A new class of Windows info-stealers is on the loose, stealing highly sensitive information and employing ingenious methods to evade detection by security software.
The Uptycs cybersecurity researcher who discovered the malware, dubbed Meduza Stealer, said its sole purpose is “full-scale data theft” as it scours “users’ browsing activity, extracting large amounts of browser-related data.”
Crypto wallet extensions, password managers, and 2FA extensions are also vulnerable, the security firm added. To avoid detection, Meduza terminates itself if the connection to the threat actor’s server fails.
Interestingly, it also terminates itself if the victim’s system is located in certain countries, including members of the Commonwealth of Independent States (CIS) and Turkmenistan.
Meduza also collects data from Windows registry entries and installed game lists on targeted endpoints, indicating its far-reaching information extraction goals. The web panel interface also provided the attackers with details about what Meduza had stolen, as well as the ability to download or delete said data.
“This in-depth feature set demonstrates the complexity of Meduza Stealer, and the effort its creators were willing to go to ensure its success,” said Uptycs researchers.
It’s currently for sale on darknet forums and on the encrypted messaging app Telegram, priced at $199 a month for a subscription or $1,199 for a lifetime license.
The provision of malicious tools-as-a-service is fast becoming the norm, allowing criminals to carry out cyberattacks without technical knowledge—they simply rent the software to deal damage to others.
Malware developers are increasingly using dropper-as-a-service (DaaS) platforms, while ransomware-as-a-service (RaaS) models are also growing in popularity, according to research from antivirus firm Sophos. Such services are easy to use.