Researchers have discovered a new, improved version of the Medusa botnet circulating in the cybercriminal landscape. The Mirai-based botnet now features a ransomware module, Telnet brute-force capabilities and distributed denial-of-service (DDoS) functions.
The first Medusa campaign was observed nearly a decade ago, when researchers found the botnet advertised on underground markets. In 2017, the operators updated it with HTTP-based DDoS capabilities.
According to the reports, the new version is an extension of the older model that has gained additional functionality, making it more sophisticated and able to infect a wider range of targets.
The Medusa botnet operators have continued targeting Linux servers with their new malware version.
The latest version retains the older variant's Linux targeting. However, it adds DDoS options derived from the leaked Mirai botnet source code.
In addition, the developers now advertise the upgraded botnet as Malware-as-a-Service for cryptocurrency mining and DDoS. The new version also includes data exfiltration tooling, but it does not steal users' files before encryption begins.
Instead, it gathers the system information the operators need to run their DDoS and cryptocurrency mining campaigns.
Unfortunately for Linux users, one of the most significant additions in the new Medusa botnet is a ransomware function that scans directories for the file types selected for encryption.
Its primary targets are documents and vector design files. The malware encrypts these files with 256-bit AES and appends the [.]medusastealer extension to each one.
Researchers note that the encryption routine appears broken: after encrypting the files, the malware deletes them from the system drives and only then displays the ransom note. A victim who pays therefore has nothing left to recover, even with a valid key.
These flaws suggest that the new Medusa variant is still under development; the final payload also has incomplete support for several commands. Security researchers nevertheless expect the operators to keep investing in completing the botnet.
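The behaviour described above gives an incident responder two things to look for on a Linux host: files carrying the .medusastealer extension, and a ransom note left behind after the encrypted files have already been removed. The following triage script is an added example written for this article, not code from the researchers or from the malware itself. It walks a directory tree, lists renamed files, flags any whose content is not high-entropy (renamed rather than actually encrypted), and reports the "note present, ciphertext gone" pattern of the broken variant. The ransom note filenames and the sample victim tree are assumptions constructed for the demo; the article does not name the note file.

```python
"""Triage helper for Medusa-style ransomware artifacts (added example, not from the page)."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

MEDUSA_EXT = ".medusastealer"                      # extension reported in the article
NOTE_NAMES = {"readme.txt", "ransom_note.txt"}     # assumed note names; the article gives none


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. AES ciphertext approaches 8.0; plain text usually sits below 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk a directory tree and report Medusa-style artifacts."""
    encrypted, notes, low_entropy = [], [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_NAMES:
            notes.append(path.name)
        elif path.suffix == MEDUSA_EXT:
            encrypted.append(path.name)
            ent = shannon_entropy(path.read_bytes()[:65536])  # sample the first 64 KiB
            if ent < 7.0:  # renamed but not actually encrypted
                low_entropy.append((path.name, round(ent, 2)))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "low_entropy": sorted(low_entropy),
        # The broken behaviour the article describes: note dropped, ciphertext already deleted.
        "note_without_ciphertext": bool(notes) and not encrypted,
    }


def build_sample(root, deleted: bool) -> None:
    """Create a constructed victim tree (assumed layout, for demonstration only).
    deleted=True mimics the broken variant that removes encrypted files before dropping the note."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    rng = random.Random(1)  # deterministic stand-in for AES ciphertext
    (Path(root) / "photo.jpg").write_bytes(b"\xff\xd8\xff" + bytes(range(64)) * 8)  # untouched file
    if not deleted:
        (docs / ("report.docx" + MEDUSA_EXT)).write_bytes(rng.randbytes(4096))
        (docs / ("logo.svg" + MEDUSA_EXT)).write_bytes(rng.randbytes(4096))
        # renamed only: low entropy, should be flagged as suspicious rather than encrypted
        (docs / ("notes.txt" + MEDUSA_EXT)).write_bytes(b"just renamed, not encrypted\n" * 100)
    (Path(root) / "README.txt").write_text("Your files are encrypted. Contact us to decrypt.\n")


def demo(deleted: bool) -> dict:
    """Build a sample tree in a temp dir and return its triage report."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, deleted)
        return triage(d)


if __name__ == "__main__":
    for scenario in (False, True):
        print("deleted" if scenario else "intact", demo(scenario))
```

Run it as-is to see both scenarios; point `triage()` at a real mount to use it in the field. A report where `note_without_ciphertext` is true is the signature of the broken variant: there is nothing to decrypt, so the response is restore-from-backup, not negotiation. The entropy check catches files that were renamed but never encrypted, which occasionally happens when a payload crashes mid-run.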