gary_seven 2 Posted July 3, 2023
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work
From the article: "What's more concerning is that a large portion of antivirus software has proven ineffective against the Meduza stealer binary, either failing to detect it statically or dynamically. (Fig. 2, Fig. 3)."
Fig. 2 – Static AV scan report
Fig. 3 – Dynamic AV scan report
SeriousHoax 87 Posted July 3, 2023
One more example of ESET's DNA detection in action, I suppose.
rotaru 10 Posted July 3, 2023
Just now, SeriousHoax said:
One more example of ESET's DNA detection in action, I suppose.
So, you "suppose" or you know for a fact that this is a DNA detection?
itman 1,741 Posted July 3, 2023 (edited)
There might be some malware "tweaking" going on here. Or, he lucked out and caught his sample while it was still in the "wild." Based on the IOCs listed in this article: https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/ , the detection rate at VT is very high: https://www.virustotal.com/gui/file/702abb15d988bba6155dd440f615bbfab9f3c0ed662fc3e64ab1289a1098af98 . In any case, it's good to see Eset detected it.
-EDIT- Also, his scan shows only 26 vendors, which means he did not scan at VT. The above linked VT sample was posted on 5/29. His scan was done on 6/27. Something is not right here.
Edited July 3, 2023 by itman
SeriousHoax 87 Posted July 3, 2023 (edited)
10 minutes ago, SeriousHoax said:
One more example of ESET's DNA detection in action, I suppose.
Unless ESET had already got their hands on the sample that was analyzed there, it should be a DNA detection.
Quote: "We perform deep analysis of the code and extract “genes” that are responsible for its behavior and construct ESET DNA Detections, which are used to assess potentially suspect code, whether found on the disk or in the running process memory. DNA Detections can identify specific known malware samples, new variants of a known malware family or even previously unseen or unknown malware that contains genes that indicate malicious behavior."
Edited July 3, 2023 by SeriousHoax
SeriousHoax 87 Posted July 4, 2023 (edited)
14 hours ago, itman said:
-EDIT- Also his scan shows only 26 vendors which means he did not scan at VT. The above linked VT sample was posted on 5/29. His scan was done on 6/27. Something not right here.
Because they are not the same samples. Your VT link is an older sample. The two sample IOCs provided in the research blog OP posted are not present in VirusTotal. Also, they performed dynamic analysis too, so it's clear that out of those 26 vendors, only ESET detected it at that time. Of the reputable vendors, I only see that Norton wasn't tested.
Edited July 4, 2023 by SeriousHoax
itman 1,741 Posted July 4, 2023 (edited)
5 hours ago, SeriousHoax said:
The two samples IOC provided in the research blog OP posted are not present in Virustotal
Maybe not. If you refer to the URL section of the Uptycs article, a VT graph is shown. Note that what is shown on the VT graph are hashes of other like Meduza samples Uptycs found that are publicly accessible. Again, Uptycs states this is the same malware. I checked the hashes shown in the VT graph and they all have a high vendor detection rate at VT. Furthermore, these samples were posted to VT at or around 6/15/2023, two weeks prior to Uptycs' supposed comparative vendor scan of their malware samples. I stand by my contention that something is not right with the samples that Uptycs highlighted in their article. Add to this the fact that Uptycs never posted their samples to VT for a vendor comparative scan. I state that the Uptycs article is a scam.
To add to the confusion here, Uptycs named their detection Meduza versus prior like malware being named Medusa. Then you have outfits like RussianPanda.com referring to the older variants as Meduza versus Medusa.
Edited July 4, 2023 by itman
SeriousHoax 87 Posted July 4, 2023
3 hours ago, itman said:
Maybe not. If you refer to the URL section of the Uptycs article, shown is a VT graph. Note what is shown on the VT graph are hashes of other like Meduza samples Uptycs found that are publicly accessible. Again, Uptycs states this is the same malware. I checked the hashes shown in the VT graph and they all have a high vendor detection rate at VT. Furthermore, these samples were posted to VT at or around 6/15/2023; two weeks prior to Uptycs supposed comparative vendor scan of their malware samples.
Yeah, I checked those too last night and they are indeed present in VT. Maybe one wasn't? I forgot. But the two MD5s they shared on their site are not present in VT.
3 hours ago, itman said:
I stand by my contention that something is not right with the samples that Uptycs highlighted in their article. Add to this the fact that Uptycs never posted their samples to VT for a vendor comparative scan. I state that the Uptycs article is a scam.
Wow, that's a big claim. I don't know about it being a scam. But why would they show ESET's detection? A sample not being in VT is not uncommon, especially if the vendors also sell a threat intelligence service. For example, ESET has not always shared their researched samples on VT, but it's understandable. ESET is also a well-known and respected company, while I don't know much about Uptycs. But releasing scam research where everyone but one didn't detect wouldn't go unnoticed in other vendors' eyes. So, I can't comment on that.
itman 1,741 Posted July 4, 2023 (edited)
45 minutes ago, SeriousHoax said:
But why would they show ESET's detection?
It's not uncommon for malware testers to "tweak" malware. The AV lab MRG Effitas is best known for this via its simulated malware testing. For example, they used a "tweaked" Chaos 3 ransomware sample in a number of tests which Eset had a hard time detecting. The difference between AV labs doing this type of testing and others doing so is that the AV lab fully discloses the synthetic malware testing. The "giveaway" for me in the Uptycs testing is that at least they had one well-known AV detect their sample. Assumed is that they left a code snippet or the like in the malware samples they knew Eset would detect, or the code was left in place by accident. This lends legitimacy to the malware having been discovered in the "wild." Finally, Uptycs did not disclose where/how they did their comparative vendor product testing. This puts them in the category of all the ad hoc testers on the web. There is also an established practice in the security community to disclose 0-day malware upon detection to prevent the spread of the malware. One way of doing so is by uploading the malware to VT.
Edited July 4, 2023 by itman
itman 1,741 Posted July 4, 2023 (edited)
There is another possibility in regards to these Uptycs malware samples. They stated in their article that they monitor the Dark Web and like nasty places. They could have been able to "pilfer" a beta version of this latest Medusa malware variant prior to it being released in the wild. This would explain the non-public disclosure of their malware samples, lest their surveillance activities be exposed. However, there is no way of knowing if the final production version of this latest Medusa variant contained code that could be identified by other security solutions when it was released to the wild. Based on this: https://www.virustotal.com/gui/file/2ad84bfff7d5257fdeb81b4b52b8e0115f26e8e0cdaa014f9e3084f518aa6149 , TrendMicro is detecting it as SmokeLoader, plus most of the behavior-based security solutions are also detecting it. This leads me to believe additional detectable code was inserted into the production version. What is interesting is Kaspersky doesn't detect it.
Edited July 4, 2023 by itman
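The check itman walks through in the posts above (when VT first saw a hash versus the date of the article's scan, how many engines actually returned a verdict, and which engines flagged or missed it, e.g. the SmokeLoader name from one engine) can be done mechanically against a VirusTotal API v3 file report. The code below is an added example, not from this thread or from any vendor; it parses the report shape returned by GET /api/v3/files/{hash} (fields first_submission_date and last_analysis_results), and the embedded report, its hash and its engine names are constructed placeholders, not a real sample.

```python
import json
from datetime import date, datetime, timezone

# Constructed stand-in for a VirusTotal API v3 file report. The hash, timestamp
# and engine names are made up for this example; they are not from the thread.
SAMPLE_REPORT = json.dumps({
    "data": {
        "id": "00" * 32,  # constructed placeholder, not a real sample hash
        "attributes": {
            "first_submission_date": 1686787200,  # 2023-06-15 00:00 UTC (constructed)
            "last_analysis_stats": {"malicious": 3, "undetected": 2, "type-unsupported": 1},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "Stealer.Win32"},
                "EngineC": {"category": "malicious", "result": "SmokeLoader"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
                "EngineF": {"category": "type-unsupported", "result": None},
            },
        },
    }
})

# Categories in which an engine actually examined the file and gave a verdict.
VERDICT_CATEGORIES = {"malicious", "suspicious", "undetected", "harmless"}
FLAGGED_CATEGORIES = {"malicious", "suspicious"}


def summarize_report(report_json, claimed_scan_date_iso):
    """Extract the facts the thread argues over: VT first-seen date, whether
    that predates the article's claimed scan date, and which engines flagged
    the file. claimed_scan_date_iso is an ISO date string such as "2023-06-27"."""
    attrs = json.loads(report_json)["data"]["attributes"]
    first_seen = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc).date()
    claimed = date.fromisoformat(claimed_scan_date_iso)
    results = attrs["last_analysis_results"]
    # Engines that returned no verdict (unsupported type, timeout, failure) are
    # not counted as having scanned the file in a vendor comparison.
    scanned = {n: r for n, r in results.items() if r["category"] in VERDICT_CATEGORIES}
    flagged = {n: r["result"] for n, r in scanned.items() if r["category"] in FLAGGED_CATEGORIES}
    return {
        "first_seen": first_seen.isoformat(),
        "seen_before_scan": first_seen < claimed,
        "days_before_scan": (claimed - first_seen).days,
        "engines_scanned": len(scanned),
        "engines_flagged": sorted(flagged),
        "engines_missed": sorted(set(scanned) - set(flagged)),
        "verdicts": flagged,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT, "2023-06-27"), indent=2))
```

With a real report, a first-seen date well before the claimed scan date, combined with a high flagged count, is what makes the "26 vendors, only one detection" claim worth questioning rather than taking at face value.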
Nightowl 206 (Most Valued Members) Posted July 6, 2023 (edited)
On 7/4/2023 at 10:50 PM, itman said:
There is another possibility in regards to these Uptycs malware samples. They stated in their article that they monitor the Dark Web and like nasty places. They could have been able to "pilfer" a beta version of this latest Medusa malware variant prior to it being released in the wild. This would explain the non-public disclosure of their malware samples lest their surveillance activities be exposed. However, there is no way of knowing if the final production version of this latest Medusa variant contained code that could be identified by other security solutions when it was released to the wild. Based on this: https://www.virustotal.com/gui/file/2ad84bfff7d5257fdeb81b4b52b8e0115f26e8e0cdaa014f9e3084f518aa6149 ,TrendMicro is detecting it as SmokeLoader plus most of the behavior based security solutions also are detecting it. This leads me to believe additional detectable code was inserted into the production version. What is interesting is Kaspersky doesn't detect it.
Kaspersky detection now has UDS in the name. Malware Hashes (UDS) – a set of file hashes detected by Kaspersky Lab cloud technologies (UDS stands for Urgent Detection System) based on a file's metadata and statistics (without having the object itself). It's weird, and also I've posted because of your question.
Edited July 6, 2023 by Nightowl