An In-Depth Exploration of the Meduza Stealer via DNS Analysis

Short Summary

Fortinet has identified a new variant of the Meduza Stealer that exploits the Microsoft Windows SmartScreen vulnerability (CVE-2024-21412). This malware campaign uses malicious PDF files to bypass security warnings and deliver the Meduza Stealer, which steals data from victims and sends it to a command-and-control server. The campaign targets specific regions and has led to the discovery of multiple indicators of compromise (IoCs).

Key Points

  • Malware Variant: Meduza Stealer exploiting CVE-2024-21412.
  • Delivery Method: Malicious PDF files bypassing SmartScreen warnings.
  • Data Exfiltration: Stolen data sent to a command-and-control server.
  • Target Regions: North America, Spain, and Thailand.
  • Indicators of Compromise (IoCs): 16 IoCs including 13 domain names and 3 IP addresses.
  • Domain Registration: 69% of IoCs registered with GoDaddy; 85% registered in the U.S.
  • Additional Findings: Discovery of 9 email-connected domains and 18 additional IP addresses linked to threats.
  • Research Availability: Full findings and artifacts available for download on their website.

MITRE ATT&CK TTPs – created by AI

  • Exploitation of Vulnerability (T1203)
    • Exploits CVE-2024-21412 to deliver malware.
  • Command and Control (T1071)
    • Data exfiltration to a command-and-control server.
  • Data Staged (T1074)
    • Stolen data is prepared for exfiltration.

Fortinet recently discovered a Meduza Stealer variant that has been taking advantage of the Microsoft Windows SmartScreen vulnerability CVE-2024-21412. The vulnerability lets remote attackers bypass the SmartScreen security warning dialog to deliver malicious files.

This particular campaign spreads malicious PDF files that exploit CVE-2024-21412 to download and execute malware like the Meduza Stealer. The final payload: data stolen from victims’ computers is sent to a command-and-control (C&C) server. It is also interesting to note that the threat actors designed the PDF files to target specific regions, including North America, Spain, and Thailand.

The researchers published their findings earlier this month, including 16 indicators of compromise (IoCs) comprising 13 domain names and three IP addresses. Using them as jump-off points for an IoC list expansion analysis, the WhoisXML API research team uncovered connected artifacts that have not yet been named, namely:

  • Nine email-connected domains
  • 18 additional IP addresses, 17 of which turned out to be malicious
  • One IP-connected domain
  • 149 string-connected domains, five of which turned out to be associated with various threats

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the Meduza Stealer Indicators of Compromise

First off, we sought to find more information about the published IoCs starting with a bulk WHOIS lookup for the 13 domains identified as IoCs. Our query led to these findings:

  • A majority of them, 69% to be exact (nine domain IoCs), were registered with GoDaddy. The rest of the registrars—Dynadot, FastDomain, Namecheap, and NiceNIC—accounted for one domain IoC each.
  • One of the domain IoCs was old, created way back in 2016 while the other 12 were newly created, just this year.
  • A majority of them, 85% to be exact (11 domain IoCs), were registered in the U.S. China and Iceland accounted for one domain IoC each.

Next, we ran a bulk IP geolocation lookup for the three IP addresses identified as IoCs and found out that:

Expanding the List of Meduza Stealer Indicators of Compromise

To find artifacts potentially connected to Meduza Stealer, we first queried the 13 domain IoCs on WHOIS History API. The results showed that they had four email addresses in their historical WHOIS records, two of which were public.

Using the two public email addresses as Reverse WHOIS API search terms led to the discovery of nine email-connected domains after filtering out duplicates and the IoCs.

Next, we queried the 13 domain IoCs on DNS Lookup and found out that while three did not have active IP resolutions, the remaining 10 resolved to 18 IP addresses not yet on the original IoC list. Threat Intelligence Lookup showed that 17 of them were associated with various threats.
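The expansion steps above (historical WHOIS, reverse WHOIS on public e-mails, DNS resolution, threat-intel verdicts) as a small offline model, added here as an illustration rather than code from the original post or from WhoisXML API. Every domain, e-mail address and IP address in it is a constructed placeholder, and the lookup tables stand in for the API responses.

```python
# Added example (not from the original post or WhoisXML API): an offline model
# of the IoC-expansion pivots described above, run over constructed data.
# All domains, e-mails and IPs below are made-up placeholders, not real IoCs.

IOC_DOMAINS = {"ioc-a.example", "ioc-b.example", "ioc-c.example"}
IOC_IPS = {"203.0.113.10"}

# Constructed "historical WHOIS" records: domain -> registrant e-mails seen,
# with a flag marking whether the address was public or redacted.
WHOIS_HISTORY = {
    "ioc-a.example": [("reg1@example.net", True), ("redacted@privacy.example", False)],
    "ioc-b.example": [("reg1@example.net", True)],
    "ioc-c.example": [("reg2@example.org", True), ("redacted@privacy.example", False)],
}
# Constructed reverse-WHOIS index: e-mail -> every domain that ever used it.
REVERSE_WHOIS = {
    "reg1@example.net": {"ioc-a.example", "ioc-b.example", "pivot-1.example", "pivot-2.example"},
    "reg2@example.org": {"ioc-c.example", "pivot-2.example", "pivot-3.example"},
}
# Constructed current DNS A records and threat-intelligence verdicts.
DNS_A = {
    "ioc-a.example": {"203.0.113.10", "198.51.100.7"},
    "ioc-b.example": set(),  # no active resolution
    "ioc-c.example": {"198.51.100.7", "192.0.2.33"},
}
THREAT_VERDICT = {"198.51.100.7": "malicious", "192.0.2.33": "clean"}


def public_emails(history):
    """Step 1: distinct public registrant e-mails found in WHOIS history."""
    return {email for records in history.values() for email, public in records if public}


def email_connected_domains(history, reverse_index, iocs):
    """Step 2: reverse-WHOIS pivot on public e-mails, dropping duplicates and known IoCs."""
    found = set()
    for email in public_emails(history):
        found |= reverse_index.get(email, set())
    return found - iocs


def new_ip_addresses(dns, ioc_ips):
    """Step 3: resolve the IoC domains and keep only IPs not already on the IoC list."""
    resolved = set().union(*dns.values())
    return resolved - ioc_ips


def malicious_ips(ips, verdicts):
    """Step 4: the subset of new IPs that threat intelligence flags as malicious."""
    return {ip for ip in ips if verdicts.get(ip) == "malicious"}
```

The same set-difference filtering is what keeps a pivot from re-listing the seed IoCs or counting one shared address twice; on real data, replace the constructed tables with the lookup results you actually retrieved.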

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post