Hi!
I would like to share the rule for Medusa Stealer. The rule is simple but effective: 36 bytes of content containing the encoded “chromium_browsers” substring, which does not require padding.
I track this threat; if they change the custom protocol scheme, I will come back with an update.
alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Medusa Stealer Exfiltration";flow: established, to_server; stream_size: server, =, 1; content: "ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog";depth: 36; classtype: credential-theft; reference:md5,6c2283c27a3ac1164aad01f982f17db3; reference:url,app.any.run/tasks/cf27f0ec-1be0-4353-82fc-d392eaa8b24b; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family MedusaStealer, created_at 2023_06_17; sid: 8000209; rev: 1;)
Initially, it was not clear what it was, but @g0njxa helped me figure it out, thanks to him!
Best regards, Jane)
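A small check of why the 36-byte content works, added here as an example (it is not part of the original post or of any ANY.RUN tooling): 36 base64 characters decode to exactly 27 bytes, so the content carries no `=` padding, and any longer body that starts with the same 27 bytes encodes to the same 36-character prefix. The sample body and the `matches_rule` emulation of `content`/`depth` are constructed assumptions.

```python
import base64

# Content string taken from the rule above and the depth it is matched within.
RULE_CONTENT = b"ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog"
DEPTH = 36

# Constructed sample exfiltration body (hypothetical, not a real capture):
# a JSON object whose first key is "chromium_browsers".
SAMPLE_BODY = b'{\n    "chromium_browsers": [{"name": "Chrome"}]}'


def decoded_prefix(content: bytes = RULE_CONTENT) -> bytes:
    """Decode the rule's base64 content; 36 chars -> 27 bytes, no '=' padding."""
    return base64.b64decode(content)


def matches_rule(stream: bytes) -> bool:
    """Simplified emulation of `content:...; depth:36;` on the first
    client-to-server bytes: the 36-byte content must sit entirely within
    the first 36 bytes, i.e. at offset 0."""
    return RULE_CONTENT in stream[:DEPTH]


def base64_prefix_stable(body: bytes, nbytes: int) -> bool:
    """True when base64(body) starts with base64(body[:nbytes]).

    This holds exactly when nbytes is a multiple of 3: a prefix that is not
    3-byte aligned encodes with '=' padding, which the full body's encoding
    never contains at that position. 27 bytes is such an aligned prefix,
    which is why the rule can match the JSON head without padding."""
    return base64.b64encode(body).startswith(base64.b64encode(body[:nbytes]))


if __name__ == "__main__":
    print(decoded_prefix())                      # b'{\n    "chromium_browsers": '
    print(matches_rule(base64.b64encode(SAMPLE_BODY)))  # True
    print(base64_prefix_stable(SAMPLE_BODY, 27))        # True
    print(base64_prefix_stable(SAMPLE_BODY, 26))        # False
```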