Meduza malware targets browsers, password managers
A new malware dubbed Meduza Stealer has been discovered to be targeting Windows operating systems, and identified as a stealer of information from a large number of browsers, password managers, and cryptocurrency wallets.
Meduza Stealer has not yet been associated with any specific attacks. However, the malware is suspected to be spread through common methods used by information stealers, such as compromised websites and phishing emails.
Once launched, Meduza Stealer performs a geolocation check using the Windows GetUserGeoID function and terminates if the system is located in one of ten specific countries, including Russia, Kazakhstan, and Belarus. In other countries, it collects basic information on the infected system, such as the computer name, CPU/GPU/RAM/hardware details, operating system version, time zone, and current time, and takes a screenshot.
Meduza Stealer then hunts for data in the browser's User Data folder, searching for browser history, cookies, saved logins, and web data. About 97 browser variants are on the target list, including Chrome, Firefox, Microsoft Edge, Chromium, Amigo, URBrowser, Vivaldi, Kometa, UC Browser, NETGATE, and a host of others.
The malware also targets 19 password managers, including Authenticator 2FA, Trezor Password Manager, LastPass, 1Password, Authy, GAuth Authenticator, Dashlane Password Manager, Bitwarden Password Manager, NordPass, Keeper Password Manager, RoboForm, and others. It specifically targets browser extensions associated with two-factor authentication and password managers in order to extract their data.
Furthermore, Meduza Stealer shows a specific interest in cryptocurrency wallets, attempting to extract data from browser wallet extensions used to manage cryptocurrency assets. These extensions let users monitor account balances and conduct transactions directly within browsers such as Chrome and Firefox.
According to Uptycs Threat Research, the administrator of Meduza Stealer is also using sophisticated marketing methods to promote the malware across numerous cybercriminal sites. To tempt potential buyers, the administrator posts screenshots showing the malware evading detection by antivirus software. The offering also provides access to stolen data via a web panel, with several subscription tiers available at various price points.
The sources for this piece include an article in TechRepublic.