Introduction On Monday 2019-08-12, I had captured a malware payload sent through Rig Exploit Kit (EK), and it generated post-infection traffic that I was unfamiliar with. I asked what the malware was over Twitter, and @fletchsec identified it as MedusaHTTP. Thanks to everyone who responded to my original tweet! In 2017, Arbor Networks (now part of NETSCOUT) published a blog about MedusaHTTP using a sample originally reported by @Zerophage1337 which was also seen after an infection through Rig EK. Today's ISC diary reviews the MedusaHTTP malware sample I found on Monday 2019-08-12. The malware family According to NETSCOUT, MedusaHTTP is an HTTP-based malware written in .NET used to create a distributed denial of service (DDoS) botnet. MedusaHTTP first appeared in 2017, and it's based on earlier malware called MedusaIRC. In 2017, command and control (C2) communications for MedusaHTTP were in clear text. The sample I found used base64 strings for much of its C2 traffic. Data used in the base64 strings were encoded or otherwise encrypted, so I could not determine the actual data. Infection traffic The image below displays traffic from the original infection on Monday 2019-08-12 filtered in Wireshark. First is Rig EK traffic, followed by post-infection traffic caused by MedusaHTTP malware.
Much like traffic from the 2017 sample, HTTP POST requests from an infected Windows host to a C2 server returned HTTP/1.1 100 Continue. The infected Windows host then sent a string starting with xyz= followed by what looks like a base64 string. During my initial infection traffic, the C2 server replied with cookie data that started with btst= and included the public IP address of the infected Windows host and some Unix-based timestamps as shown below.
The base64 string in the POST data after xyz= was different for every HTTP request. Cookie data returned from the C2 server included a string of hex characters that changed with every response.
I infected another Windows host less than 24 hours after the initial infection with the same MedusaHTTP sample. This time, I saw web traffic to various casino-related domains, and the C2 server responded with data as a base64 string and no cookies.
Post-infection forensics MedusaHTTP updates the Windows registry to maintain persistence after a reboot. The EXE for MedusaHTTP was saved under the infected user's AppData\Roaming folder.
Indicators of compromise (IoCs) SHA256 hash: 17901948c9c9f2f0d47f66bbac70592a7740d181f5404bf57c075ed6fa165b67
Post-infection C2 traffic:
Final words This specific sample of MedusaHTTP appears to be targeting casino domains. Since MedusaHTTP is DDoS botnet malware, web traffic to casino domains from my infected Windows host was likely targeting these domains in conjunction with other infected Windows hosts. Pcaps and malware for this diary can be found here. --- |
Brad 433 Posts ISC Handler Aug 14th 2019 |
Thread locked Subscribe |
Aug 14th 2019 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!