URL: https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
NEW MEDUSA BOTNET EMERGING VIA MIRAI BOTNET TARGETING LINUX USERS

 * February 3, 2023




A BOTNET CAPABLE OF PERFORMING DDOS, RANSOMWARE, AND BRUTEFORCE ATTACKS



Since 2016, Mirai has been an active botnet that targets vulnerable Linux-based
networking devices. It exploits known vulnerabilities in routers, IP cameras,
and other IoT devices to gain complete control over the machine. With this
control, Mirai can carry out various malicious activities, including
Distributed Denial of Service (DDoS) attacks and downloading additional malware.

Cyble Research and Intelligence Labs (CRIL) has been keeping a close eye on the
actions of the MiraiBot and monitoring its behavior.

Below are the statistics of the Mirai botnet attacks observed in Jan-2023
through the Cyble Global Sensor Intelligence (CGSI).

Figure 1 – Statistics of Mirai Botnet in January 2023



Recently, CRIL uncovered a variant of the Mirai botnet (sha256:
2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c) that was
downloading and propagating a new botnet called the “Medusa Botnet”. When run,
the Mirai botnet connects to the command and control server and retrieves the
“medusa_stealer.sh” file, which it then executes.

The figure below illustrates the malware’s communication with its Command and
Control (C&C) IP address.

Figure 2 – Malware Communicating with the C&C IP



The downloaded medusa_stealer.sh file contains the commands to download and
execute Medusa malware files on Linux machines.

The content of the medusa_stealer.sh is shown below.

Figure 3 – Content of medusa_stealer.sh File



At the time of analysis, the download links were unavailable. However, based on
the C&C communication pattern, researchers at CRIL were able to identify the
Python source code of the Medusa botnet. The technical details section provides
an overview of the features of the Medusa botnet, which is written in Python.


TECHNICAL ANALYSIS




MEDUSA BOTNET CLIENT



The Medusa botnet client receives four parameters: method, IP, port, and
timeout, as shown below.

Figure 4  – Main Function of Medusa bot client



 * Method: This parameter receives various commands from the C&C server to
   perform malicious activities such as DDoS attacks, Ransomware, brute force
   Attack, etc.
 * IP: IP address of the victim
 * Port: Port Number of the Victim
 * Timeout: Timeout of the attack


DDOS ATTACK



The Medusa Botnet has the ability to launch Distributed Denial of Service (DDoS)
attacks on various levels of the network hierarchy, including Layer 3, Layer 4,
and Layer 7. These attacks can be carried out either by using spoofed IP
addresses or the IP address of the victim’s machine where the client is
installed. The botnet employs the spoofer() function to generate random IP
addresses, making it challenging for the victims to determine the origin of the
DDoS attack.

The figure below illustrates the code for the spoofer() function.

Figure 5  – Generates Random IP Address



The malware can execute the following DDoS attacks at different network
layers.

| Spoofing attack methods | No-spoofing attack methods |
| --- | --- |
| gre_spoof, icmp_spoof, udp_spoof, syn_spoof, ack_spoof, fin_spoof, rst_spoof, psh_spoof, http_get_flood, http_raw_flood, cloudflare_browser_flood | gre_no_spoof, udp_no_spoof, handshake_no_spoof, ack_no_spoof, fin_no_spoof, rst_no_spoof, psh_no_spoof, syn_no_spoof |


RANSOMWARE



The Medusa botnet can launch ransomware attacks on target machines using the
MedusaRansomware() function. This function searches all directories for files
with the extensions specified in the “extensions” list, encrypts them, and
appends the “.medusastealer” extension to their file names.

The ransomware encrypts the victim's files with a Python library that provides
AES encryption with a 256-bit key. It skips system files and files that have
already been encrypted.

The figure below shows the list of extensions targeted in the system by
MedusaRansomware.

Figure 6  – List of extensions encrypted by Ransomware



The below figure shows the code snippet of the MedusaRansomware() function used
for file encryption.

Figure 7  – Code snippet of Ransomware function



The Ransomware also sleeps for 24 hours after encrypting the files and
forcefully deletes all the files present in the system drives, as shown below.

Figure 8  – Commands to destroy system drives



Finally, the ransomware function displays the ransom note containing
instructions to recover the victim’s encrypted files, as shown below.

Figure 9  – Medusa Stealer Ransom note



The ransomware code is designed to display a ransom note after the files have
been destroyed, and it appears to be faulty in its implementation.


BRUTEFORCE ATTACK AND ADDITIONAL PAYLOAD INJECTION



The Medusa bot can carry out brute-force attacks on Telnet services running on
internet-connected devices using the ScanWorld() function. It performs the
brute-force attack and injects an additional payload in the following steps:

 * It starts by defining two lists, username_scanner and password_scanner, that
   contain commonly used usernames and passwords.
 * It then downloads a payload file, “client-tcp”, using “wget” (URL:
   hxxps[:]//medusa-stealer[.]cc/payload/client-tcp) and saves it in the
   variable infection_medusa_stealer. The download link was unavailable during
   the analysis, so the exact purpose of “client-tcp” is not yet known.
 * The function then executes the zmap command to scan for internet-connected
   devices with Telnet services running on port 23 and stores the results in a
   file, “zmap.txt”.
 * It then reads the IP addresses from “zmap.txt” and tries to connect to the
   Telnet services running on those IPs.
 * For each IP address, the function tries all combinations of usernames and
   passwords from the username_scanner and password_scanner lists.
 * If a Telnet login succeeds, the function sends the malicious payload,
   infection_medusa_stealer, to the connected system.

The figure below shows the code snippet of the ScanWorld() function used for
brute-force attacks on Telnet services.

Figure 10  – Scanworld() function used for brute-force attack




FIVEMBACKDOOR AND SSH LOGIN



The Medusa botnet is equipped to receive commands “FivemBackdoor” and
“sshlogin”, allowing for backdoor access and SSH login attempts. However, the
lack of corresponding code in the client Python file indicates that the Medusa
botnet is either still in its development stage or the analyzed files are
incomplete.


EXFILTRATION



The send_data() function collects various information about the system and
sends it to the remote server at “hxxps://medusa-stealer[.]cc/add/bot”.
Internally, send_data() calls the all_data_system() function, which collects
the username, hostname, IP address, operating system, CPU and RAM usage, total
number of CPU cores, and a unique identifier of the system. This information is
stored in a dictionary variable ‘data’ and returned by the function.

The send_data() function then sends the victim’s stolen information to the
remote server using the POST method along with a custom “User-Agent” header,
“medusa-stealer/1.0”. The image below shows the code snippet of the send_data()
function used for exfiltration.

Figure 11 – Code snippet for Exfiltration
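A defender-side check for the beacon described above, as an added example that is not part of the Cyble write-up or the malware: it classifies constructed proxy log lines against the indicators named in this post (the C&C domain, the POST to /add/bot, the “medusa-stealer/1.0” User-Agent, the client-tcp payload URL, and the dropper URL from the IOC table). The log layout, the sample lines and the function names are assumptions made for this example.

```python
"""Flag Medusa botnet network indicators in HTTP proxy log lines.

Added example, not code from the Cyble write-up or the malware itself; it
matches the indicators the analysis describes (C&C host medusa-stealer.cc,
POST /add/bot, User-Agent "medusa-stealer/1.0", dropper delivery IP).
"""
import re
from typing import List, Optional, Tuple
# Indicators from the write-up, with the defanging brackets removed.
C2_HOST = "medusa-stealer.cc"
EXFIL_PATH = "/add/bot"
PAYLOAD_PATH = "/payload/client-tcp"
BEACON_UA = "medusa-stealer/1.0"
DELIVERY_IP = "45.145.167.117"
DROPPER_NAME = "medusa_stealer.sh"

# Constructed proxy log layout: ts src method host path status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (source_ip, reason) if the line matches a Medusa indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    src, method, host, path, ua = (m[k] for k in ("src", "method", "host", "path", "ua"))
    if ua == BEACON_UA:
        return src, "User-Agent matches the Medusa exfiltration beacon"
    if host == C2_HOST and method == "POST" and path == EXFIL_PATH:
        return src, "POST to the Medusa /add/bot exfiltration endpoint"
    if host == C2_HOST and path == PAYLOAD_PATH:
        return src, "request for the Medusa client-tcp payload"
    if host == C2_HOST:
        return src, "other traffic to the Medusa C&C domain"
    if host == DELIVERY_IP and path.endswith("/" + DROPPER_NAME):
        return src, "fetch of the medusa_stealer.sh dropper from the delivery IP"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    # Run classify() over a whole log and keep the alerts in log order.
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample: one infected host (10.0.0.5) and one benign one (10.0.0.7).
SAMPLE_LOG = [
    '2023-02-03T10:00:01Z 10.0.0.5 GET 45.145.167.117 /medusa_stealer.sh 200 "Wget/1.21"',
    '2023-02-03T10:00:05Z 10.0.0.5 POST medusa-stealer.cc /add/bot 200 "medusa-stealer/1.0"',
    '2023-02-03T10:00:09Z 10.0.0.7 GET www.example.com /index.html 200 "Mozilla/5.0"',
    '2023-02-03T10:00:12Z 10.0.0.5 GET medusa-stealer.cc /payload/client-tcp 404 "Wget/1.21"',
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

The User-Agent rule is checked first because the beacon string is the most specific indicator; the bare C&C-domain rule catches traffic that uses a different path or client.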




CONCLUSION



With the growing popularity of Linux machines, Threat Actors have improved their
methods for attacking these systems. In this case, the Threat Actors are using
the well-known Mirai Linux botnet to drop a new malware called the Medusa
botnet, which not only has DDoS capabilities but can also carry out ransomware
and brute-force attacks, download additional payloads, and steal sensitive
information from the victims’ machines.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

 * Avoid downloading pirated software from warez/torrent websites. The “Hack
   Tool” present on sites such as YouTube, torrent sites, etc., mainly contains
   such malware.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible. 
 * Update and upgrade your computer, mobile, and other connected devices.
 * Refrain from opening untrusted links and email attachments without first
   verifying their authenticity. 
 * Educate employees on protecting themselves from threats like
   phishing/untrusted URLs.
 * Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
 * Monitor the beacon on the network level to block data exfiltration by malware
   or TAs.
 * Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.


MITRE ATT&CK® TECHNIQUES



| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Discovery | T1518.001 | Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1571 | Non-Standard Port |


INDICATORS OF COMPROMISE (IOCS)



| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c | SHA256 | Mirai Binary (medusa_stealer.x86) |
| 54c67bb062d73ae9fabf5f0e1e2136e05cb6e69b | SHA1 | Mirai Binary (medusa_stealer.x86) |
| ed64d941fd8603196c0e31ae58c1992d | MD5 | Mirai Binary (medusa_stealer.x86) |
| hxxp://45.145.167[.]117/medusa_stealer.sh | URL | URL Delivering medusa_stealer.sh File |
| 87b5ba7da8aa64721baca0421a01e01bb1f1ca8a2f73daa3ca2f5857e353c182 | SHA256 | medusa_stealer.sh File |
| c059eec897c48b81cfc6a6765e176cc88231c31e | SHA1 | medusa_stealer.sh File |
| e3a08ffb7106ece9612d3aa8078a8287 | MD5 | medusa_stealer.sh File |
| 2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33 | SHA256 | Malicious Python Script (clientv2.py) |
| 088332f4ff6b6a12f094a429d6f60ec500d3d85b | SHA1 | Malicious Python Script (clientv2.py) |
| 336674857b5ede1e09daeff1a14adedc | MD5 | Malicious Python Script (clientv2.py) |
| bce94b214a6bae00b03ada34c66210d9143895d6c0be9e21c10e9951cc469fbf | SHA256 | Malicious Python Script (clientv2.py) |
| dc6ea04feb31eb9539f577d7965d0fb925dd7e52 | SHA1 | Malicious Python Script (clientv2.py) |
| ed24c7c0b73887e35f1c12ab0dda98fe | MD5 | Malicious Python Script (clientv2.py) |
| 48f5f09ddd7089a9397d26e219eb1a1a937c3238f7ecdc7cdfc5383141d77ad9 | SHA256 | Malicious Python Script (clientv2.py) |
| 3bcbc498de18d91a1d05e428fa94e4145959fbd2 | SHA1 | Malicious Python Script (clientv2.py) |
| 14655930fab2319ff9cd5187a0caa242 | MD5 | Malicious Python Script (clientv2.py) |
| 5799ee35a334f839bb666a0136ca2615390d0b7fb6a14875bafbfab3414045e9 | SHA256 | Malicious Python Script (clientv2.py) |
| b2134b18e827402378da09a8dcd9da92509e8131 | SHA1 | Malicious Python Script (clientv2.py) |
| 1eee2293e51b01300c75b649715e472d | MD5 | Malicious Python Script (clientv2.py) |
| medusa-stealer[.]cc | URL | Medusa C&C Server URL |
