Following the Trail - Meduza Stealer

And an Unexpected find: 1869 Crimean Orthodox Church Records

Shouldn’t have opened X on a Sunday morning, I was drinking my morning coffee, browsing X when I got a new post notification update from Fox_threatintel(@banthisguy9349) about a new discovery of Meduza stealer distribution server.

Wanted to have a closer look since Meduza is a prevalent stealer. The discovery showed a file called “resp.exe” found in an open directory hosted on 89[.]23.100.74

Naturally the first check is on the distribution server, however the body hash pivot returned no additional results

Distribution Server Pivot - ASN & Services

The distribution server is part of the AS56694 - Smart Ape LLC and is running services on ports 22 and 80 so we will use this information to perform the first pivot.

autonomous_system.asn=56694 AND services.port=22 AND services.port=80 and services.http.response.html_tags="<title>Index of /</title>"

# 21 Hosts Result

89[.]23.98.7
89[.]23.99.251
89[.]23.100.74
89[.]23.101.74
91[.]219.148.177
94[.]198.50.19
94[.]198.50.21
94[.]198.53.29
94[.]198.53.179
152[.]89.216.34
185[.]9.144.142
185[.]9.147.211
185[.]65.201.8
185[.]130.249.77
185[.]217.128.10
188[.]127.224.100
188[.]127.225.44
188[.]127.225.213
188[.]127.229.54
188[.]127.243.56
188[.]127.243.79

Most of the Hosts didn’t contain anything interesting but some of them had some hidden treasures like ISO of games which can contain malware, 1869 Crimean orthodox church records, which I have no clue why are hosted there or what purpose they might serve and a Telegram bot, which seems to configured for user support. This could be interesting for code analysts but I have no idea how to approach code analysis, so I am sharing the results and moving forward.

# Hosting interesting open directories

185.217.128.10
185.65.201.8
188.127.225.213

While those findings are interesting, they don’t have a direct connection with our distribution server so we will have to perform another pivot.

188.127.225[.]213 - Domains Pivoting

One of the IP hosts 2 domains so I tried looking at their certificates to find similarities. Unfortunately, certificates were not reused so couldn’t pivot further.

---

Distribution server #2

As @banthisguy9349 shared in this thread there is another server distributing the same malware. Using the information and commonalities between those two servers, we can try to identify additional distribution servers.

services.http.response.body:"Index of" AND  services.software.cpe:"cpe:2.3:o:canonical:ubuntu_linux:*:*:*:*:*:*:*:*" AND  (services.port:80 AND services.port:22) AND  NOT services.port:[0 TO 21] AND  NOT services.port:[23 TO 79] AND  NOT services.port:[81 TO 65535] AND  services.http.response.body:".exe"

27 results for servers with open directories and .exe files on ports 80 & 22, only few of the have been previously reported and nothing seems to be matching our malware file size or naming convention criteria so I’ll add the hosts here in case any of you want to explore and move on.

# Reported on VT 

37[.]120.164.104
39[.]99.131.244
78[.]141.230.133
164[.]215.103.253

# Servers with open directories containing .exe files

8.222.170[.]66
15.204.227[.]70
18.191.236[.]208
18.221.118[.]190
34.32.218[.]171
45.207.202[.]122
54.78.74[.]237
96.30.198[.]132
104.168.155[.]254
104.236.20[.]176
117.72.36[.]133
130.61.230[.]173
138.2.157[.]76
140.238.42[.]106
142.44.163[.]133
159.203.68[.]47
172.84.94[.]120
178.128.53[.]197
185.231.233[.]254
195.201.232[.]236
212.28.179[.]145
213.165.90[.]159

Pivoting - C2 193.3.19[.]151

Next pivot is done off of the C2 server reported in the initial discovery post, using the body hash from port 80 we can discover 11 hosts matching our search, all of them hosting Meduza C2 services

services.http.response.body_hashes="sha256:d49fd784cf400108347618c98b47077ea874d84aafd7d7396f260b92d75801de"

Lastly, it seems like the hosts distribution is pretty concentrated on AS 210644( Aeza International Ltd ) which is something that can be used in hunting rules.

As always, there are many threads that can be pulled and different paths to follow and probably lead to more interesting findings so feel free to explore and reach out if you are interested to collaborate.
Take care, thanks!

---

IOC

# Meduza Distribution Server

89.23.100[.]74

# Meduza C2 

193.3.19[.]151
5.252[.]155.28
45.130[.]145.152
62.60[.]245.252
93.123[.]85.46
95.181[.]162.143
95.181[.]167.11
109.120[.]140.242
147.45[.]78.74
176.124[.]205.86
193.124[.]203.119

# Potential Distribution Servers (moderate confidence)

37[.]120.164.104
39[.]99.131.244
78[.]141.230.133
164[.]215.103.253

Comments

[Varun Malhotra]

Great write-up! I hope you enjoyed your coffee 😀