Industrial Espionage 2.0: How Meduza Hacks Russia's Defense

The stealer harvests data from browsers and password managers.

Since the beginning of 2024, Russian industrial companies have come under active attack by hackers using the Meduza stealer to exfiltrate data. The malware is sold on the darknet, even though its developers had previously prohibited its use in Russia and the CIS countries. Representatives of BI.ZONE, F.A.C.C.T. and Kaspersky Lab confirmed this to Vedomosti.

The identity of Meduza's creators remains unknown, but malware authors often impose territorial restrictions that exclude the regions where they themselves are located, a representative of BI.ZONE Threat Intelligence explains. He noted that the authors expect it to be harder to identify and prosecute them if their software is not used against local companies.

According to BI.ZONE, since the beginning of the year attackers have used the Meduza stealer against nine industrial-automation companies in Russia and the CIS countries. Companies in the transport and industrial sectors have been hit by similar attacks, according to Jet Infosystems. Representatives of F.A.C.C.T. and Solar also recorded Meduza attacks on an organization in the energy industry. According to Kaspersky Lab statistics, about half of all Meduza attacks since the beginning of the year have occurred in Russia, followed by the United States, Germany and China. The exact number of attacks was not disclosed.

Meduza was actively used by the Stone Wolf hacker group. The BI.ZONE representative said the attackers sent victims emails containing malicious attachments alongside legitimate decoy documents. When the user clicked the malicious link in the email, a PDF file opened and the Meduza installer ran automatically. The malware then gave the attackers access to data held by browser extensions and password managers, and let them read incoming two-factor authentication codes on the device.

Infosec companies do not disclose the total number of phishing emails carrying Meduza, but they have noted a significant rise in phishing over the past year. In January-June 2024, the share of emails with malicious links in corporate email traffic more than doubled compared with the 2023 average, growing by 105%, according to Vedomosti. In addition, from January to June 2024 the number of malicious-email detections by Kaspersky solutions increased by 46% (from 575,286 emails per month to 837,005).

The trend of violating malware developers' geographical bans began in 2023 and has intensified since the beginning of 2024; the Meduza stealer itself appeared on underground resources in June 2023. Rebuilding malware and stripping out its restrictions is not unheard of, though not the most common practice, said the representative of InfoWatch ARMA. Once the use of pirated versions of a malware family becomes known, sales on underground forums are blocked and the developers move to Telegram. This happened with White Snake and Rhadamanthys, which attacked Russian companies in 2023 and 2024, respectively.

According to experts, Meduza's developers have repeatedly taken custom malware orders on one of the largest hacker forums on the Russian internet. They note that the developers try not to work for organizations targeting the CIS, but they cannot control what their customers do with the software.

Bans on using malware in certain regions, and on reverse engineering it, are frequently violated, a representative of Jet CSIRT confirms. He added that attackers constantly change tools to widen the scope of their attacks and to find ways around defenses. Violating such bans is frowned upon even on hacker forums, as shown by the blocking of the Meduza seller on the XSS underground platform in June 2024 for "working in the .ru/ex-USSR zone", said a leading expert at Kaspersky GReAT.

The reasons for violating a usage ban vary, from economic gain to political and cultural motives, explains a representative of the NTI Competence Center. According to BI.ZONE, in 73% of cases commercial malware is used by financially motivated attackers seeking a ransom or looking to sell stolen data. In 14% of cases the software is used for espionage, and in 10% for mixed motives. Hacktivists account for only 3% of such attacks.
