Fortinet has identified a new Meduza Stealer variant that exploits CVE-2024-21412 and is delivered via malicious PDFs to bypass Windows SmartScreen. The stolen data is exfiltrated to a command-and-control server, with regional targeting including North America, Spain, and Thailand. #MeduzaStealer #CVE202421412 #GoDaddy #Fortinet #SmartScreen #PDF #NorthAmerica #Spain #Thailand
Keypoints
- Malware Variant: Meduza Stealer exploiting CVE-2024-21412.
- Delivery Method: Malicious PDF files bypassing SmartScreen warnings.
- Data Exfiltration: Stolen data sent to a command-and-control server.
- Target Regions: North America, Spain, and Thailand.
- Indicators of Compromise (IoCs): 16 IoCs comprising 13 domain names and 3 IP addresses, with many domains registered via GoDaddy and in the U.S.
- Additional Findings: Discovery of 9 email-connected domains and 18 additional IP addresses linked to threats.
- Research Availability: Full findings and artifacts are available for download from the researchers' website.
MITRE Techniques
- [T1203] Exploitation of Vulnerability: Exploits CVE-2024-21412 to deliver malware.
- [T1071] Command and Control: Data exfiltration to a command-and-control server.
- [T1074] Data Staged: Stolen data is prepared for exfiltration.
Indicators of Compromise
- [Domain] IoCs include 13 domain names; GoDaddy-registered domains comprise 69% of IoCs, and nine email-connected domains were discovered.
- [IP Address] IoCs include 3 initial IP addresses; 18 additional IP addresses discovered through DNS lookups and threat intelligence.
- [Email Address] IoCs include four historical email addresses in WHOIS; two public email addresses identified.
Read more: https://circleid.com/posts/20240823-a-closer-look-at-the-meduza-stealer-through-a-dns-deep-dive