We have seen many data stealers siphon off confidential data from victims’ devices over the years.1 And their perpetrators usually employed simple tactics like social engineering and phishing to install the malware on target systems. The Meduza Stealer may be the first stealer we analyzed that exploited a vulnerability.
An in-depth investigation of the Meduza Stealer unveiled 16 indicators of compromise (IoCs) comprising 13 domain names and three IP addresses earlier this month.2
In a bid to uncover more potentially connected artifacts not yet published, we expanded the current list of IoCs using WHOIS, IP, and DNS intelligence. Our analysis led to the discovery of:
- Nine email-connected domains
- 18 additional IP addresses, 17 of which turned out to be malicious
- One IP-connected domain
- 149 string-connected domains, five of which turned out to be associated with various threats
Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
—
- [1] https://main.whoisxmlapi.com/wxa-research-center/threat-reports?q=stealer
- [2] https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed