MedusaLocker Server Likely Spotted in the Wild
Self-Signed Certificate of Red Team Tool Leads to 'Smoking Gun'
An internet scan for pen testing tools on Russian servers unveiled a web of hosts potentially used to launch ransomware attacks by a crime group known for targeting the healthcare industry.
Attack surface risk firm Censys says it came across a Russian server with a collection of red teaming tools used to compromise hosts and maintain control. Further analysis connected the initial server with another Russian server that, as recently as mid-June, contained a malware kit pointing to an online domain used by the MedusaLocker group.
The U.S. federal government issued a warning earlier this month about MedusaLocker ransomware, saying it exploits unsecured remote desktop software and uses phishing campaigns. Cybereason in 2020 found the malware to be prevalent in the healthcare industry. Medical centers are especially likely to pay a ransom given practitioners' reluctance to disrupt patient care (see: Hackers Claim Drug Data Theft as Reports Warn Health Sector).
Censys says it identified the server with the MedusaLocker malware kit through an iterative process that began with an examination of 7.4 million Russian hosts visible to its internet scans. Two hosts stood out since they contained the Metasploit penetration testing framework and Deimos C2, an open-source command-and-control tool. Further analysis revealed that one of the hosts also had the Acunetix web vulnerability scanner and had used PoshC2, a red team post-exploitation tool.
The presence of PoshC2 in particular led Censys to the server with signs of connections to MedusaLocker. By default, PoshC2 creates a self-signed certificate for its HTTP server, the values for which are stored in the file poshc2/server/Config.py. These values are not stored in the config.yml configuration file and are therefore harder to change.
The certificate used on the server is listed as an indicator of compromise by the PoshC2 developer, and Censys was able to locate it on just eight other servers after a worldwide search. The company later discovered a ninth host. Other servers in that group also had malware kits on them, but only the one server contained what Censys calls "smoking gun" evidence of connection to MedusaLocker.
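The pivot described above, matching the certificate a host serves against a published indicator, is easy to reproduce over scan output. The following is an added example (not Censys's tooling and not PoshC2's code); the certificates, fingerprints and scan records in it are constructed stand-ins, since the article does not reproduce the real PoshC2 certificate values, and a real hunt would load the fingerprint from the PoshC2 project's published indicators of compromise.

```python
import base64
import hashlib
import json
import re

# Constructed placeholders: NOT real X.509 certificates and NOT the PoshC2
# default certificate. They only give the fingerprint code something to hash.
def _fake_pem(seed: bytes) -> str:
    b64 = base64.encodebytes(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

POSHC2_LIKE_PEM = _fake_pem(b"constructed: stand-in for the PoshC2 default cert")
BENIGN_PEM = _fake_pem(b"constructed: some unrelated self-signed certificate")

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the form most scan data and IoC lists use."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as decorous[.]cyou back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# Indicator sets a defender would normally load from a feed; values here are constructed.
IOC_CERT_FINGERPRINTS = {cert_fingerprint(POSHC2_LIKE_PEM)}
IOC_DOMAINS = {refang("decorous[.]cyou")}

# Constructed scan output, one JSON object per line; hosts are RFC 5737 test addresses.
SCAN_LINES = [
    json.dumps({"ip": "203.0.113.10", "port": 443, "cert_pem": POSHC2_LIKE_PEM}),
    json.dumps({"ip": "203.0.113.11", "port": 443, "cert_pem": BENIGN_PEM}),
    json.dumps({"ip": "203.0.113.12", "port": 80}),  # no TLS, nothing to fingerprint
]

def flag_hosts(lines, fingerprints=IOC_CERT_FINGERPRINTS):
    """Return host:port strings whose served certificate matches a known-bad fingerprint."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        pem = rec.get("cert_pem")
        if pem and cert_fingerprint(pem) in fingerprints:
            hits.append(f"{rec['ip']}:{rec['port']}")
    return hits

if __name__ == "__main__":
    print(flag_hosts(SCAN_LINES))
```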
It's the presence of a malware kit with restoreassistance_net@decorous[.]cyou appended to each of the files. MedusaLocker uses decorous[.]cyou domains to correspond with victims by email.
It is possible, the company allows, that the server in question is a victim of hackers, but the persistence of a malware kit that has been modified over time is more in line with the behavior of attackers, it adds.
Censys also spotted servers with the malicious PoshC2 certificate in California, Ohio and Taiwan, as well as other servers in Russia. An active user of Malware Bazaar with the handle @r3dbU7z lists one of the other Russian hosts as part of the MedusaLocker group.