A new version of the Medusa DDoS botnet, based on the Mirai code, has been seen in the wild (ItW) with a stealer module and a brute-force tool.
Medusa is a piece of malware that has been advertised on darknet markets since 2015. In 2017 it gained the ability to carry out DDoS attacks.
Medusa is now also advertised as MaaS (malware-as-a-service) for DDoS attacks or mining through a dedicated portal. The operators promise stability, support, customer anonymity, an easy-to-use API and flexible pricing depending on specific needs.
Medusa website with a description of the botnet's advantages
Of particular interest in the new version is Medusa's ransomware function, which can encrypt file types of the customer's choosing. Files are encrypted with 256-bit AES and the extension “.Medusastealer” is appended to their names.
Amusingly, the Medusa sample that reached Cyble's analysts was “broken”: after encrypting files on a device, the malware simply went dormant for 24 hours and then deleted all the encrypted data.
Only after the files had been deleted did a ransom note appear, demanding payment of 0.5 BTC (11,400 US dollars). By then there was nothing left to “ransom”. This annoying bug noticeably hurt both the attackers' earnings and their reputation, and the case is genuinely out of the ordinary. One way or another, the current state of the code makes it clear that the malware is still under development.
A Medusa ransom note
Although the new Medusa version includes a data-exfiltration tool, the malware does not steal user files before encrypting them. Instead it focuses on collecting basic system information, which helps identify victims and assess the resources of their machines, which can later be used for mining or DDoS attacks.
The new version of Medusa also has a built-in brute-force tool. It collects credentials for devices inside the network, then searches for other devices running Telnet services on port 23 and tries to connect to them using the IP addresses it has obtained and combinations of the harvested credentials. If successful, Medusa infects the system with the main payload (“infection_Medusa_stealer”), giving the attackers a free hand.
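The spreading step just described leaves a recognisable trace in firewall or segment logs: one internal host opening Telnet connections to many distinct peers in a short time. The script below is an added example for detecting that pattern; it is not code from the article or from Cyble, and the syslog-style log format, the sample addresses and the thresholds are all constructed for the illustration.

```python
"""Flag hosts that sweep the local network for Telnet (TCP/23) listeners.

Added example, not code from the article or from Cyble. A single source that
contacts many distinct destinations on port 23 within a few minutes is the
lateral-movement signature of a Telnet brute-forcing bot. The log format is
constructed for this example; adapt LINE_RE to your own firewall's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.5 behaves like a spreading bot, 10.0.0.7 is an
# admin host that legitimately manages a single Telnet device, 10.0.0.9 touches a
# few Telnet devices but hours apart, and one line is deliberately malformed to
# show that unparsable input is skipped rather than fatal.
SAMPLE_LOG = """\
2023-03-01T10:00:01 fw allow src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2023-03-01T10:00:02 fw deny src=10.0.0.5 dst=10.0.0.21 dport=23 proto=tcp
2023-03-01T10:00:03 fw allow src=10.0.0.5 dst=10.0.0.22 dport=23 proto=tcp
2023-03-01T10:00:04 fw deny src=10.0.0.5 dst=10.0.0.23 dport=23 proto=tcp
2023-03-01T10:00:05 fw allow src=10.0.0.5 dst=10.0.0.24 dport=23 proto=tcp
2023-03-01T10:00:06 fw allow src=10.0.0.5 dst=10.0.0.25 dport=23 proto=tcp
2023-03-01T10:00:07 fw allow src=10.0.0.7 dst=10.0.0.20 dport=23 proto=tcp
2023-03-01T10:05:07 fw allow src=10.0.0.7 dst=10.0.0.20 dport=23 proto=tcp
2023-03-01T10:00:08 fw allow src=10.0.0.8 dst=93.184.216.34 dport=443 proto=tcp
2023-03-01T08:00:00 fw allow src=10.0.0.9 dst=10.0.0.30 dport=23 proto=tcp
2023-03-01T09:00:00 fw allow src=10.0.0.9 dst=10.0.0.31 dport=23 proto=tcp
2023-03-01T12:00:00 fw allow src=10.0.0.9 dst=10.0.0.32 dport=23 proto=tcp
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>allow|deny) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def find_telnet_sweeps(log_text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: sorted Telnet destinations} for each source that contacted at
    least `min_targets` distinct hosts on TCP/23 within any `window`-long span.

    Both allowed and denied attempts count: a scanning bot also generates denies
    against hosts that have no Telnet listener, and those are just as telling.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == 23:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it lies within `window` of the end event.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                # Report every Telnet peer this source touched, not only the window.
                hits[src] = sorted({dst for _, dst in events})
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_telnet_sweeps(SAMPLE_LOG).items():
        print(f"possible Telnet sweep from {src}: {len(targets)} targets -> {', '.join(targets)}")
```

Running the script on the sample flags only 10.0.0.5; the admin host hitting one device repeatedly and the host touching three devices hours apart stay below the threshold. The window and minimum-target values are a starting point, and on a network with many legitimate Telnet-managed devices they should be tuned against a baseline before alerts are acted on.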
We are sure this is not the last news about Medusa. The malware has considerable potential, and had it demanded the money before all the important files were gone, it would have been in a class of its own.