Fortinet recently discovered a Meduza Stealer variant that has been taking advantage of the Microsoft Windows SmartScreen vulnerability CVE-2024-21412. The Meduza stealer lets remote attackers bypass the SmartScreen security warning dialog to deliver malicious files.

This particular campaign spreads malicious PDF files that exploit CVE-2024-21412 to download and execute malware like the Meduza Stealer. The final payload? Data stolen from victims’ computers are sent to a command-and-control (C&C) server. It is also interesting to note that the threat actors designed PDF files to target specific regions, including North America, Spain, and Thailand.

The researchers published their findings earlier this month, including 16 indicators of compromise (IoCs) comprising 13 domain names and three IP addresses. Using them as jump-off points for an IoC list expansion analysis, the WhoisXML API research team uncovered connected artifacts that have not yet been named, namely:

• Nine email-connected domains
• 18 additional IP addresses, 17 of which turned out to be malicious
• One IP-connected domain
• 149 string-connected domains, five of which turned out to be associated with various threats

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the Meduza Stealer Indicators of Compromise

First off, we sought to find more information about the published IoCs starting with a bulk WHOIS lookup for the 13 domains identified as IoCs. Our query led to these findings:

• A majority of them, 69% to be exact (nine domain IoCs), were registered with GoDaddy. The rest of the registrars—Dynadot, FastDomain, Namecheap, and NiceNIC—accounted for one domain IoC each.

  

• One of the domain IoCs was old, created way back in 2016 while the other 12 were newly created, just this year.

• A majority of them, 85% to be exact (11 domain IoCs), were registered in the U.S. China and Iceland accounted for one domain IoC each.

  

Next, we ran a bulk IP geolocation lookup for the three IP addresses identified as IoCs and found out that:

• They were split across two geolocation countries. Two of them were geolocated in the Netherlands while one originated from Germany.

  

• Two of the IP address IoCs were administered by Global Connectivity Solutions while one was under Aeza.

  

Expanding the List of Meduza Stealer Indicators of Compromise

To find artifacts potentially connected to Meduza Stealer, we first queried the 13 domain IoCs on WHOIS History API. The results showed that they had four email addresses in their historical WHOIS records, two of which were public.

Using the two public email addresses as Reverse WHOIS API search terms led to the discovery of nine email-connected domains after filtering out duplicates and the IoCs.

Next, we queried the 13 domain IoCs on DNS Lookup and found out that while three did not have active IP resolutions, the remaining 10 resolved to 18 IP addresses not yet on the original IoC list. Threat Intelligence Lookup showed that 17 of them were associated with various threats.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.