


Following our research on Cyperine 2.0 and Next Man History Stealer, the malware author rebranded their info stealer as Medusa. While it basically has the same features as Cyperine, you now need a valid account to access the builder. The example below compares Cyperine on the left and Medusa on the right, which shows a user logged in as Deadzeye.

Figure 01. Builder comparison between Cyperine (Left) and Medusa (Right)

The builder signatures clearly show that both of these variants were made by the same author, who goes by the name rE-BoOt and uses the Skype name Gamerion24. This is important, since we will use this information to back up our claim that we have been able to identify the author. In addition, the (the author’s email address) seen in the Medusa builder input field is fairly familiar, since this is the email address of the receiver of stolen information we identified in our previous blog, which makes us believe that the account owner (Deadzeye) is the author. Since we were able to obtain the author’s credentials from the Cyperine sample through reverse engineering, we then monitored email being sent to that account using the web panel. Luckily, during the testing of Medusa the author infected his own computer, and his information was sent to the account we were monitoring.

Below is the information we captured during the testing of Medusa.

Figure 02. Logs captured from the info stealer malware

Taking a look at the “Pc Info” section, we see the machine name is Matthew, which is the same name used by the signers DESKTOP-DIEEPUR\Matthew that we discovered in the two previous info stealers we analyzed. Of course, using only this information, Matthew could be anyone. Fortunately, the info stealer tool features captured screenshots that allowed us to conduct further checks. Some of the screenshots are quite interesting, as seen below. One includes the Medusa builder window on the left, with the Gmail account opened in the background, which is the same as the one we identified in the previous info stealer, Cyperine. On the right side, Skype is opened and the user is logged in as Gamerion24/rE-BoOt, and it looks like they are giving an online demo.

Figure 04. Screenshot showing indications of Medusa and Cyperine

The second screenshot shows a Skype account named Matthew, which we believe is the author’s real account.
