New Medusa Botnet Emerging Via Mirai Botnet Targeting Linux Users – Cyble

A Mirai-driven botnet variant is dropping Medusa, a Python-based botnet, onto Linux targets to perform DDoS, ransomware, brute-force attacks, and data exfiltration. The article details the Medusa botnet's client, its C2 communications, its attack methods, and the IOCs involved, including hashes and URLs.

Keypoints

  • CRIL identified a Mirai variant that downloads and propagates the Medusa botnet on Linux devices.
  • Medusa is Python-based and retrieved via a medusa_stealer.sh payload executed after Mirai connects to its C2.
  • The Medusa botnet client accepts four parameters (method, IP, port, timeout) that select and direct its actions, such as DDoS, ransomware, and brute-force attacks.
  • Medusa can launch DDoS attacks at Layer 3/4/7, using spoofed or non-spoofed IPs, aided by a spoofer() function to randomize sources.
  • MedusaRansomware encrypts user files with AES-256, targets specific extensions, sleeps for 24 hours, and destroys system drives while leaving a ransom note (the article notes this functionality is not fully reliable).
  • The brute-force workflow (ScanWorld) scans Telnet on port 23 with zmap and common credential lists to drop a payload.
  • Exfiltration sends stolen data to medusa-stealer.cc using a POST with a custom user agent; system info is collected prior to transfer.
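The ScanWorld behaviour described above (zmap-style sweeps of TCP/23 from an infected host) has a simple network signature: one source touching many distinct destinations on port 23 within a short window. The following is an added detection example, not code from the Cyble article or from the malware; the flow records are constructed, and the window and threshold values are assumptions to tune per environment.

```python
"""Flag hosts whose outbound Telnet traffic looks like a zmap-style scan.

Added example for this summary; it is not part of the Cyble article.
Flow lines are constructed in the form: "<ISO timestamp> <src> <dst> <dport> <proto>".
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records (not real telemetry):
    - 10.0.0.5 sweeps 40 distinct hosts on TCP/23 within 40 seconds (scanner-like)
    - 10.0.0.7 opens three Telnet sessions to admin devices over ten minutes (benign)
    - 10.0.0.9 talks to 60 distinct hosts on TCP/443 (busy, but not Telnet)
    """
    lines = []
    base = datetime(2023, 2, 3, 10, 0, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 198.51.100.{i + 1} 23 tcp")
    for i, dst in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 {dst} 23 tcp")
    for i in range(60):
        ts = (base + timedelta(seconds=i // 6)).isoformat()
        lines.append(f"{ts} 10.0.0.9 203.0.113.{i + 1} 443 tcp")
    return lines


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_telnet_scanners(lines, window_seconds=60, min_targets=20):
    """Return {src: max distinct TCP/23 destinations seen in any window}
    for sources that reach min_targets or more. Thresholds are assumptions."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport == 23:
            per_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)   # distinct destinations inside the sliding window
        left = 0
        best = 0
        for right, (ts, dst) in enumerate(events):
            counts[dst] += 1
            # Shrink the window from the left until it spans <= window_seconds.
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_telnet_scanners(build_sample_flows()).items():
        print(f"possible Telnet scanner: {src} reached {n} distinct hosts on TCP/23")
```

Only the sweeping host is reported; the legitimate admin workstation and the busy HTTPS client stay below the threshold because the rule keys on distinct Telnet destinations per window rather than on raw connection counts.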

MITRE Techniques

  • [T1518.001] Security Software Discovery – Not clearly demonstrated in article, but listed under MITRE Techniques;
    “Security Software Discovery”
  • [T1071] Application Layer Protocol – The malware communicates with its C&C IP address;
    “The figure below illustrates the malware’s communication with its Command and Control (C&C) IP address.”
  • [T1095] Non-Application Layer Protocol – The malware can perform DDoS attacks across network layers;
    “The malware can execute the following DDoS attacks on different levels of the network layer.”
  • [T1571] Non-Standard Port – The Medusa botnet client uses a port parameter;
    “Port: Port Number of the Victim.” and “The medusa botnet client receives four parameters: method, IP, port, and timeout.”

Indicators of Compromise

  • [SHA256] Mirai Binary (medusa_stealer.x86) – 2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c, 87b5ba7d… and 2 more hashes
  • [SHA1] Mirai Binary (medusa_stealer.x86) – 54c67bb062d73ae9fabf5f0e1e2136e05cb6e69b, dc6ea04feb31eb9539f577d7965d0fb925dd7e52
  • [MD5] Mirai Binary (medusa_stealer.x86) – ed64d941fd8603196c0e31ae58c1992d, 14655930fab2319ff9cd5187a0caa242
  • [URL] Medusa Delivering medusa_stealer.sh – hxxp://45.145.167[.]117/medusa_stealer.sh
  • [SHA256] medusa_stealer.sh File – 87b5ba7d…, and 2 more
  • [SHA1] medusa_stealer.sh File – c059eec897c48b81cfc6a6765e176cc88231c31e
  • [MD5] medusa_stealer.sh File – e3a08ffb7106ece9612d3aa8078a8287
  • [SHA256] Malicious Python Script (clientv2.py) – 2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33, 3bcbc498de18d91a1d05e428fa94e4145959fbd2
  • [SHA1] Malicious Python Script (clientv2.py) – 088332f4ff6b6a12f094a429d6f60ec500d3d85b, dc6ea04feb31eb9539f577d7965d0fb925dd7e52
  • [MD5] Malicious Python Script (clientv2.py) – 336674857b5ede1e09daeff1a14adedc, 14655930fab2319ff9cd5187a0caa242
  • [URL] Medusa C&C Server URL – medusa-stealer[.]cc
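The indicators above are published defanged (hxxp, [.]), and the third value listed under the clientv2.py SHA256 entry is only 40 hex characters long, which is the length of a SHA1, not a SHA256. Before loading such a list into a blocklist or SIEM, a practitioner normally refangs the network indicators and checks that each hash matches the length of its stated algorithm. The block below is an added example written for this summary, not code from the article; it copies a few indicators from the list above, and the proxy-log lines and the user-agent strings in them are constructed placeholders (the article does not publish the actual custom user agent).

```python
"""Refang, sanity-check and match the Medusa IOCs from the list above.

Added example for this summary; not part of the Cyble article.
"""
import re
from urllib.parse import urlparse

# Network indicators copied from the IOC list, as published (defanged).
NETWORK_IOCS = [
    "hxxp://45.145.167[.]117/medusa_stealer.sh",
    "medusa-stealer[.]cc",
]

# A subset of the labelled hashes from the IOC list, copied as published.
LABELLED_HASHES = [
    ("SHA256", "2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c"),
    ("SHA256", "2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33"),
    ("SHA256", "3bcbc498de18d91a1d05e428fa94e4145959fbd2"),  # published under SHA256, but 40 hex chars
    ("SHA1", "54c67bb062d73ae9fabf5f0e1e2136e05cb6e69b"),
    ("MD5", "ed64d941fd8603196c0e31ae58c1992d"),
]

# Constructed proxy-log lines: "<ts> <client> <method> <url> "<user-agent>"".
# The user-agent values are placeholders, not the real Medusa string.
SAMPLE_PROXY_LOG = [
    '2023-02-03T10:01:02 10.0.0.5 GET http://45.145.167.117/medusa_stealer.sh "Wget/1.21"',
    '2023-02-03T10:05:00 10.0.0.5 POST http://medusa-stealer.cc/ "PLACEHOLDER-CUSTOM-UA"',
    '2023-02-03T10:05:10 10.0.0.8 GET https://example.com/ "Mozilla/5.0"',
    '2023-02-03T10:06:00 10.0.0.8 GET http://medusa-stealer.cc.example.net/ "Mozilla/5.0"',
]

HASH_ALGO_BY_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def refang(ioc):
    """Turn a defanged indicator back into its usable form."""
    return ioc.replace("hxxps", "https").replace("hxxp", "http").replace("[.]", ".")


def classify_hash(value):
    """Return MD5/SHA1/SHA256 from hex length, or None if not a plain hex digest."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HASH_ALGO_BY_LEN.get(len(value))


def check_hash_labels(labelled):
    """List (label, hash, algorithm implied by length) for mislabelled entries."""
    return [(lbl, h, classify_hash(h)) for lbl, h in labelled if classify_hash(h) != lbl]


def ioc_hosts(iocs):
    """Extract the host portion of each refanged URL or bare domain, lower-cased."""
    hosts = set()
    for ioc in iocs:
        clean = refang(ioc)
        parsed = urlparse(clean if "://" in clean else "//" + clean)
        hosts.add(parsed.hostname.lower())
    return hosts


PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def match_proxy_log(lines, hosts):
    """Return (client, host, method) for requests whose exact host is an IOC."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        _ts, client, method, url, _ua = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host in hosts:  # exact match, so medusa-stealer.cc.example.net is not flagged
            hits.append((client, host, method))
    return hits


if __name__ == "__main__":
    for lbl, h, actual in check_hash_labels(LABELLED_HASHES):
        print(f"label {lbl} but length implies {actual}: {h}")
    for client, host, method in match_proxy_log(SAMPLE_PROXY_LOG, ioc_hosts(NETWORK_IOCS)):
        print(f"{client} {method} -> {host}")
```

The exact-host comparison is deliberate: a substring match on "medusa-stealer.cc" would also hit unrelated names that merely contain it, and the length check catches hashes that were filed under the wrong algorithm before they silently fail to match anything.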

Read more: https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/