On Monday 2019-08-12, I had captured a malware payload sent through Rig Exploit Kit (EK), and it generated post-infection traffic that I was unfamiliar with. I asked what the malware was over Twitter, and @fletchsec identified it as MedusaHTTP. Thanks to everyone who responded to my original tweet!
Today’s ISC diary reviews the MedusaHTTP malware sample I found on Monday 2019-08-12.
The malware family
According to NETSCOUT, MedusaHTTP is an HTTP-based malware written in .NET used to create a distributed denial of service (DDoS) botnet. MedusaHTTP first appeared in 2017, and it’s based on earlier malware called MedusaIRC. In 2017, command and control (C2) communications for MedusaHTTP were in clear text. The sample I found used base64 strings for much of its C2 traffic. Data used in the base64 strings were encoded or otherwise encrypted, so I could not determine the actual data.
The image below displays traffic from the original infection on Monday 2019-08-12 filtered in Wireshark. First is Rig EK traffic, followed by post-infection traffic caused by MedusaHTTP malware.
Much like traffic from the 2017 sample, HTTP POST requests from an infected Windows host to a C2 server returned HTTP/1.1 100 Continue. The infected Windows host then sent a string starting with xyz= followed by what looks like a base64 string. During my initial infection traffic, the C2 server replied with cookie data that started with btst= and included the public IP address of the infected Windows host and some Unix-based timestamps as shown below.
The base64 string in the POST data after xyz= was different for every HTTP request. Cookie data returned from the C2 server included a string of hex characters that changed with every response.
I infected another Windows host less than 24 hours after the initial infection with the same MedusaHTTP sample. This time, I saw web traffic to various casino-related domains, and the C2 server responded with data as a base64 string and no cookies.
MedusaHTTP updates the Windows registry to maintain persistence after a reboot. The EXE for MedusaHTTP was saved under the infected user’s AppDataRoaming folder.
Indicators of compromise (IoCs)
- File size: 571,904 bytes
- File location: C:Users[username]AppDataRoamingGoogle Auto Updater.exe
- File description: MedusaHTTP malware persistent on an infected Windows host
Post-infection C2 traffic:
- 176.119.29[.]14 port 80 – cdnshop78[.]world – POST /forums/members/api.jsp
- 195.22.26[.]248 port 80 – mtcunlocker[.]info – POST /forums/members/api.jsp
- DNS queries for bbouble[.]xyz – Standard query responses: A bbouble[.]xyz SOA ns1.reg.ru
This specific sample of MedusaHTTP appears to be targeting casino domains. Since MedusaHTTP is DDoS botnet malware, web traffic to casino domains from my infected Windows host was likely targeting these domains in conjunction with other infected Windows hosts.
Pcaps and malware for this diary can be found here.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.