
Medusa botnet returns as a Mirai-based variant with ransomware sting

A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer.

Medusa is an old malware strain (not to be confused with the same-name Android trojan) that has been advertised on darknet markets since 2015 and later added HTTP-based DDoS capabilities in 2017.

Cyble has told BleepingComputer that the new variant they spotted in the wild is the continuation of that old malware strain. Its latest version is based on the leaked source code of the Mirai botnet, inheriting its Linux targeting capabilities and extensive DDoS attack options.

Moreover, Medusa is now promoted as a MaaS (malware-as-a-service) for DDoS or mining via a dedicated portal. It promises service stability, client anonymity, support, an easy-to-use API, and adjustable pricing based on specific needs.

The Medusa malware website (BleepingComputer)

Ransomware function

What is particularly interesting in this new Medusa variant is a ransomware function that enables it to search all directories for valid file types to encrypt. The list of target file types consists mainly of documents and vector design files.

Filetypes targeted by Medusa (Cyble)

Valid files are encrypted using AES 256-bit encryption, and the .medusastealer extension is appended to the encrypted files' names.

The malware's ransomware function (Cyble)

However, the encryption method appears broken, turning the ransomware into a data wiper.

After encrypting files on the device, the malware sleeps for 86,400 seconds (24 hours) and then deletes all files on the system drives.

Only after deleting the files does it display a ransom note asking for a payment of 0.5 BTC ($11,400), which is counter-intuitive for a successful extortion attempt.

Medusa ransom note (Cyble)

Cyble believes this is an error in the code, since the destruction of the system drives makes it impossible for victims to use their systems and read the ransom note. This bug also indicates that the new Medusa variant, or at least this feature, is still in development.

It is worth noting that while the new version of Medusa features a data exfiltration tool, it doesn't steal user files before encryption. Instead, it focuses on collecting basic system information that helps in identifying victims and estimating the resources that can be used for mining and DDoS attacks.

Data exfiltration from the breached system (Cyble)

Telnet attacks

Medusa also features a brute forcer that tries commonly used usernames and passwords against internet-connected devices. If successful, it then attempts to download an additional payload that Cyble has not been able to retrieve and analyze.

Next, Medusa executes the "zmap" command to find other devices with Telnet services running on port 23, and then tries to connect to them using the retrieved IP addresses and a combination of usernames and passwords.

Finally, upon establishing a Telnet connection, the malware infects the device with the primary Medusa payload ("infection_medusa_stealer").

The Telnet attack function (Cyble)
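The Telnet sweep described above leaves a network-level trace that defenders can look for: a single host opening connections to many distinct addresses on TCP port 23 within a short window. The following Python snippet is an added example, not code from the article or from Cyble's analysis; it runs that check over constructed flow-log lines, and the record format, the 60-second window and the five-target threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not taken from the article):
# "<ISO timestamp> <src ip> <dst ip> <dst port>", one per line.
SAMPLE_FLOWS = """\
2023-01-20T10:00:01 10.0.0.5 203.0.113.1 23
2023-01-20T10:00:01 10.0.0.5 203.0.113.2 23
2023-01-20T10:00:02 10.0.0.5 203.0.113.3 23
2023-01-20T10:00:02 10.0.0.5 203.0.113.4 23
2023-01-20T10:00:03 10.0.0.5 203.0.113.5 23
2023-01-20T10:00:03 10.0.0.5 203.0.113.6 23
2023-01-20T10:00:10 10.0.0.7 198.51.100.9 443
2023-01-20T10:00:11 10.0.0.7 198.51.100.9 443
2023-01-20T10:05:00 10.0.0.9 192.0.2.10 23
"""


def parse_flows(text):
    """Parse the assumed flow format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_telnet_scanners(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src: distinct_targets} for sources that contacted at least
    min_targets distinct hosts on TCP/23 inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 23:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        left, best = 0, 0
        for right in range(len(events)):
            # Slide the left edge until the window fits the time span.
            while events[right][0] - events[left][0] > window:
                left += 1
            best = max(best, len({dst for _, dst in events[left:right + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print(find_telnet_scanners(parse_flows(SAMPLE_FLOWS)))
```

The single Telnet connection from 10.0.0.9 and the HTTPS traffic from 10.0.0.7 are ignored; only the host fanning out across six port-23 targets in three seconds is reported.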

The final Medusa payload also has incomplete support for receiving the "FivemBackdoor" and "sshlogin" commands.

However, the corresponding code is not present in the client Python file yet, which is another sign of its ongoing development.
