Researchers have discovered a new version of the Medusa malware, which is based on the Mirai botnet code. This version has been available on dark web marketplaces since 2015 and can launch DDoS attacks over the HTTP protocol. It also carries a ransomware module and a Telnet brute-forcer.

The ransomware module checks all directories for valid file types to encrypt, then appends the .Medusastealer extension to the encrypted files. It then displays a ransom message demanding 0.5 BTC, but this appears to be a flaw in the code: it deletes all files on the system disks, which prevents victims from using their systems and from reading the ransom message.

The malware also includes a data exfiltration tool that collects system data to identify victims and estimate the resources available for mining and DDoS attacks. Its brute-forcer attempts to get into target systems by guessing their passwords repeatedly. It then uses the Zmap command to locate other devices running Telnet services on port 23 and attempts to establish a connection with those machines. If successful, it drops its main payload on the victim's machine. The final Medusa payload also contains unfinished support for the FivemBackdoor and Sshlogin commands.
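As an added defensive example, not code from the article or from the malware itself, the following Python detector flags two of the host-level signals described above over constructed log lines: a single source fanning out to many distinct hosts on TCP port 23 (Telnet scanning), and files renamed with the .Medusastealer extension. The log formats and the fan-out threshold are assumptions.

```python
# Added example: detection of Telnet scanning fan-out and .Medusastealer renames.
# The connection and file-event log formats and the threshold are assumed, not Medusa's own.
from collections import defaultdict

TELNET_FANOUT_THRESHOLD = 5  # distinct port-23 destinations per source (assumed value)


def parse_conn(line):
    """Parse an assumed record: '<ts> conn src=<ip> dst=<ip> dport=<port> proto=<p>'."""
    fields = dict(part.split("=", 1) for part in line.split()[2:])
    return fields["src"], fields["dst"], int(fields["dport"])


def telnet_scanners(conn_lines):
    """Return {src: sorted distinct dsts} for sources reaching >= threshold hosts on port 23."""
    fanout = defaultdict(set)
    for line in conn_lines:
        if " conn " not in line:
            continue
        src, dst, dport = parse_conn(line)
        if dport == 23:  # only Telnet connections count toward the fan-out
            fanout[src].add(dst)
    return {s: sorted(d) for s, d in fanout.items() if len(d) >= TELNET_FANOUT_THRESHOLD}


def medusa_renames(file_lines):
    """Return new paths from assumed '<ts> rename <old> <new>' records ending in .Medusastealer."""
    hits = []
    for line in file_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "rename" and parts[3].endswith(".Medusastealer"):
            hits.append(parts[3])
    return hits


# Constructed sample logs: one host probes six Telnet targets, another probes one.
SAMPLE_CONN = [
    f"2023-02-08T16:00:0{i} conn src=10.0.0.5 dst=10.0.1.{i} dport=23 proto=tcp" for i in range(1, 7)
] + [
    "2023-02-08T16:00:08 conn src=10.0.0.7 dst=10.0.1.9 dport=23 proto=tcp",
    "2023-02-08T16:00:09 conn src=10.0.0.5 dst=10.0.1.1 dport=80 proto=tcp",
]
SAMPLE_FILE = [
    "2023-02-08T16:01:00 rename /home/user/report.docx /home/user/report.docx.Medusastealer",
    "2023-02-08T16:01:01 rename /tmp/build.log /tmp/build.log.bak",
    "2023-02-08T16:01:02 create /home/user/notes.txt",
]

if __name__ == "__main__":
    print("telnet fan-out:", telnet_scanners(SAMPLE_CONN))
    print("medusa renames:", medusa_renames(SAMPLE_FILE))
```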
This Cyber News was published on heimdalsecurity.com. Publication date: Wed, 08 Feb 2023 16:26:03 +0000