New Windows malware aims to steal data across the board

The Uptycs Threat Research Team reports the discovery of a new malware called Meduza Stealer that targets Windows users and organizations.

Meduza Stealer is designed to steal data comprehensively: it records users' browsing activity and extracts a large amount of browser-related data. From critical login credentials to valuable browsing history and bookmarks, no digital artifact is safe; even encrypted wallet extensions, password managers, and 2FA extensions are vulnerable. "If left unchecked, those affected could suffer severe consequences, including financial loss and a large-scale data breach that could have far-reaching impacts on the organization."

The administrators of Meduza Stealer have been using "sophisticated marketing tactics" to promote the malware, the report states. They ran static and dynamic scans of the Meduza Stealer file with some of the industry's best-known antivirus products and later shared screenshots of the detection results, claiming that the malware can evade detection by top antivirus solutions.

The cunning of Meduza Stealer lies in its operational design. The binary is not obfuscated, which makes it harder to identify and track. Additionally, it tries to establish a connection with the attacker's server before it starts stealing data from the victim's machine; if the connection fails, it terminates immediately, which also makes it harder to track down.

To lure potential customers, the operators offer access to stolen data through a web panel. Potential customers are shown several subscription options: $199 for one month, $399 for three months, or a lifetime plan. Subscribing gives users full access to the Meduza Stealer web panel, which lists information such as the IP address, computer name, country, and the number of stored passwords, wallets, and cookies on each infected computer. Subscribers can then download or delete the stolen data directly from the web panel; the deletion feature guarantees that the information cannot be used by other subscribers.

Once it has successfully infiltrated a machine, Meduza Stealer kicks into action. The first step it performs is a geolocation check: if the victim's location is within the stealer's predefined list of excluded countries (Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova, and Tajikistan), the malware operation is immediately aborted.

If the location is not on the list, Meduza Stealer checks whether the attacker's server is active. The stealer also immediately terminates its activity if the server is inaccessible. If both the location check and the server accessibility check are favorable, the stealer proceeds to collect a wealth of information, including system information, browser data, password manager details, mining-related registry information, and details of installed games.

The variety of data types collected by the malware suggests that an infection has a broad potential impact, as it targets not only personal and financial data but also specific systems and potentially proprietary information, the researchers noted. The collected data is quickly uploaded to the attacker's servers, which increases the speed at which a breach can unfold and underlines the urgent need for effective detection and protection measures.

To defend against malware attacks such as Meduza Stealer, it is recommended to:

  • Install regular updates to the operating system, browser, and installed applications to patch vulnerabilities that malware can exploit.
  • Be careful when downloading files or opening email attachments, especially those from unknown sources. Scan the file with security software before opening it.
  • Use strong and unique passwords for all accounts, including browsers, email, and cryptocurrency wallets. Consider using a password manager to securely store and manage passwords.
  • Enable 2FA whenever possible to add an extra layer of security to accounts. This helps prevent unauthorized access even if the password is compromised.
  • Only install browser extensions from trusted sources. Regularly check for and remove unnecessary or suspicious extensions to minimize the risk of malware interference.
  • Keep an eye on financial accounts, including cryptocurrency wallets, and regularly review transaction histories for any suspicious activity. Immediately report any unauthorized transactions or security breaches.

More details can be found on the official blog

Source: www.oschina.net/news/248786/meduza-stealer-windows