Unmasking Meduza Stealer Malware: Comprehensive Analysis & Countermeasures

Meduza Stealer is a Windows-targeted data thief designed to exfiltrate browser data, wallet extensions, and other sensitive artifacts while using country exclusions and a server check to stay stealthy. Uptycs analyzes its marketing, distribution, workflow, and countermeasures including a YARA rule and memory scanning.

Keypoints

  • The Meduza Stealer targets Windows users/organizations and excludes ten specific countries from its reach.
  • It steals browser data (history, cookies, login data), password manager data, 2FA extensions, and crypto wallet extensions.
  • Attackers market the malware via cybercrime forums and Telegram, claim evasion against top antivirus, and avoid obfuscation to appear legitimate.
  • It features a web panel with subscription plans allowing subscribers to view/download data and see victim details (IP, geo, OS, counts).
  • The malware uses GetUserGeoID/GetGeoInfoA APIs for geolocation and checks a country exclusion list before contacting the C2 server.
  • Operational workflow includes collecting extensive system/browser data, taking screenshots, and uploading data to the attacker server; it also reads registry keys for Telegram/Steam/Discord and enumerates browsers/extensions.

MITRE Techniques

  • [T1082] System Information Discovery – “The malware begins to collect system information from the victim’s machine, using a variety of Windows APIs such as GetUserName, GetComputerName, GetCurrentHWProfile, and EnumDisplayDevices.”
  • [T1113] Screen Capture – “A screenshot of the current Windows screen is taken and converted into base64 format.”
  • [T1555.003] Credentials from Web Browsers – “The stealer reads various browser-related data such as Browser History, Cookies, Login Data, Web Data, Login Data for Account, and Local State.”
  • [T1555.001] Credentials in Password Stores – The stealer enumerates password manager data and 2FA/crypto wallet extension IDs. “The stealer reads the ID details of password manager applications, 2FA, and cryptocurrency wallet extensions.”
  • [T1012] Query Registry – The malware reads Windows Registry keys to discover installed applications (Telegram, Steam, Discord, etc.). “The registry paths mentioned above contain crucial details such as display names, versions, UninstallString, and other pertinent data.”
  • [T1071.001] Web Protocols – It establishes and maintains a connection with the attacker’s server and halts if the server is unreachable. “If the victim’s country isn’t part of this list, the malware tries to establish a connection with the attacker’s server.”
  • [T1041] Exfiltration Over C2 Channel – Collected data is packaged and uploaded to the attacker’s server. “Once this comprehensive set of data is gathered, it is packaged and uploaded, ready to be dispatched to the attacker’s server.”

Indicators of Compromise

  • [File name] – autofill-profiles.json, formhistory.sqlite, logins.json, cookies.sqlite, key4.db (Firefox profile files); Electrum\config, Sparrow\wallets, Coinomi\wallets, Electrum-LTC\wallets (desktop wallet data paths); further targeted files are listed in the article
  • [MD5] – 45f0b444f8de5bf28ffc312212935284, 8058b771b506f0ac785b55e6e16e012e
  • [Registry Key] – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1, HKCU\SOFTWARE\Etherdyne\Etherwall\geth
  • [Extension ID] – bhghoamapcdpbohphigoooaddinpkbai (one of the password manager/2FA extensions enumerated; the full ID list is in the article)
  • [Crypto wallet Extension IDs] – nkbihfbeogaeaoehlefnkodbefgpgknn, ejbalbakoplchlghecdalmeeeajnimhm (MetaMask, Chrome Web Store and Microsoft Edge Add-ons builds); further wallet IDs are listed in the article
  • [URL] – https://api.ipify.org (public IP lookup used by Meduza to learn the victim’s external address)
  • [Server location] – a VirusTotal graph places the attacker’s server in Germany
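The workflow and IoCs above combine naturally into a correlation rule: a single non-browser process that reads the per-user Uninstall registry branch, opens browser credential stores and resolves api.ipify.org is far more telling than any one of those events on its own, since each is individually common. The following Python is an added example, not Uptycs’ code and not the YARA rule the article describes; the telemetry schema, the process names and the browser allow-list are assumptions made for illustration, and the sample events are constructed.

```python
"""Correlate endpoint telemetry against the Meduza Stealer workflow summarized above.

Added example, not Uptycs' code or its YARA rule. The event format, process
names and browser allow-list are assumptions; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict

# Taken from the IoC list above.
KNOWN_MD5 = {"45f0b444f8de5bf28ffc312212935284", "8058b771b506f0ac785b55e6e16e012e"}
IP_LOOKUP_HOSTS = {"api.ipify.org"}
CRED_FILES = {  # browser credential/cookie stores named in the article (lower-case leaf names)
    "login data", "cookies", "web data", "local state",
    "logins.json", "key4.db", "cookies.sqlite", "formhistory.sqlite", "autofill-profiles.json",
}
# The stealer reads per-user uninstall entries to find Telegram/Steam/Discord (T1012).
UNINSTALL_KEY = r"hkcu\software\microsoft\windows\currentversion\uninstall"
# Assumed allow-list: browsers legitimately open their own credential stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def classify(event):
    """Map one telemetry event to the ATT&CK technique it evidences, or None."""
    kind = event["type"]
    if kind == "process" and event.get("md5", "").lower() in KNOWN_MD5:
        return "IOC:MD5"  # a known-sample hash is sufficient on its own
    if kind == "registry" and event["key"].lower().startswith(UNINSTALL_KEY):
        return "T1012"
    if kind == "file":
        leaf = event["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if leaf in CRED_FILES:
            return "T1555.003"
    if kind == "dns" and event["query"].lower() in IP_LOOKUP_HOSTS:
        return "T1071.001"
    return None


def correlate(events, min_stages=3):
    """Group events by pid; return {pid: sorted techniques} for suspicious processes.

    A process is reported when its hash matches a known sample, or when it shows
    at least `min_stages` distinct workflow stages. Credential-store reads by a
    browser image are discounted so normal browser activity is not flagged.
    """
    stages = defaultdict(set)
    images = {}
    for ev in events:
        images.setdefault(ev["pid"], ev["image"].lower())
        tech = classify(ev)
        if tech:
            stages[ev["pid"]].add(tech)
    hits = {}
    for pid, techs in stages.items():
        if images[pid] in BROWSER_IMAGES:
            techs = techs - {"T1555.003"}
        if "IOC:MD5" in techs or len(techs) >= min_stages:
            hits[pid] = sorted(techs)
    return hits


# Constructed telemetry: one stealer-like process, one browser, one hash-only match.
SAMPLE_EVENTS = [
    {"type": "registry", "pid": 4242, "image": "build.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1"},
    {"type": "file", "pid": 4242, "image": "build.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 4242, "image": "build.exe",
     "path": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"},
    {"type": "dns", "pid": 4242, "image": "build.exe", "query": "api.ipify.org"},
    {"type": "file", "pid": 1001, "image": "chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "pid": 1001, "image": "chrome.exe", "query": "api.ipify.org"},
    {"type": "process", "pid": 77, "image": "updater.exe",
     "md5": "45f0b444f8de5bf28ffc312212935284"},
]

if __name__ == "__main__":
    for pid, techs in correlate(SAMPLE_EVENTS).items():
        print(pid, techs)
```

Run as-is, only build.exe (three distinct stages) and updater.exe (hash match) are reported; chrome.exe resolving api.ipify.org and reading its own Login Data stays quiet. The threshold is the tuning knob: an ipify lookup or an Uninstall-branch read alone will fire constantly on a real fleet, so the rule should only escalate on the combination, and the screenshot stage (T1113) can be added as a fourth signal wherever the EDR exposes the relevant API telemetry.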

Read more: https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work