![]() The malware gets configuration and related data from different Windows Registry keys: These extensions provide functionality for tasks such as monitoring account balances, conducting cryptocurrency transactions details.” There are 76 cryptocurrency wallets currently targeted by Meduza Stealer.įrom Uptycs Threat Research, “The malware attempts to extract cryptocurrency wallet extensions from web browsers via software plugins or add-ons that enable users to conveniently manage their cryptocurrency assets directly within web browsers like Chrome or Firefox. How Generative AI is a Game Changer for Cloud Security Cryptocurrency wallets Must-read security coverageĨ Best Penetration Testing Tools and Software for 2023Ħ Best Cybersecurity Certifications of 2023 Through gaining access to 2FA codes or exploiting weaknesses in password manager extensions, the attacker might be able to evade security protocols and achieve unauthorized access to user accounts. The malware specifically targets extensions associated with two-factor authentication and password managers with the intention of extracting data these extensions possess significant information and may contain vulnerabilities. LastPass, 1Password and Authy are just three of the password managers listed.įigure C Password managers targeted by Meduza Stealer. Nineteen password managers are targeted by Meduza Stealer based on their Extension ID ( Figure C). Chrome, Firefox and Microsoft Edge are just three of the browsers on the list.įigure B Browser list that’s embedded in the Meduza Stealer malware code. A list of 97 browser variants is embedded in the malware, showing a huge effort not to miss any data from browsers ( Figure B). ![]() Meduza Stealer hunts for data in the User Data folder it’s searching for browser-related information such as the browser history, its cookies, login and web data. Image: Uptycs Meduza Stealer’s massive theft capabilities Browsers Then, the malware is ready for its stealing operations ( Figure A).įigure A Meduza Stealer’s workflow. The next step for the malware consists of checking if it can reach the attacker’s server before starting to collect basic information on the infected system, such as computer name, CPU/GPU/RAM/Hardware details, operating system version’s precise build details, time zone and current time, username, public IP address, execution path and screen resolution. ![]() The malware stops working if the result indicates one of these 10 countries: Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova and Tajikistan. This function looks for a country value based on the system’s settings and not real geolocation information. Once Meduza Stealer is launched, the malware starts checking for its geolocation by using the Windows GetUserGeoID function. What happens when Meduza Stealer is launched?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |