Following our research on Cyperine 2.0 and Next Man History Stealer, the malware author rebranded their info stealer as Medusa. While it basically has the same featurse as Cyperine, you now need a valid account to access the builder. The example below compares Cyperine on the left and Medusa on the right, which shows a user logged in as Deadzeye.
Figure 01. Builder comparison between Cyperine (Left) and Medusa (Right)
The builder signatures clearly show that both of these variants were made by the same author, who goes by the name rE-BoOt and uses the skype name Gamerion24. This is important, since we will use this information to back up our claim that we have been able to identify the author.
In addition, the firstname.lastname@example.org (the author’s email address) seen in the Medusa builder input field is fairly familiar, since this is the email address of the receiver of stolen information we identified in our previous blog, which makes us believe that the account owner (Deadzeye) is the author.
Since we were able to obtain the author’s credentials from the Cyperine sample through reverse engineering, we then monitored email being sent to that account using the web panel. Luckily, during the testing of Medusa the author infected his own computer, and his information was sent to the account we were monitoring. Below is the information we captured during the testing of Medusa.
Figure 02. Logs captured from the info stealer malware
Taking a look at the “Pc Info” section, we see the machine name is Matthew, which is the same name used by the signers DESKTOP-DIEEPUR\Matthew that we discovered in the two previous info stealers we analyzed. Of course, using only this information, Matthew could be anyone. Fortunately, the info stealer tool features captured screenshots that allowed us to conduct further checks.
Figure 03. Binary file properties
Some of the screenshots are quite interesting, as seen below. One includes the Medusa builder window on the left, with the email@example.com Gmail account opened in the background, which is the same as the one we identified in the previous info stealer, Cyperine. On the right side, Skype is opened and the user is logged in as Gamerion24/rE-BoOt, and it looks like they are giving an online demo.
Figure 04. Screenshot showing indications of Medusa and Cyperine
The second screenshot shows a skype account named Matthew, which we believe is the author’s real account. And the opened tabs in the browser again show the Gmail account “starcaster30,” and an ad on a gaming/hack forum for Medusa.
Figure 05. Screenshot showing a personal Skype account
Some of the screenshots taken pointed us towards a young adult male’s Facebook account, with the now familiar name of Matthew, who apparently lives in Siggiewi, which is a city in Malta.
Figure 06. Facebook page of the author
Going back to the “Pc Info” we captured from the author, we looked up the IP address 18.104.22.168, and its location is coincidentally also located in Malta.
Figure 07. IP address location
We also discovered more evidence that helped lead to identifying the location of the author. The web panel used in Cyperine included an IP Access Management feature that displayed the last logins. Here we found two logins from the same IP address identified previously.
Figure 08. Last login list in the web panel
Since our first article, the author has remained strangely quiet, most likely to hide from the radar of security investigators. Furthermore, the captured credentials we used to access the web panel have been changed, and it is now inaccessible. In spite of that, as we have shown, there is strong evidence that seems to point to the author of these info stealer tools. However, it is difficult to be 100 percent certain. Regardless, the information shared in this post, along with additional, more detailed information, has been provided to Interpol/Europol, and further investigation will follow with the help of local law enforcement.
Special thanks to our team mate Tony Loi for his inputs.
-= Fortiguard Lion Team =-
Detected as: MSIL/Cyperine.A!tr
%Temp%\ProduKey.exe – tool to retrieve stored product keys
%Temp%\ChromePass.exe – tool to retrieve stored username and passwords
%Temp%\ChromePass.txt – log file
%Temp%\ProduKey.txt – log file
%Appdata%\Cyperine – folder to store all stolen data
Detected as: MSIL/HistoryStealer.A!tr