Medusa Stealer

Hi!
I would like to share the rule on Medusa Stealer. The rule is simple but effective - 36 bytes of content containing the “chromium_browsers” encoding substring does not require padding.
I track this threat; if they change the custom protocol scheme, I will come back with an update.

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Medusa Stealer Exfiltration";flow: established, to_server; stream_size: server, =, 1; content: "ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog";depth: 36; classtype: credential-theft; reference:md5,6c2283c27a3ac1164aad01f982f17db3; reference:url,app.any.run/tasks/cf27f0ec-1be0-4353-82fc-d392eaa8b24b; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family MedusaStealer, created_at 2023_06_17; sid: 8000209; rev: 1;)

Initially, it was not clear what it was, but @g0njxa helped me figure it out, thanks to him!

Best regards, Jane)

1 Like

Thanks @Jane0sint !! This signature will go out in today’s release!

2 Likes

Here is the production sid/name :fire:
2046303 -[ANY.RUN] Medusa Stealer Exfiltration

2 Likes

Hello, @AnFam17 came out with material about this stealer

And now, I think, it’s time to change it to a Meduza :tipping_hand_woman:

2 Likes

Naming update will go out today :+1:

2 Likes

Hi, I want to suggest one more signature

# As posted, this rule carried two classtype keywords (credential-theft and trojan-activity); Suricata warns on a duplicated classtype (and rejects it in strict mode), so only trojan-activity is kept, matching the production M1 rule quoted below.
alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAgIkdyYWJiZXIiOiBbCiAg"; depth:28; classtype:trojan-activity; reference:md5,d1c95dfd50744b0133abd72801b8a0f3; reference:url,community.emergingthreats.net/t/medusa-stealer; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 4664493, malware_family Meduza, tag stealer, created_at 2024_02_13; sid:1; rev:1;)

and editing the message of an existing one

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog"; startswith; fast_pattern; reference:md5,6c2283c27a3ac1164aad01f982f17db3; reference:url,twitter.com/Jane_0sint/status/1670048531665518592; reference:url,app.any.run/tasks/cf27f0ec-1be0-4353-82fc-d392eaa8b24b; classtype:trojan-activity; sid:2046303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_20, deployment Perimeter, former_category MALWARE, malware_family Meduza, confidence High, signature_severity Critical, updated_at 2023_06_29;)

… and one more generic rule

# Same fix as above: the duplicated classtype keyword is reduced to a single trojan-activity.
alert tcp any any -> any 15666 (msg:"ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAg"; depth:8; classtype:trojan-activity; reference:md5,d1c95dfd50744b0133abd72801b8a0f3; reference:url,community.emergingthreats.net/t/medusa-stealer; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 4664493, malware_family Meduza, tag stealer, created_at 2024_02_13; sid:2; rev:1;)

✧˚ ༘ ⋆。˚
Jane

1 Like
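The content strings in the rules above (the first post's "chromium_browsers" rule and the M2 and generic rules in this post) are base64 of a pretty-printed JSON prefix, and they work without padding because each matched prefix is a whole number of 3-byte base64 groups. The script below is an added example, not code from the thread, ANY.RUN or Emerging Threats: it decodes the posted content strings, derives a content/depth pair from a plaintext prefix (truncating to the stable multiple-of-3 part), and models Suricata's content+depth check against constructed payloads. The function names and the sample JSON bodies are this example's own assumptions; only the three base64 strings come from the thread.

```python
from __future__ import annotations

import base64

# Base64 content strings copied from the rules posted in this thread.
POSTED_CONTENTS = {
    "M1":      "ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog",
    "M2":      "ewogICAgIkdyYWJiZXIiOiBbCiAg",
    "generic": "ewogICAg",
}


def decode_content(b64: str) -> str:
    """Decode a rule's base64 content string back to the plaintext it matches."""
    return base64.b64decode(b64).decode()


def stable_b64_prefix(plaintext: bytes) -> tuple[str, int]:
    """Longest base64 prefix that stays constant whatever bytes follow `plaintext`,
    plus the depth that covers exactly that prefix.

    Base64 encodes 3-byte groups into 4 characters. A trailing partial group
    encodes differently depending on the next plaintext bytes (and is where '='
    padding would appear), so only whole groups are usable as a fixed pattern.
    """
    stable_len = len(plaintext) - len(plaintext) % 3
    b64 = base64.b64encode(plaintext[:stable_len]).decode()
    return b64, len(b64)


def content_option(plaintext: str) -> str:
    """Render the content/depth options for a rule anchored at payload offset 0."""
    b64, depth = stable_b64_prefix(plaintext.encode())
    return f'content:"{b64}"; depth:{depth};'


def encode_payload(json_text: str) -> bytes:
    """Constructed stand-in for an exfiltration body: JSON text, base64 encoded."""
    return base64.b64encode(json_text.encode())


def content_matches(payload: bytes, b64: str, depth: int) -> bool:
    """Model of Suricata content+depth: the pattern must lie entirely within the
    first `depth` bytes of the buffer (here, the client's first payload)."""
    return b64.encode() in payload[:depth]


def which_rules_fire(payload: bytes) -> list[str]:
    """Names of the posted rules whose content/depth pair matches `payload`."""
    return [name for name, b64 in POSTED_CONTENTS.items()
            if content_matches(payload, b64, len(b64))]


if __name__ == "__main__":
    for name, b64 in POSTED_CONTENTS.items():
        print(f"{name:8} -> {decode_content(b64)!r}")
    # Constructed sample body; the real JSON beyond the prefix is not shown in the thread.
    sample = encode_payload('{\n    "chromium_browsers": {"cookies": []}\n}')
    print(which_rules_fire(sample))
    # A 26-byte prefix is not a multiple of 3, so only its first 24 bytes are stable.
    print(content_option('{\n    "chromium_browsers":'))
```

Running it shows the M1 string decoding to `{\n    "chromium_browsers": ` (27 bytes, hence depth 36), M2 to `{\n    "Grabber": [\n  ` (21 bytes, depth 28), and the generic string to `{\n    ` (6 bytes, depth 8). Cutting the M1 prefix one byte short yields a 32-character pattern instead: the last partial group would depend on whatever byte follows the colon, which is why a rule written this way should always end on a 3-byte boundary.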

Heya @Jane0sint !

Sorry I meant to get these to you yesterday but we got those sigs in yesterday’s release! Here are the deets.

2046303 has been renamed to [ANY.RUN] Meduza Stealer Exfiltration M1

2050806 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2
2050807 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

2 Likes

Thank you, I have already seen them in the new set. Tuned to ET Twitter :radio:

2 Likes