https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
NEW MEDUSA BOTNET EMERGING VIA MIRAI BOTNET TARGETING LINUX USERS

February 3, 2023

A BOTNET CAPABLE OF PERFORMING DDOS, RANSOMWARE, AND BRUTEFORCE ATTACKS

Since 2016, Mirai has been an active botnet that targets vulnerable Linux-based networking devices such as routers, IP cameras and other IoT devices. It exploits those vulnerabilities to gain complete control over the device, and with that control it can carry out various malicious activities, including Distributed Denial of Service (DDoS) attacks and downloading additional malware.

Cyble Research and Intelligence Labs (CRIL) has been keeping a close eye on MiraiBot activity and monitoring its behavior. Below are the statistics of the Mirai botnet attacks observed in January 2023 through the Cyble Global Sensor Intelligence (CGSI).

Figure 1 – Statistics of Mirai Botnet in January 2023

Recently, CRIL uncovered a variant of the Mirai botnet (SHA256: 2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c) that downloads and propagates a new botnet called the "Medusa Botnet". When run, the Mirai sample connects to its command and control (C&C) server, retrieves the file "medusa_stealer.sh" and executes it. The figure below illustrates the malware's communication with its C&C IP address.

Figure 2 – Malware Communicating to the C&C IP

The downloaded medusa_stealer.sh file contains the commands to download and execute the Medusa malware files on Linux machines. The content of medusa_stealer.sh is shown below.
Figure 3 – Content of medusa_stealer.sh File

At the time of analysis, the download links were unavailable. However, based on the C&C communication pattern, CRIL researchers were able to identify the Python source code of the Medusa botnet. The technical analysis below gives an overview of the features of the Medusa botnet, which is written in Python.

TECHNICAL ANALYSIS

MEDUSA BOTNET CLIENT

The Medusa botnet client receives four parameters: method, IP, port, and timeout, as shown below.

Figure 4 – Main Function of Medusa bot client

* Method: the command received from the C&C server, which selects the malicious activity to perform (DDoS attack, ransomware, brute-force attack, etc.)
* IP: IP address of the target
* Port: port number on the target
* Timeout: duration of the attack

DDOS ATTACK

The Medusa botnet can launch DDoS attacks at several levels of the network stack: Layer 3, Layer 4 and Layer 7. The attack traffic is sent either with spoofed source IP addresses or with the real IP address of the infected machine on which the client runs. For the spoofed variants the botnet uses the spoofer() function to generate random source IP addresses, which makes it difficult for the target to determine where the flood originates. The figure below illustrates the code of the spoofer() function.

Figure 5 – Generates Random IP Address

The malware can execute the following DDoS attack methods:

Spoofing attack methods: gre_spoof, icmp_spoof, udp_spoof, syn_spoof, ack_spoof, fin_spoof, rst_spoof, psh_spoof, http_get_flood, http_raw_flood, cloudflare_browser_flood

No-spoofing attack methods: gre_no_spoof, udp_no_spoof, handshake_no_spoof, ack_no_spoof, fin_no_spoof, rst_no_spoof, psh_no_spoof, syn_no_spoof

RANSOMWARE

The Medusa botnet can launch ransomware attacks on target machines using the MedusaRansomware() function.
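The spoofed flood methods only reach the target if the infected host's network forwards packets whose source address is not its own. The following is an added example (not code from the Cyble write-up or from the Medusa botnet) of the BCP 38 egress check that defeats them: it classifies each outbound packet's source as the site's own address, a reserved (bogon) address, or somebody else's routable address, and it computes how much of the IPv4 space a uniformly random spoofer() address lands in that is unroutable anyway. The site prefixes, the packet records and the thresholds are constructed for the example.

```python
"""BCP 38 egress check against spoofed-source flood traffic.

Added example; not code from the Cyble write-up or from the Medusa botnet.
Medusa's spoofer() fills the source field with random IPv4 addresses. A
network edge that only forwards packets whose source lies inside its own
assigned prefixes (BCP 38 / egress filtering) drops that traffic before it
leaves, and the non-spoof methods then expose the bot's real address.
The site prefixes and the packet records below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed: the prefixes this site legitimately originates traffic from.
# The TEST-NET ranges stand in for a real allocation, so they are deliberately
# left out of the bogon list below.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# Address space that is never a valid source on the public internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]


def classify_source(src, site_prefixes=SITE_PREFIXES):
    """Classify the source address of an outbound packet.

    'allowed' - inside one of the site's own prefixes: forward it
    'bogon'   - reserved/private space: drop (random sources hit this often)
    'spoofed' - routable but not ours: drop, it is someone else's address
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in site_prefixes):
        return "allowed"
    if any(addr in net for net in BOGONS):
        return "bogon"
    return "spoofed"


def egress_filter(packets, site_prefixes=SITE_PREFIXES):
    """Apply the check to (src, dst, proto) tuples.

    Returns (forwarded, verdict_counts): the packets that pass and a Counter
    of verdicts. A host producing a large 'spoofed'/'bogon' share is running
    one of the *_spoof methods.
    """
    forwarded = []
    counts = Counter()
    for src, dst, proto in packets:
        verdict = classify_source(src, site_prefixes)
        counts[verdict] += 1
        if verdict == "allowed":
            forwarded.append((src, dst, proto))
    return forwarded, counts


def bogon_fraction():
    """Share of the IPv4 space that a uniformly random spoofer() address
    falls into and that is unroutable regardless of the edge policy."""
    return sum(net.num_addresses for net in BOGONS) / 2 ** 32


# Constructed sample: two genuine packets from the infected host, two with a
# random routable source (a *_spoof flood), two that fell into bogon space.
SAMPLE_PACKETS = [
    ("203.0.113.25", "192.0.2.10", "udp"),    # real bot address (udp_no_spoof)
    ("198.51.100.7", "192.0.2.10", "tcp"),    # real bot address (syn_no_spoof)
    ("198.51.100.200", "192.0.2.10", "gre"),  # a neighbour's address, spoofed
    ("192.0.2.77", "192.0.2.10", "tcp"),      # somebody else's address, spoofed
    ("10.44.2.9", "192.0.2.10", "icmp"),      # random source in RFC 1918 space
    ("239.1.1.1", "192.0.2.10", "udp"),       # random source in multicast space
]

if __name__ == "__main__":
    forwarded, counts = egress_filter(SAMPLE_PACKETS)
    print("forwarded:", forwarded)
    print("verdicts:", dict(counts))
    print(f"unroutable share of random sources: {bogon_fraction():.1%}")
```

About 14% of uniformly random IPv4 sources are bogons and never leave the bot's network even without BCP 38; the remaining spoofed traffic is what an egress filter at the infected site's edge removes, which is why the no-spoof methods exist at all.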
This function walks all directories for files whose extensions appear in the "extensions" list, encrypts them and appends the ".medusastealer" extension to their file names. The ransomware encrypts the victim's files using a Python library with a 256-bit AES key. It skips system files and files that have already been encrypted. The figure below shows the list of extensions targeted by MedusaRansomware.

Figure 6 – List of extensions encrypted by Ransomware

The figure below shows the code snippet of the MedusaRansomware() function used for file encryption.

Figure 7 – Code snippet of Ransomware function

After encrypting the files, the ransomware sleeps for 24 hours and then forcefully deletes all the files present on the system drives, as shown below.

Figure 8 – Commands to destroy system drives

Finally, the ransomware function displays the ransom note containing instructions to recover the victim's encrypted files, as shown below.

Figure 9 – Medusa Stealer Ransom note

The ransom note is only displayed after the files have been destroyed, so the ransomware logic appears to be faulty in its implementation: by the time the note appears, the encrypted files it offers to recover have already been deleted.

BRUTEFORCE ATTACK AND ADDITIONAL PAYLOAD INJECTION

The Medusa bot can carry out brute-force attacks on Telnet services exposed to the internet using the ScanWorld() function. It performs the brute-force attack and injects an additional payload in the following steps:

* It starts by defining two lists, username_scanner and password_scanner, that contain commonly used usernames and passwords.
* It then downloads a payload file "client-tcp" using "wget" (URL: hxxps[:]//medusa-stealer[.]cc/payload/client-tcp) and stores it in the variable infection_medusa_stealer. The download link was unavailable during the analysis, so the exact purpose of "client-tcp" is not yet known.
* The function then runs zmap to scan for internet-connected devices with a Telnet service listening on port 23 and stores the results in the file "zmap.txt".
* It reads the IP addresses from "zmap.txt" and attempts to connect to the Telnet service on each of them.
* For each IP address it tries every combination of usernames and passwords from the username_scanner and password_scanner lists.
* Once a Telnet session is established with a working credential pair, the function delivers the malicious payload, infection_medusa_stealer, to the compromised device.

The figure below shows the code snippet of the ScanWorld() function used for brute-force attacks on Telnet services.

Figure 10 – ScanWorld() function used for brute-force attack

FIVEMBACKDOOR AND SSH LOGIN

The Medusa botnet is equipped to receive the commands "FivemBackdoor" and "sshlogin", intended for backdoor access and SSH login attempts. However, the client Python file contains no corresponding code for these commands, which indicates that the Medusa botnet is either still under development or the analyzed files are incomplete.

EXFILTRATION

The send_data() function collects information about the system and sends it to the remote server at "hxxps://medusa-stealer[.]cc/add/bot". Internally it calls the all_data_system() function, which gathers the username, hostname, IP address, operating system, CPU and RAM usage, total number of CPU cores, and a unique identifier of the system. The collected information is stored in a dictionary variable "data" and returned by the function. send_data() then sends the victim's stolen information to the remote server in an HTTP POST request with a custom "User-Agent" header of "medusa-stealer/1.0". The figure below shows the code snippet of the send_data() function used for exfiltration.
Figure 11 – Code snippet for Exfiltration

CONCLUSION

With the growing popularity of Linux machines, Threat Actors have improved their methods for attacking these systems. In this case, the Threat Actors use the well-known Mirai Linux botnet to drop a new malware called the Medusa botnet, which not only has DDoS capabilities but can also carry out ransomware attacks and brute-force attacks, download additional payloads, and steal sensitive information from the victims' machines.

OUR RECOMMENDATIONS

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

* Avoid downloading pirated software from warez/torrent websites. The "Hack Tool" present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
* Use strong passwords and enforce multi-factor authentication wherever possible. The ScanWorld() routine described above only succeeds against devices that still answer to commonly used Telnet credentials.
* Update and upgrade your computer, mobile, and other connected devices.
* Refrain from opening untrusted links and email attachments without first verifying their authenticity.
* Educate employees on protecting themselves from threats like phishing/untrusted URLs.
* Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
* Monitor beaconing at the network level to block data exfiltration by malware or TAs.
* Enable Data Loss Prevention (DLP) solutions on the employees' systems.
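The network-level monitoring recommended above can also catch the ScanWorld() behaviour itself. From a connection log, the zmap phase appears as one source touching many hosts on tcp/23 in a short window, and the credential loop as repeated completed sessions from that source to the hosts that answered. The following is an added example (not code from the Cyble write-up or from the Medusa source) that applies those two checks to a constructed, Zeek conn.log-like record set; the window and the two thresholds are assumptions to tune for your environment.

```python
"""Detecting ScanWorld-style Telnet scanning and brute force in a conn log.

Added example; not from the Cyble write-up or the Medusa source. Medusa runs
zmap against port 23 and then tries credential pairs against every
responder, so in a network log one source touches many hosts on tcp/23 in a
short window and then reconnects repeatedly to the ones that answered.
The log below is constructed in a Zeek conn.log-like tab-separated layout:
ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state.
"""
from collections import defaultdict

WINDOW_SECONDS = 60      # assumption: span in which one sweep plus logins show up
SCAN_MIN_HOSTS = 5       # assumption: distinct tcp/23 targets per source per window
BRUTE_MIN_SESSIONS = 3   # assumption: completed tcp/23 sessions per target per window

# Constructed: 192.0.2.50 sweeps six hosts, then hammers the one that answered.
# 192.0.2.51 is SSH traffic and 192.0.2.52 a single Telnet session (noise).
SAMPLE_CONN_LOG = """\
1675400000.10\t192.0.2.50\t40001\t198.51.100.1\t23\ttcp\tS0
1675400000.20\t192.0.2.50\t40002\t198.51.100.2\t23\ttcp\tS0
1675400000.30\t192.0.2.50\t40003\t198.51.100.3\t23\ttcp\tSF
1675400000.40\t192.0.2.50\t40004\t198.51.100.4\t23\ttcp\tS0
1675400000.50\t192.0.2.50\t40005\t198.51.100.5\t23\ttcp\tREJ
1675400000.60\t192.0.2.50\t40006\t198.51.100.6\t23\ttcp\tSF
1675400003.00\t192.0.2.50\t40007\t198.51.100.3\t23\ttcp\tSF
1675400004.00\t192.0.2.50\t40008\t198.51.100.3\t23\ttcp\tSF
1675400005.00\t192.0.2.50\t40009\t198.51.100.3\t23\ttcp\tSF
1675400010.00\t192.0.2.51\t50001\t198.51.100.9\t22\ttcp\tSF
1675400011.00\t192.0.2.52\t50002\t198.51.100.3\t23\ttcp\tSF
1675400500.00\t192.0.2.50\t40010\t198.51.100.20\t23\ttcp\tS0
"""


def parse_conn_log(text):
    """Parse the tab-separated conn log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        events.append({"ts": float(ts), "src": orig_h, "dst": resp_h,
                       "dport": int(resp_p), "proto": proto, "state": state})
    return events


def detect_telnet_activity(events, window=WINDOW_SECONDS,
                           scan_min=SCAN_MIN_HOSTS, brute_min=BRUTE_MIN_SESSIONS):
    """Flag sources that behave like ScanWorld().

    scanners:   src -> most distinct tcp/23 targets seen in any one window
                (the zmap phase; half-open S0/REJ states count, a scan does
                not need the handshake to complete)
    bruteforce: (src, dst) -> most completed tcp/23 sessions to that target
                in any one window (the credential loop; only SF counts,
                because a login attempt needs an established session)
    """
    telnet = sorted((e for e in events if e["proto"] == "tcp" and e["dport"] == 23),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in telnet:
        by_src[e["src"]].append(e)

    scanners, bruteforce = {}, {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            # every event opens a candidate window; evs is time-sorted
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            targets = {e["dst"] for e in in_window}
            if len(targets) >= scan_min:
                scanners[src] = max(scanners.get(src, 0), len(targets))
            sessions = defaultdict(int)
            for e in in_window:
                if e["state"] == "SF":
                    sessions[e["dst"]] += 1
            for dst, n in sessions.items():
                if n >= brute_min:
                    key = (src, dst)
                    bruteforce[key] = max(bruteforce.get(key, 0), n)
    return {"scanners": scanners, "bruteforce": bruteforce}


if __name__ == "__main__":
    findings = detect_telnet_activity(parse_conn_log(SAMPLE_CONN_LOG))
    for src, n in findings["scanners"].items():
        print(f"scan: {src} probed {n} hosts on tcp/23 within {WINDOW_SECONDS}s")
    for (src, dst), n in findings["bruteforce"].items():
        print(f"brute force: {src} -> {dst}:23, {n} completed sessions")
```

The scan check deliberately counts half-open connections, because zmap never completes the handshake; the brute-force check deliberately counts only completed sessions, so a host that is merely scanned does not trip it. On the constructed log, only 192.0.2.50 is reported, and only 198.51.100.3 as its brute-force target.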
MITRE ATT&CK® TECHNIQUES

Tactic | Technique ID | Technique Name
Discovery | T1518.001 | Security Software Discovery
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1095 | Non-Application Layer Protocol
Command and Control | T1571 | Non-Standard Port

INDICATORS OF COMPROMISE (IOCS)

Indicator | Indicator Type | Description
2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c | SHA256 | Mirai Binary (medusa_stealer.x86)
54c67bb062d73ae9fabf5f0e1e2136e05cb6e69b | SHA1 | Mirai Binary (medusa_stealer.x86)
ed64d941fd8603196c0e31ae58c1992d | MD5 | Mirai Binary (medusa_stealer.x86)
hxxp://45.145.167[.]117/medusa_stealer.sh | URL | URL delivering medusa_stealer.sh file
87b5ba7da8aa64721baca0421a01e01bb1f1ca8a2f73daa3ca2f5857e353c182 | SHA256 | medusa_stealer.sh file
c059eec897c48b81cfc6a6765e176cc88231c31e | SHA1 | medusa_stealer.sh file
e3a08ffb7106ece9612d3aa8078a8287 | MD5 | medusa_stealer.sh file
2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33 | SHA256 | Malicious Python script (clientv2.py)
088332f4ff6b6a12f094a429d6f60ec500d3d85b | SHA1 | Malicious Python script (clientv2.py)
336674857b5ede1e09daeff1a14adedc | MD5 | Malicious Python script (clientv2.py)
bce94b214a6bae00b03ada34c66210d9143895d6c0be9e21c10e9951cc469fbf | SHA256 | Malicious Python script (clientv2.py)
dc6ea04feb31eb9539f577d7965d0fb925dd7e52 | SHA1 | Malicious Python script (clientv2.py)
ed24c7c0b73887e35f1c12ab0dda98fe | MD5 | Malicious Python script (clientv2.py)
48f5f09ddd7089a9397d26e219eb1a1a937c3238f7ecdc7cdfc5383141d77ad9 | SHA256 | Malicious Python script (clientv2.py)
3bcbc498de18d91a1d05e428fa94e4145959fbd2 | SHA1 | Malicious Python script (clientv2.py)
14655930fab2319ff9cd5187a0caa242 | MD5 | Malicious Python script (clientv2.py)
5799ee35a334f839bb666a0136ca2615390d0b7fb6a14875bafbfab3414045e9 | SHA256 | Malicious Python script (clientv2.py)
b2134b18e827402378da09a8dcd9da92509e8131 | SHA1 | Malicious Python script (clientv2.py)
1eee2293e51b01300c75b649715e472d | MD5 | Malicious Python script (clientv2.py)
medusa-stealer[.]cc | Domain | Medusa C&C server
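The exfiltration section and the IOC table together give three things to hunt for in a web proxy log: the dropper URL, the C&C domain (also the source of the client-tcp payload), and the custom User-Agent on the /add/bot POST. The following is an added example (not part of the Cyble write-up) that re-fangs the published indicators and runs them over a constructed proxy log, plus a hash lookup against the SHA256 values from the table. The log format, the internal client addresses and the observed file hashes are constructed; the benign hash is the SHA-256 of an empty file.

```python
"""Matching the published Medusa IOCs against proxy logs and file hashes.

Added example; not part of the Cyble write-up. Indicator values are the
ones in the IOC table (defanged with hxxp / [.] / [:] as published) and are
re-fanged before matching. The proxy log lines, client addresses and the
observed file hashes are constructed.
"""
import re
from urllib.parse import urlparse

C2_DOMAINS = {"medusa-stealer[.]cc"}
PAYLOAD_URLS = {
    "hxxp://45.145.167[.]117/medusa_stealer.sh",             # dropper script
    "hxxps[:]//medusa-stealer[.]cc/payload/client-tcp",      # client-tcp payload
}
EXFIL_USER_AGENT = "medusa-stealer/1.0"   # custom header on the /add/bot POST
SHA256_IOCS = {
    "2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c": "Mirai binary (medusa_stealer.x86)",
    "87b5ba7da8aa64721baca0421a01e01bb1f1ca8a2f73daa3ca2f5857e353c182": "medusa_stealer.sh",
    "2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33": "clientv2.py",
    "bce94b214a6bae00b03ada34c66210d9143895d6c0be9e21c10e9951cc469fbf": "clientv2.py",
    "48f5f09ddd7089a9397d26e219eb1a1a937c3238f7ecdc7cdfc5383141d77ad9": "clientv2.py",
    "5799ee35a334f839bb666a0136ca2615390d0b7fb6a14875bafbfab3414045e9": "clientv2.py",
}


def refang(indicator):
    """Turn a defanged indicator back into a matchable string."""
    return (indicator.replace("hxxp", "http")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


# Constructed proxy log layout: ts client method url status "user-agent"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
                      r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

SAMPLE_PROXY_LOG = """\
2023-02-07T10:00:01Z 10.0.0.5 GET http://45.145.167.117/medusa_stealer.sh 200 "Wget/1.21.3"
2023-02-07T10:00:09Z 10.0.0.5 POST https://medusa-stealer.cc/add/bot 200 "medusa-stealer/1.0"
2023-02-07T10:00:12Z 10.0.0.7 GET https://www.example.com/ 200 "Mozilla/5.0"
2023-02-07T10:01:30Z 10.0.0.9 GET https://medusa-stealer.cc/payload/client-tcp 404 "Wget/1.21.3"
"""


def match_proxy_log(lines):
    """Return (client, url, reasons) for every line that hits an indicator.

    The three checks are independent on purpose: the dropper fetch carries a
    stock wget User-Agent, the exfil POST is recognisable by its User-Agent
    even if the C&C host changes, and the domain check catches any other
    path served from the C&C domain.
    """
    domains = {refang(d) for d in C2_DOMAINS}
    urls = {refang(u) for u in PAYLOAD_URLS}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        host = urlparse(rec["url"]).hostname
        reasons = []
        if host in domains:
            reasons.append("c2-domain")
        if rec["url"] in urls:
            reasons.append("payload-url")
        if rec["ua"] == EXFIL_USER_AGENT:
            reasons.append("exfil-user-agent")
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


def match_hashes(observed):
    """observed: {path: sha256 hex}; returns {path: description} for hits."""
    return {path: SHA256_IOCS[h.lower()] for path, h in observed.items()
            if h.lower() in SHA256_IOCS}


SAMPLE_HASHES = {  # constructed
    "/tmp/medusa_stealer.x86": "2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c",
    "/tmp/empty": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    for client, url, reasons in match_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{client} -> {url}: {', '.join(reasons)}")
    for path, what in match_hashes(SAMPLE_HASHES).items():
        print(f"{path}: {what}")
```

On the constructed log the dropper fetch is caught by URL only, the /add/bot POST by both domain and User-Agent, and the client-tcp request by domain and URL; the 404 on that last line mirrors the write-up's observation that the payload link was unavailable, which is still worth alerting on because it shows the brute-force routine ran.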