New Windows Meduza Stealer Targets Tens of Crypto Wallets and Password Managers

Cyber Security Threat Summary:
A newly discovered information-stealing malware known as Meduza Stealer has been identified by researchers. The creators of this malware utilize advanced marketing tactics to promote its distribution. Meduza Stealer is designed to extract various browser-related data, such as login credentials, browsing history, and bookmarks, thereby compromising the victim’s browsing activities. Additionally, the malware targets specific extensions related to cryptocurrency wallets, password managers, and two-factor authentication (2FA). The authors of Meduza Stealer actively work on developing the malware in order to evade detection. However, no specific attacks have been attributed to this malware as of now.

“The malware admin declared that their operations do not involve any ransom activities. Like other malware, the malicious code doesn’t infect systems in the Commonwealth of Independent States (CIS region). The stealer prevents execution if the C2 server is unreachable. The researchers at Uptycs, who discovered the malware, noticed that the binary does not employ obfuscation techniques, but the malicious code has a low detection rate. ‘What’s more concerning is that a large portion of antivirus software has proven ineffective against the Meduza stealer binary, either failing to detect it statically or dynamically,’ reads the analysis published by Uptycs. ‘But the real game-changer in their marketing strategy has been the pricing model and the added control provided to subscribers.’ The administrator offers access to the stolen data through a management console. The malware also collects a variety of data, including system info, browser info, password manager info, miner-related registry info, and installed games info” (SecurityAffairs, 2023).

Security Officer Comments:
The Meduza Stealer author provides various subscription plans, including options for one-month, three-month, and lifetime access. The stealer is capable of targeting a wide range of applications including 19 password manager apps, 76 crypto wallets, the Steam client, and Discord.

According to the Uptycs analysis, the stealer focuses on extracting ID details from password manager applications, two-factor authentication extensions, and cryptocurrency wallet extensions. These specific targets are of great interest to attackers because they often contain valuable information and may have weaknesses that can be exploited to gain unauthorized access to user accounts. The stealer maintains a predefined list of supported browsers. It scans each browser’s “User Data” folder to retrieve browser-related artifacts such as browsing history, cookies, login data, web data, login data for accounts, and local state.
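As an added example (not code from the Uptycs or SecurityAffairs write-ups), the following Python turns the artifact list above into a simple detection: it flags any non-browser process that reads one of those files beneath a “User Data” folder, run here over constructed file-access log lines. The log line format and the browser allowlist are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Browser-profile artifacts named in the write-up that the stealer reads from the
# Chromium "User Data" folder. Matched case-insensitively on the file name.
ARTIFACTS = {"history", "cookies", "login data", "web data",
             "login data for account", "local state"}

# Processes legitimately allowed to touch these files (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

USER_DATA_RE = re.compile(r"\\user data\\", re.IGNORECASE)


def is_profile_artifact(path: str) -> bool:
    """True if path points at one of the artifact files under a User Data folder."""
    if not USER_DATA_RE.search(path):
        return False
    return PureWindowsPath(path).name.lower() in ARTIFACTS


def find_suspicious_reads(log_lines):
    """Return (image, path) pairs where a non-browser process read a profile artifact.

    Each line is 'timestamp|image|target_path' (constructed format, not a real EDR schema).
    """
    alerts = []
    for line in log_lines:
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue  # malformed line, skip it
        _ts, image, path = parts
        if PureWindowsPath(image).name.lower() in BROWSER_IMAGES:
            continue  # the browser itself is expected to open its own profile files
        if is_profile_artifact(path):
            alerts.append((image, path))
    return alerts


# Constructed sample log: one legitimate browser access, two suspicious reads, one unrelated file.
SAMPLE_LOG = [
    r"2023-07-03T10:00:01|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2023-07-03T10:02:14|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2023-07-03T10:02:15|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"2023-07-03T10:03:00|C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for image, path in find_suspicious_reads(SAMPLE_LOG):
        print(f"ALERT: {image} read {path}")
```

In practice the allowlist should be keyed on signed, full-path images rather than bare file names, since a stealer can name itself after a browser.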

Suggested Correction(s):
Uptycs has published the following mitigations and IOCs to defend against malware like the Meduza Stealer:

  • Regularly install updates for your operating system, browsers, and installed applications to patch vulnerabilities that malware can exploit.
  • Be cautious when downloading files or opening email attachments, especially from unknown sources. Scan files using security software before opening them.
  • Employ strong and unique passwords for all your accounts, including browsers, email, and cryptocurrency wallets. Consider using a password manager to securely store and manage your passwords.
  • Enable 2FA wherever possible to add an extra layer of security to your accounts. This helps protect against unauthorized access, even if passwords are compromised.
  • Only install browser extensions from trusted sources. Regularly review and remove unnecessary or suspicious extensions to minimize the risk of malware interference.
  • Keep a close eye on your financial accounts, including cryptocurrency wallets, and regularly review transaction history for any suspicious activities. Report any unauthorized transactions or security breaches immediately.
IOCs:
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work

Link(s):
https://securityaffairs.com/148059/cyber-crime/meduza-stealer-malware.html