Fortinet recently discovered a Meduza Stealer variant that takes advantage of the Microsoft Windows SmartScreen vulnerability CVE-2024-21412. The vulnerability lets remote attackers bypass the SmartScreen security warning dialog to deliver malicious files.
This particular campaign spreads malicious PDF files that exploit CVE-2024-21412 to download and execute malware such as the Meduza Stealer. The data stolen from victims’ computers is then sent to a command-and-control (C&C) server. It is also interesting to note that the threat actors designed the PDF files to target specific regions, including North America, Spain, and Thailand.
The researchers published their findings earlier this month, including 16 indicators of compromise (IoCs) comprising 13 domain names and three IP addresses. Using them as jump-off points for an IoC list expansion analysis, the WhoisXML API research team uncovered connected artifacts that have not yet been named, namely:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
First off, we sought to find more information about the published IoCs starting with a bulk WHOIS lookup for the 13 domains identified as IoCs. Our query led to these findings:
A majority of them, 85% to be exact (11 domain IoCs), were registered in the U.S., while China and Iceland accounted for one domain IoC each.
Next, we ran a bulk IP geolocation lookup for the three IP addresses identified as IoCs and found out that:
Two of the IP address IoCs were administered by Global Connectivity Solutions while one was under Aeza.
To find artifacts potentially connected to Meduza Stealer, we first queried the 13 domain IoCs on WHOIS History API. The results showed that they had four email addresses in their historical WHOIS records, two of which were public.
Using the two public email addresses as Reverse WHOIS API search terms led to the discovery of nine email-connected domains after filtering out duplicates and the IoCs.
Next, we queried the 13 domain IoCs on DNS Lookup and found that while three did not have active IP resolutions, the remaining 10 resolved to 18 IP addresses not yet on the original IoC list. Threat Intelligence Lookup showed that 17 of them were associated with various threats.
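The two pivots above (domain IoCs to historical WHOIS e-mails to reverse WHOIS, and domain IoCs to DNS resolutions to a threat-intelligence check) as an added example, not code from the original post or from WhoisXML API. All lookup tables, domain names, e-mail addresses and IP addresses are constructed stand-ins that reproduce the counts in the post; the real services would replace them.

```python
"""IoC expansion pivots from the post over CONSTRUCTED stand-in lookup tables (documentation
ranges, example names) for the WHOIS History, Reverse WHOIS, DNS and threat-intel services."""
import ipaddress

DOMAIN_IOCS = [f"ioc-{i:02d}.example" for i in range(1, 14)]   # 13 constructed domain IoCs
IP_IOCS = {"203.0.113.1", "203.0.113.2", "203.0.113.3"}         # 3 constructed IP IoCs
# domain -> (e-mail seen in historical WHOIS, is it public rather than a privacy-proxy address?)
WHOIS_HISTORY = {
    "ioc-01.example": [("reg-a@example.net", True)],
    "ioc-02.example": [("reg-a@example.net", True), ("privacy-1@example.org", False)],
    "ioc-03.example": [("reg-b@example.net", True)],
    "ioc-04.example": [("privacy-2@example.org", False)],
}
# public e-mail -> every domain whose WHOIS record ever carried it (includes the IoCs themselves)
REVERSE_WHOIS = {
    "reg-a@example.net": ["ioc-01.example", "ioc-02.example"] + [f"conn-{i:02d}.example" for i in range(1, 6)],
    "reg-b@example.net": ["ioc-03.example"] + [f"conn-{i:02d}.example" for i in range(5, 10)],
}
# domain -> current A records; ioc-11..13 are absent, i.e. no active resolution
DNS_A = {f"ioc-{i:02d}.example": [f"198.51.100.{2*i-1}", f"198.51.100.{2*i}"] for i in range(1, 10)}
DNS_A["ioc-10.example"] = ["203.0.113.1", "198.51.100.18"]      # a known IoC IP plus a duplicate
THREAT_FLAGGED = {f"198.51.100.{n}" for n in range(1, 18)}      # what threat intel would flag

def collect_emails(domains):
    """Unique e-mails from historical WHOIS, mapped to whether each one is public."""
    seen = {}
    for d in domains:
        for email, public in WHOIS_HISTORY.get(d, []):
            seen[email] = public
    return seen

def email_connected_domains(domains):
    """Pivot only on public e-mails (privacy-proxy addresses link unrelated domains), then drop IoCs and duplicates."""
    public = [e for e, is_public in collect_emails(domains).items() if is_public]
    connected = {d for e in public for d in REVERSE_WHOIS.get(e, [])}
    return sorted(connected - set(domains))

def resolve_new_ips(domains, ip_iocs):
    """Domains with no A record, and resolved IPs not already on the IoC list."""
    unresolved = [d for d in domains if not DNS_A.get(d)]
    ips = {ip for d in domains for ip in DNS_A.get(d, [])}
    return unresolved, sorted(ips - ip_iocs, key=ipaddress.ip_address)

def expand(domains, ip_iocs):
    """Run both pivots and summarise them in the same shape as the post's findings."""
    emails = collect_emails(domains)
    unresolved, new_ips = resolve_new_ips(domains, ip_iocs)
    return {"emails_total": len(emails), "emails_public": sum(emails.values()),
            "email_connected_domains": email_connected_domains(domains),
            "unresolved_domains": unresolved, "new_ips": new_ips,
            "flagged_ips": [ip for ip in new_ips if ip in THREAT_FLAGGED]}
```

Excluding the original IoCs and privacy-proxy addresses before pivoting is what keeps the expanded list from ballooning with unrelated domains.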
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.