The latest bust by Russian authorities has destroyed the familiar image of the hacker as a villain who wears a black hoodie. The Meduza Infostealer malware developers appear to be more like kids who play Roblox.
The video recording suggests it was early morning when the Russian officers, with the support of the Rosgvardia forces, raided a few apartments, arresting suspected cybercriminals.
One of the teenagers, pressed to the ground by an operative in a bulletproof vest, was wearing pajama pants with Hello Kitty logos.
Another tense moment of the raid depicts a shirtless, skinny young suspect lying prone on a light wooden floor in a modest bedroom.
Three young individuals, referred to as “IT specialists,” were detained, suspected of creating, using, and distributing Meduza infostealer malware. During the raids, the officers also seized computer equipment, communication devices, bank cards, and other items.
The gang has been distributing this malware-as-a-service for two years already on illicit hacker forums. According to HudsonRock’s report, Meduza is a capable credential-harvesting tool that specializes in siphoning login details, crypto wallet data, and other sensitive information from infected Windows systems.
The group is suspected of breaching a government institution in Astrakhan, Russia, earlier this year, copying protected official data, which served as a key trigger for the probe.
“It was established that the detainees also developed and distributed another type of malware. It is designed to neutralize computer security systems and create botnets – networks of infected computers used for large-scale cyberattacks,” the Ministry of Internal Affairs of Russia said in a press release.
The three detainees now face criminal charges. The authorities continue the investigation to identify other accomplices and crimes.
$199 monthly subscription
Meduza Infostealer emerged in cybercrime circles in June 2023. It was marketed on cybercrime forums and Telegram channels as a Windows trojan, a superior alternative to other established stealers, such as Redline, Racoon, or Vidar. According to Hudson Rock’s report, the malware’s price was $199 for a one-month subscription, or $1,199 for lifetime access.
”The malware boasts a user-friendly GUI for attackers, allowing easy customization and log management,” the researchers acknowledged.
Meduza infostealer supports nearly all popular web browsers, over 100 in total, including Chrome, Edge, Firefox, Opera, Brave, Yandex, and others. On compromised computers, it extracts login credentials, cookies, browsing history, bookmarks, autofill data, and local storage.
However, the main focus is cryptocurrency. It targets more than 100 wallets, including browser extensions like MetaMask, Trust Wallet, and Binance Chain, as well as standalone apps like Exodus, Coinomi, and Bitcoin Core. It steals wallet files, seeds, and registry data.
Password managers are also affected. Malware is capable of extracting credentials from 1Password, LastPass, Bitwarden, Dashlane, and KeePassXC, as well as 2FA extensions such as Authenticator and Authy.
Other core features include stealing from messaging apps Telegram and Discord, gaming platforms (Steam), VPNs (OpenVPN), email clients (Outlook), and miner-related data.
“Prior to the arrests, the Meduza team was vocal on forums, positioning their tool as a “stable and ideal” stealer with ongoing updates,” Hudson Rock researchers said.
“They emphasized non-ransomware focus, AV evasion, and custom features like file grabbers – echoing sentiments from similar infostealer creators.”
While the arrest is likely to deter future development, the researchers believe that the code “could live on through forks or resales.”
This Meduza group is distinct from the notorious Medusa ransomware group, which compromised over 300 high-profile organizations worldwide. However, this ransomware gang is also likely operating from Russia, as it has built-in functionality that excludes countries in the CIS region, such as Russia, Kazakhstan, and Belarus..
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked