cryptocurrency property instantly inside net browsers like Chrome or Firefox. These extensions present performance for duties comparable to monitoring account balances, conducting cryptocurrency transactions particulars.”
The malware will get configuration and associated information from totally different Home windows Registry keys:
- HKCUSOFTWAREEtherdyneEtherwallgeth
- HKCUSOFTWAREmonero-projectmonero-core
- HKCUSOFTWAREDogecoinCoreDogecoinCore-Qt
- HKCUSOFTWAREBitcoinCoreBitcoinCore-Qt
- HKCUSOFTWARELitecoinCoreLitecoinCore-Qt
- HKCUSOFTWAREDashCoreDashCore-Qt
Extra functions focused
The Telegram Desktop utility is being scanned by the malware, which appears to be like for entries within the Home windows registry which are particular to this utility.
The malware additionally appears to be like for the Steam gaming system utility information that could be saved within the Home windows registry. If Steam is put in on the pc, the information that may be fetched from it contains login information, session data, user-specific settings and different configuration information.
Discord is one other utility focused by the malware, which accesses the Discord folder and collects data comparable to configuration and user-specific information.
How Meduza Stealer is promoted to cybercriminals
In keeping with Uptycs researchers, the administrator of Meduza Stealer has been utilizing “subtle advertising methods” to advertise the malware on a number of cybercriminal marketplaces and boards.
For starters, the actor doesn’t hesitate to supply display captures of a giant portion of antivirus software program detection outcomes, exhibiting that just one antivirus answer (ESET) out of 26 detect it, whether or not that’s statically or dynamically.
To draw extra clients, entry to stolen information is obtainable by means of an online panel (Determine D). Completely different subscription choices are proven to the potential buyer: one month for $199 USD, three months for $399 USD or a lifetime plan.
Determine D
As soon as the person has subscribed, the individual has full entry to the Meduza Stealer net panel, which supplies data comparable to IP addresses, pc names, nation identify, depend of saved passwords, wallets and cookies on contaminated computer systems. Then, the subscriber can obtain or delete the stolen information instantly from the net panel. This unprecedented function may be very helpful as a result of the information deletion ensures that no different subscriber will be capable of use that data as a result of it’s instantly taken off.
keep secure from this cybersecurity risk
It’s strongly suggested to have all working techniques and software program updated and patched to keep away from being compromised by a typical vulnerability. Browsers, specifically, have to be updated; additionally, run as few plugins as potential to scale back the assault floor.
It’s additionally suggested to deploy multifactor authentication the place potential so an attacker can’t acquire entry to company assets, even when they’re in possession of legitimate credentials.
Safety options have to be deployed on endpoints and servers, with monitoring capabilities to detect threats. It’s additionally suggested to run YARA detection guidelines on company endpoints, such because the one offered by Uptycs to detect the Meduza Stealer.
Disclosure: I work for Pattern Micro, however the views expressed on this article are mine.