Cybersecurity researchers at Uptycs reported the discovery of the Meduza Stealer malware, which is designed for “complex data theft”. The stealer monitors “user activity on the Internet” and performs “extraction of huge amounts of data related to browsers”.
Meduza also harvests data from browser extensions: cryptocurrency wallets, password managers, and two-factor authentication tools. To avoid detection, the stealer stops working when it loses its connection to the attacker’s command-and-control server. If the infected system is located in a CIS country or in Turkmenistan, Meduza triggers a self-destruct mechanism and terminates.
While running, the stealer intercepts browser data, collects information from the Windows registry, and even sends a list of the games installed on the victim’s computer to the control server. The developers also took care of convenient malware management: a web panel displays the information Meduza collected from the victim’s computer, together with tools for downloading or deleting that data.
Advertisements offering copies of Meduza Stealer for sale have been found on the dark web. A “license” is purchased via Telegram. The malware is sold as a subscription for $199 per month or as a one-time payment of $1,199.