Medusa Stealer

Hi, I want to suggest one more signature

# one classtype per rule (Suricata keeps only the last one and warns on duplicates); sid is a placeholder
alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAgIkdyYWJiZXIiOiBbCiAg"; depth:28; reference:md5,d1c95dfd50744b0133abd72801b8a0f3; reference:url,community.emergingthreats.net/t/medusa-stealer; classtype:trojan-activity; sid:1; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 4664493, malware_family Meduza, tag stealer, created_at 2024_02_13;)

and editing the message of an existing one

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog"; startswith; fast_pattern; reference:md5,6c2283c27a3ac1164aad01f982f17db3; reference:url,twitter.com/Jane_0sint/status/1670048531665518592; reference:url,app.any.run/tasks/cf27f0ec-1be0-4353-82fc-d392eaa8b24b; classtype:trojan-activity; sid:2046303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_20, deployment Perimeter, former_category MALWARE, malware_family Meduza, confidence High, signature_severity Critical, updated_at 2023_06_29;)

… and one more generic rule

# one classtype per rule; content is the base64 of the JSON opening "{\n    ", so depth 8 covers the 8 encoded chars; sid is a placeholder
alert tcp any any -> any 15666 (msg:"ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAg"; depth:8; reference:md5,d1c95dfd50744b0133abd72801b8a0f3; reference:url,community.emergingthreats.net/t/medusa-stealer; classtype:trojan-activity; sid:2; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 4664493, malware_family Meduza, tag stealer, created_at 2024_02_13;)

✧˚ ༘ ⋆。˚
Jane

1 Like
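An added example, not part of Jane's post or the ET ruleset: it derives each rule's base64 `content` from the JSON opening it decodes to (only whole 3-byte groups are stable, which is why the content strings stop where they do), then checks the `depth`/`startswith` semantics against a constructed sample stream. The sample report and the benign payload are made up; the rule strings are the page's, shortened to the keywords the check needs.

```python
import base64
import re

# The three rules match the start of the first client->server segment.
# Their base64 content strings decode to these JSON openings (decoded
# from the rules on the page; not taken from a Meduza sample).
RULE_PLAINTEXT = {
    "M1":      b'{\n    "chromium_browsers": ',
    "M2":      b'{\n    "Grabber": [\n  ',
    "generic": b'{\n    ',
}

def base64_prefix(plaintext: bytes) -> bytes:
    """Base64 text that is fixed for every continuation of `plaintext`.
    Base64 encodes 3-byte groups, so only whole groups are stable; a
    trailing 1-2 bytes encode differently depending on what follows and
    must be dropped, or the content will match only by luck."""
    stable = len(plaintext) - len(plaintext) % 3
    return base64.b64encode(plaintext[:stable])

def content_and_depth(rule: str) -> tuple:
    """Extract content and depth from a rule. `startswith` (used by the
    M1 rule) is equivalent to depth == len(content)."""
    content = re.search(r'content:\s*"([^"]+)"', rule).group(1).encode()
    depth = re.search(r'depth:\s*(\d+)', rule)
    return content, int(depth.group(1)) if depth else len(content)

def rule_hits(first_segment: bytes, content: bytes, depth: int) -> bool:
    """content + depth: the whole match must end within the first `depth` bytes."""
    return content in first_segment[:depth]

# Constructed sample of what the M2 rule describes: an indented JSON report,
# base64 encoded as the first bytes the client sends. Values are made up.
SAMPLE_REPORT = b'{\n    "Grabber": [\n        {"name": "sample", "size": 1}\n    ]\n}'
SAMPLE_WIRE = base64.b64encode(SAMPLE_REPORT)
BENIGN_WIRE = base64.b64encode(b'{"status": "ok"}')  # compact JSON, no indent

M2_RULE = ('alert tcp any any -> any any (msg:"M2"; '
           'content:"ewogICAgIkdyYWJiZXIiOiBbCiAg"; depth:28; sid:1; rev:1;)')

def check_page_rules() -> dict:
    """Recompute the M2 content from its plaintext and test both samples."""
    m2_content, m2_depth = content_and_depth(M2_RULE)
    generic = base64_prefix(RULE_PLAINTEXT["generic"])
    return {
        "m2_content_matches_derivation": base64_prefix(RULE_PLAINTEXT["M2"]) == m2_content,
        "m2_hits_sample": rule_hits(SAMPLE_WIRE, m2_content, m2_depth),
        "generic_hits_sample": rule_hits(SAMPLE_WIRE, generic, 8),
        "generic_hits_benign": rule_hits(BENIGN_WIRE, generic, 8),
    }

if __name__ == "__main__":
    print(check_page_rules())
```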