New Windows Meduza Stealer targets tens of crypto wallets and password managers

Pierluigi Paganini July 03, 2023

Researchers spotted a new Windows information stealer called Meduza Stealer, the authors employ sophisticated marketing strategies to promote it.

The Meduza Stealer can steal browsing activities and extract a wide array of browser-related data, including login credentials, browsing history and bookmarks. The malware also targets crypto wallet extensions, password managers, and 2FA extensions.

The authors are actively developing malware to evade detection, but no specific attacks have been attributed to the Meduza Stealer to date.

The malware admin declared that their operations do not involve any ransom activities. Like other malware, the malicious code doesn’t infect systems in the Commonwealth of Independent States (CIS region). The stealer prevents execution if the C2 server is unreachable. The researchers at Uptycs, who discovered the malware, noticed that the binary does not employ obfuscation techniques, but the malicious code has a low detection rate.

“What’s more concerning is that a large portion of antivirus software has proven ineffective against the Meduza stealer binary, either failing to detect it statically or dynamically” reads the analysis published by Uptycs. “But the real game-changer in their marketing strategy has been the pricing model and the added control provided to subscribers.”

The administrator offers access to the stolen data through a management console. The malware also collects a variety of data, including system info, browser info, password manager info, miner related registry info, and installed games info. 

Meduza Stealer

The author offers different subscription plans, including a one-month, three-month, and a lifetime access plan.

Meduza Stealer can target 19 password manager apps, 76 crypto wallets, steam client, and Discord.

“The stealer extracts ID details of password manager applications, 2FA, and cryptocurrency wallet extensions. These are of particular interest as they can contain valuable information and may have vulnerabilities that the attacker can exploit to gain unauthorized access to user accounts.” continues the analysis.

The stealer manages a predefined list of browsers that can target, it enumerates the “User Data” folder to read various browser-related data, including Browser History, Cookies, Login Data, Web Data, Login Data for Account, and Local State.

The report published by Uptycs includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ultimate Member plugin)



you might also like

leave a comment