While looking at sites on hunter.how, a few interesting results showed up which are C2 (Command & Control) panels for Meduza Stealer; a member of the Aurora Stealer family.
As expected, Meduza Stealer's operators run 2 Telegram channels to advertise their RaaS platform and to publish updates.
From the above Telegram groups, we can conclude that the RaaS groups have approximately 1,400 members/operators, and that Meduza Stealer can exfiltrate information from browsers, crypto wallets, Telegram, Steam & Discord tokens, password managers and OpenVPN configs.
We can also see that the PE file is compiled from C++, is statically linked and has a size of ~600KB (assuming the PE hasn't been "pumped", which is also a feature available from the C2 panel).
Additional capabilites include:-
- 32/64 bit compatibility
- AV Evasion
- Self destruction
- Debugger detection
- File size manipulation
IOCs and Detection
From the shared antivirus scan results on the Telegram groups, I got 3 MD5 hashes.
The possible file hashes for Medusa.exe which were not reported on VirusTotal are:-
- 7b48e556ec6b4aa1be1343a923bc00e1
- 276d20ca34eb6caa7bbbe40326869dc
- 9d4f296762c2f907d9d5fb22a8930dcb
"Unpumped" PE file size: ~600KB
Back to the C2 panels, I found 52 of them using hunter.how and urlscan.io. They seem to have consistent attributes which helped in finding them:-
- Title: Medusa Stealer
- Script: index-zA6Sahgt.js
- Image: snake-lPgznXqp.png
- Image: profile-bXjbzb05.png
- Font: Comfortaa-VariableFont_wght-R_5AX4pn.ttf
- Image: Meduza-Xf1ectds.png
- Font: ds-greece-eWgboWnd.ttf
- Stylesheet: index-meiT9fTn.css
A sample scan of one of the C2 panels can be found here along with other helpful information.
Taking a look at where the C2 panels are hosted, the majority seem to be hosted in Germany, with fewer in Russia, Sweden and France.
Rules for detected samples can be found on MalwareBazaar, but for the sake of completeness, the following YARA rule matches the undetected hashes.
import "hash"
rule MeduzaStealer {
meta:
description = "Detects Meduza Stealer"
date = "28/2/2024"
strings:
$m0 = { 4D 5A } // MZ Header
$hash0 = "7b48e556ec6b4aa1be1343a923bc00e1" // Hash 1
$hash1 = "276d20ca34eb6caa7bbbe40326869dc" // Hash 2
$hash2 = "9d4f296762c2f907d9d5fb22a8930dcb" // Hash 3
condition:
$m0 at 0 and filesize >= 600KB and filesize <= 1MB and hash.md5 any of ($hash0, $hash1, $hash2)
}
Note: File hashes can easily be changed, and are not reliable methods for detection. For better detection, analysis of updated samples is required to find API calls, strings, file names, file sizes and communication signatures.
Diving deeper
From both Telegram channels that I found, it seemed that the "reseller" goes by the name MonkeyCents, who I also found to be operating another RaaS group called "GhostLocker".
A detailed research about GhostLocker can be found on Uptycs' website.