A new Windows infostealer is on the loose, stealing highly sensitive information and featuring clever ways to evade detection by security software.
Known as the Meduza Stealer, its sole purpose is “comprehensive data theft,” according to cybersecurity researchers at Uptycs who discovered the malware, as it scours “users’ browsing activities, extracting a wide array of browser-related data.”
The security firm added that crypto wallet extensions, password managers and 2FA extensions are also vulnerable. In order to avoid detection, Meduza terminates itself if connection with the threat actor’s server fails.
Self-termination
Interestingly, it also self-terminates if the victim’s system is located in certain countries, such as those within the Commonwealth of Independent States (CIS) and Turkmenistan.
Meduza also gathers data from Windows Registry entries and a list of installed games on the target’s endpoint, indicating its far-reaching information extraction goals. A web panel interface also gives the attacker details on what Meduza has managed to steal, as well as the ability to download or delete said data.
According to the researchers at Uptycs, “This in-depth feature set showcases the sophisticated nature of the Meduza Stealer and the lengths its creators are willing to go to ensure its success.”
It is currently for sale on dark web forums and the encrypted messaging app Telegram, with a monthly subscription costing $199 and a lifetime license $1,199.
Providing malicious tools as a service is fast becoming the norm, allowing criminals to carry out cyberattacks without needing technical knowledge – they merely rent the software used to deal the damage from others.
Research by antivirus firm Sophos claims to show that dropper-as-a-service (DaaS) platforms are being used more and more by malware developers, and ransomware-as-a-service (RaaS) models are becoming more popular too, again due to their ease of use by cybercriminals.