Researchers have discovered a new information stealer for Windows known as Meduza Stealer, which utilizes sophisticated marketing strategies to promote its malicious capabilities.
This malware is capable of stealing browsing activities and extracting a wide range of browser-related data, including login credentials, browsing history, and bookmarks. Additionally, it targets crypto wallet extensions, password managers, and 2FA extensions.
While the authors actively develop the malware to evade detection, no specific attacks have been attributed to Meduza Stealer thus far. The malware admin has stated that their operations do not involve ransom activities, and the code does not infect systems in the Commonwealth of Independent States (CIS) region. Furthermore, the stealer prevents execution if the command-and-control (C2) server is unreachable.
Researchers have observed that the binary does not employ obfuscation techniques, but the malicious code maintains a low detection rate.
One concerning aspect highlighted in the analysis published by Uptycs is that a significant portion of antivirus software has proven ineffective against the Meduza stealer binary, failing to detect it statically or dynamically. The marketing strategy employed by the malware’s administrator has proven to be a game-changer, primarily due to the unique pricing model and added control provided to subscribers.
Access to the stolen data is offered through a management console, and the malware collects various types of information, including system details, browser information, password manager data, miner-related registry information, and installed games information.
Meduza Stealer offers different subscription plans, ranging from one-month to lifetime access. It can target 19 password manager apps, 76 crypto wallets, the Steam client, and Discord.
The stealer specifically extracts ID details from password manager applications, 2FA, and cryptocurrency wallet extensions, which are of particular interest due to their potential vulnerability and valuable information. The malware manages a predefined list of browsers to target and enumerates the “User Data” folder to access various browser-related data, such as history, cookies, login data, and more. The Uptycs report provides Indicators of Compromise (IoCs) to aid in detecting and preventing Meduza Stealer attacks.
