Heimdal
Security researchers discovered a new Windows-based data-stealing malware dubbed Meduza Stealer. The new info stealer allegedly has detection-evading features and can collect data about both Windows users and systems. However, it deliberately stops running on victims located in a certain number of countries.

What Is the Meduza Infostealer Used for?

According to the researchers, Meduza Stealer collects various sensitive data about both users and systems. In addition, the new Meduza Stealer malware is easy to obtain and use, and its developer markets it intensively on malicious forums.

It’s currently being offered for sale on underground forums such as XSS and Exploit.in and a dedicated Telegram channel as a recurring subscription that costs $199 per month, $399 for three months, or $1,199 for a lifetime license. The information pilfered by the malware is made available through a user-friendly web panel.

User data it steals from browsers:

  • login credentials,
  • browsing history,
  • vulnerable extensions like crypto wallets,
  • password managers,
  • two-factor authentication (2FA) extensions.

System-related data:

  • geographical location and time zone,
  • screenshots and usernames,
  • system build and computer name,
  • CPU specifications,
  • RAM specifications,
  • execution path,
  • hardware ID details,
  • public IP address,
  • operating system details.

How Does the Meduza Infostealer Work?

Once it successfully infects an endpoint, the malware checks its geolocation. It doesn't move to the next step if the victim is based in Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Tajikistan, Armenia, Kyrgyzstan, or Moldova.

Like any other malware, Meduza Stealer will next try to establish a connection with the command-and-control server. After it becomes active, the info stealer uses various Windows APIs to collect system-related data.

The malware is also able to read the browser history, cookies, login data, web data, and similar artifacts. Furthermore, Meduza can scan the Telegram Desktop application, access Discord folders, and even try to collect ID details of password manager and two-factor authentication (2FA) apps. Obtaining 2FA codes and exploiting password manager vulnerabilities can give attackers unauthorized access to the user's accounts.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.