New Version of Medusa Stealer Released in Dark Web

Meduza Stealer 2.2 has been released with broader client support (including browser-based cryptocurrency wallets) and enhanced credential/token dumping, positioning it as a rival to Azorult, Redline, Raccoon, and Vidar. The update brings a revamped interface and expanded data collection, with further upgrades planned for 2024; it is distributed through private channels on the Dark Web. #MeduzaStealer #TrueCryptService #Azorult #Redline #Vidar

Keypoints

  • Meduza Stealer 2.2 introduces support for more software clients, including browser-based cryptocurrency wallets, an improved credit-card (CC) grabber, and expanded password-store dumping across platforms.
  • It targets a wide range of Windows versions (Windows Server 2012/2016/2019/2022 and Windows 10/11), on which the seller claims it runs stably.
  • The stealer can extract data from numerous applications and services, including 106 browsers, 107 cryptocurrency wallets, 27 password managers, Telegram, Steam, Discord, OpenVPN, Outlook, and Google tokens.
  • Upgrades announced for 2024 include a local storage dump for Chromium-based browsers, Windows Credential Manager and Windows Vault dumps, Google token recovery, and improved obfuscation/evasion (some as paid options).
  • Meduza has partnered with TrueCrypt Service (a crypting service, not the TrueCrypt disk-encryption software) to obfuscate payloads and evade detection; crypting is requested through a Telegram bot.
  • Meduza Stealer 2.2 is marketed for rent at $199/month, with crypting services and private servers for hosting the C2 panel sold alongside; new tooling is shared through a private Telegram channel after subscription.

MITRE Techniques

  • [T1005] Data from Local System – Collects stored data and files from the infected host (wallet files, application data, saved credentials and tokens); “additional advanced mechanisms for password storage dump on various platforms to extract credentials and tokens.”
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Harvests saved logins from browser profiles; “106 browsers” are supported as part of the data theft scope.
  • [T1555.004] Credentials from Password Stores: Windows Credential Manager – Dumps Windows Credential Manager and Windows Vault data (a closer fit than the broader T1003 OS Credential Dumping, which covers LSASS/SAM-style extraction); “Windows Credential Manager and Windows Vault dump.”
  • [T1059.006] Command and Scripting Interpreter: Python – The operator-side C2 panel is written in Python; this describes attacker infrastructure rather than execution on the victim host, so it is weak evidence for victim-side Python activity; “The C2C panel has been upgraded and remained written in Python.”
  • [T1027] Obfuscated Files and Information – Payloads are run through a crypting service to evade antivirus; “crypting services… to obfuscate malicious payloads and evade AVs.”
  • [T1041] Exfiltration Over C2 Channel – Delivers logs through the C2 channel, which here is Telegram, so T1102 Web Service / T1567 Exfiltration Over Web Service also apply when building detections (Telegram API traffic from unexpected processes is the observable); “Meduza 2.2 communicates via Telegram IM to deliver logs from the infected victim.”

Indicators of Compromise

  • [MD5] – MeduzaV2.2Builder – 5D9E2C18B4A261519E121754CD682B25, EA6562FF5BCCA7182EEBC6F4E83DECAA
  • [MD5] – MeduzaV2.2Panel – EBA71E82CB96780B4711BF898067BA81
  • [File name] – MedusaServer.exe, server.py – names that appear alongside the hashes above; a file-name match on its own is weak evidence and should be confirmed by hash or content
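
A small sweep script that hashes every file under a directory and matches it against the MD5s and file names listed above, as an added example (not code from the original article or from Resecurity). The sample directory tree it builds is constructed for the demo and contains no malware; the extra MD5 of the string "abc" is added only so the demo can show a hash hit, since the real builder/panel hashes cannot be reproduced here. Note that these hashes identify the operator-side builder and panel, not the crypted stub that lands on victims, so a hash sweep is most useful on seized infrastructure or analyst shares rather than as endpoint detection.

```python
"""IoC sweep: MD5 and file-name matching against the Meduza 2.2 indicators above."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5s from the Indicators of Compromise list on this page (lower-cased for matching).
MEDUZA_IOC_MD5 = {
    "5d9e2c18b4a261519e121754cd682b25": "MeduzaV2.2Builder",
    "ea6562ff5bcca7182eebc6f4e83decaa": "MeduzaV2.2Builder",
    "eba71e82cb96780b4711bf898067ba81": "MeduzaV2.2Panel",
}

# File names listed alongside the hashes; a name match alone is weak evidence.
MEDUZA_IOC_NAMES = {"medusaserver.exe", "server.py"}


def md5_bytes(data: bytes) -> str:
    """Hex MD5 of an in-memory buffer (used for small samples and tests)."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex MD5 of a file, streamed in 1 MiB chunks so large files do not load into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, md5_set=None, names=None):
    """Walk `root` and return hits as (path, kind, label).

    kind is 'hash' for an MD5 match (strong) or 'name' for a file-name match (weak).
    A hash match takes precedence; unreadable files are skipped rather than aborting.
    """
    md5_set = MEDUZA_IOC_MD5 if md5_set is None else md5_set
    names = MEDUZA_IOC_NAMES if names is None else names
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = md5_file(p)
            except OSError:
                continue
            if digest in md5_set:
                hits.append((p, "hash", md5_set[digest]))
            elif name.lower() in names:
                hits.append((p, "name", name))
    return hits


def demo():
    """Build a constructed sample tree (no real malware) and sweep it.

    Returns hits with paths relative to the temp root, sorted for determinism.
    """
    with tempfile.TemporaryDirectory() as root:
        Path(root, "notes.txt").write_bytes(b"hello")          # benign, no hit
        Path(root, "server.py").write_bytes(b"print('demo')")  # name hit only
        tools = Path(root, "tools")
        tools.mkdir()
        tools.joinpath("stub.bin").write_bytes(b"abc")          # hash hit via demo entry
        # Demo-only extra indicator: MD5("abc"). Not a real Meduza hash.
        extra = dict(MEDUZA_IOC_MD5)
        extra[md5_bytes(b"abc")] = "Demo-hash-of-abc"
        hits = sweep(root, md5_set=extra)
        return sorted(
            (os.path.relpath(p, root).replace(os.sep, "/"), kind, label)
            for p, kind, label in hits
        )


if __name__ == "__main__":
    for path, kind, label in demo():
        print(f"{kind:4} {label:20} {path}")
```

Swap in a directory of interest for `root` (or feed `sweep` a mounted image) and treat `hash` hits as confirmed, `name` hits as leads to triage. Because the page says payloads are pushed through a crypting service, expect victim-side samples to carry different hashes from the builder and panel listed here.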

Read more: https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web