MedusaLocker Server Likely Spotted in the WildSelf-Signed Certificate of Red Team Tool Leads to 'Smoking Gun'
An internet scan for pen testing tools on Russian servers unveiled a web of hosts potentially used to launch ransomware attacks by a crime group known for targeting the healthcare industry.
Attack surface risk firm Censys says it came across a Russian server with a collection of red teaming tools used to compromise hosts and maintain control. Further analysis connected the initial server with another Russian server that, as recently as mid-June, contained a malware kit pointing to an online domain used by the MedusaLocker group.
The U.S. federal government issued a warning earlier this month about MedusaLocker ransomware, saying it exploits unsecured remote desktop software and uses phishing campaigns. Cybereason in 2020 found the malware to be prevalent in the healthcare industry. Medical centers are especially likely to pay ransomware given practitioners' reluctance to disrupt patient care (see: Hackers Claim Drug Data Theft as Reports Warn Health Sector).
Censys says it identified the server with the MedusaLocker malware kit through an iterative process that began with an examination of 7.4 million Russian hosts visible to its internet scans. Two hosts stood out since they contained the Metasploit pen tester and Deimos C2, an open-source command-and-control tool. Further analysis revealed that one of the hosts also had web vulnerability tester Acunetix and had used PoshC2, a red team tool used post-exploitation.
The presence of PoshC2 in particular led Censys to the server with signs of connections to MedusaLocker. By default, PoshC2 creates a self-signed certificate for its HTTP server, the values for which are stored in the file
poshc2/server/Config.py. These values are not stored in the
config.yml configuration file and are therefore harder to change.
The certificate used on the server is listed as an indicator of compromise by the PoshC2 developer, and Censys was able to locate it on just eight other servers after a worldwide search. The company later discovered a ninth host. Other servers in that group also had malware kits on them, but only the one server contained what Censys calls "smoking gun" evidence of connection to MedusaLocker.
It's the presence of a malware kit with
restoreassistance_net@decorous[.]cyou appended to each of the files. MedusaLocker uses
decorous[.]cyou domains to email with victims.
It is possible, the company allows, that the server in question is a victim of hackers, but the persistence of a malware kit that has been modified over time is more in line with the behavior of attackers, it adds.
Censys also spotted servers with the malicious PoshC2 certificate in California, Ohio and Taiwan, as well as other servers in Russia. An active user of Malware Bazaar with the handle @r3dbU7z lists one of the other Russia hosts as part of the MedusaLocker group.