'Meduza Stealer' malware targets Windows users for data theft

Steals information including login credentials, browsing history, bookmarks and even installed games

Meduza Stealer malware focuses on infiltrating password managers, browsers, and cryptocurrency wallets


Cybersecurity researchers have discovered a new Windows-based malware strain dubbed "Meduza Stealer" that uses advanced data-theft techniques and is designed to evade detection.

The Uptycs Threat Research team came across the malware while monitoring dark web forums and Telegram channels.

They named it "Meduza Stealer" after its creator, a threat actor known as Meduza.

"Crafted by an enigmatic actor known as 'Meduza,' this malware has been specifically designed to target Windows users and organisations, currently sparing only ten specific countries from its reach," Uptycs wrote.

Those countries are notably all geographically and politically close to Russia.

"The Meduza Stealer has a singular objective: comprehensive data theft. It pilfers users' browsing activities, extracting a wide array of browser-related data."

Even password managers, crypto wallet extensions and two-factor authentication (2FA) extensions are susceptible, the researchers warned.

Meduza Stealer's creator has been promoting the new malware by demonstrating its ability to effectively bypass detection by well-known antivirus software.

The main objective appears to be data theft.

Uptycs reports that Meduza Stealer is capable of collecting data from 19 password manager apps, 76 crypto wallets and 95 web browsers, as well as applications like Discord and Steam.

Login credentials, browsing history, bookmarks and even a list of installed games are among the data collected.

Furthermore, the malware can gather system-related information from compromised devices, including the computer's name, system build, CPU specifications, GPU information, geographical location, hardware ID details, public IP address, RAM specifications, screen resolution and time zone.

Threat path

Upon successfully infiltrating a computer, the malware first performs a geolocation check.

It ceases its operation if the check reveals that the target user is located in Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova or Tajikistan.

If the location is not within the listed countries, the malware then checks whether the attacker's server is reachable. If the server cannot be reached, the stealer terminates its activity.

Only if both conditions are met does Meduza Stealer proceed with its data gathering, after which it uploads the collected data to the attacker's server.

As stated by Uptycs researchers, the Meduza Stealer admin has employed "sophisticated marketing strategies" to promote the malware across various cybercriminal marketplaces and forums.

In order to entice potential customers, the admin offers access to stolen data through a dedicated web panel.

Various subscription options are presented to prospective buyers, including a one-month plan for $199, a three-month plan for $399 or a lifetime plan.

Once a user subscribes, they gain complete access to the Meduza Stealer web panel.

"This feature allows subscribers to download or delete the stolen data directly from the web page, granting them an unprecedented level of control over their ill-gotten information," writes Uptycs.

Harsh consequences

Leaving Meduza Stealer unaddressed can result in severe consequences for affected individuals and organisations.

"While Meduza may be a recent addition to the realm of cybercrime and no specific attacks have been attributed to date, the risks it poses shouldn't be underestimated," the researchers warn.

Uptycs advises users to follow several precautionary measures to avoid falling victim to Meduza Stealer.

These include consistently installing updates for computers and applications; exercising caution when downloading files; utilising strong and unique passwords; and refraining from installing suspicious browser extensions.

Implementing these practices can boost cybersecurity and reduce the likelihood of being affected by Meduza Stealer.