A variation of the Mirai botnet was spotted downloading and spreading a new botnet. Dubbed “Medusa Botnet”, it connects to the command and control server once activated and obtains the “medusa_stealer.sh” file, which it then runs.
Mirai, the malware that targets smart devices powered by ARC processors and transforms them into a network of bots or “zombies” that can be remotely controlled. This network, referred to as a botnet, is frequently employed to carry out DDoS (Distributed Denial of Service) attacks.
Researchers at the Cyble Research and Intelligence Labs (CRIL), in collaboration with the Cyble Global Sensor Intelligence (CGSI), identified a new variant of the Mirai botnet.
Mirai, which thrives on vulnerabilities in systems running Linux, was found downloading the Medusa botnet. The botnets can launch several types of cyberattacks, including Distributed Denial of Service (DDoS) and ransomware attacks.
While researchers found some incapabilities in the programming of the Medusa botnet, it still successfully launched DDoS attacks on certain levels of the network, including layers 3, 4, and 7. The Medusa botnet and Mirai botnet launch brute force attacks that use several attempts to guess the password of the target, among other credentials.
Details found in the medusa_stealer.sh file (Photo: Cyble)
The Mirai botnet downloads the medusa_stealer.sh file when it connects to the command and control (C&C) server.
Researchers found the features of the Medusa botnet, written in the Python script, which is confirmed by seeing the source code of the botnet. The following are the four found parameters of the Medusa botnet:
- ‘Method’ for taking attack-related commands from the C&C server.
- ‘IP’ to access the IP address of the victim
- ‘Port’ to collect the port number
- ‘Timeout’ to stop the attack
The Medusa botnet attacked networks using either spoofed IP addresses or the IP address of the victims. This was done using the spoofer() function. It would keep creating new IP addresses to not be detected.
Spoofer() function of the Medusa botnet (Photo: Cyble)
Ransomware attacks launched by the Medusa botnet
Similarly, the Medusa botnet used the MedusaRansomware() function to launch a ransomware attack. It encrypts all the files mentioned in the ‘extensions’ list by adding the .medusastealer extension to the file names.
It encrypts files with a Python library using an AES 256-bit encryption key sparing only the system files and those that are already encrypted. It targets files with several extensions including:
- .js
- .rb
- .go
- .html
- .docm
- .dotm
- .xsl
- .svg
- .wsf
- .wsh
Snippet of Medusa’ ransomware function (Photo: Cyble)
It deletes all the files in the system drive and leaves a ransom. Following the encryption of files, the Medusa botnet is programmed to sleep for 24 hrs. CRIL researchers found the ransom note to be faulty in its implementation.
Brute force attacks launched by the Medusa botnet
The Medusa botnet launches brute force attacks on internet-connected devices using the ScanWorld function. Thereafter, it injects several other malicious payloads.
It defines containing common usernames and passwords through username_scanner and password_scanner. Upon successfully gaining access to a Telnet device, it sends a malicious payload using infection_medusa_stealer.
Backdoor access and SSH login attempts are made using FivemBackdoor and sshlogin code. A lack of related codes in the Python file let the researchers know that the Medusa botnet is not fully established or implemented.
The botnet collects the system information upon successful attack using the send_data() function, which is then sent to the cyberattacker’s remote server at hxxps://medusa-stealer[.]cc/add/bot. Details such as the username, IP address, operating system, hostname, CPU, and RAM usage are sent using the send function.
Details about the Mirai botnet
Mirai has been active since 2016 and targets Linux-based devices through routers, IP cameras, and IoT devices. It exploits vulnerabilities in these devices to gain initial access and can download other malware as programmed by the cybercriminal to exfiltrate data from various locations.
Cyberattacks observed by CRIL in January 2023 using the Mirai botnet (Photo: Cyble)
Since the Mirai Linux botnet is worked upon to target Linux machines, researchers are urging users to be cautious of downloading or accessing emails and links from unknown IP addresses and URLs.