CTI Roundup: Medusa ransomware and a joint advisory for Androxgh0st malware

In this week’s roundup, CTI looks at the recent increase in Medusa ransomware activities and the group’s latest tactics. Next, CTI explains how infostealers are increasingly targeting macOS. Finally, CTI wraps things up with an overview of a joint cybersecurity advisory from the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that was released to disseminate known IOCs and TTPs associated with threat actors deploying the Androxgh0st malware.

1. Medusa ransomware pivots to extortion

Researchers at Palo Alto Networks have discovered an increase in Medusa ransomware activities along with a shift in tactics from the group.

Medusa ransomware is pivoting towards extortion with the help of its Medusa blog site, which the group uses to leak stolen data. The operation’s multi-extortion strategy gives victims several options to pick from like a time extension, data deletion, or download of all the stolen data, each of which comes with a different price tag.

A closer look at Medusa ransomware

The Medusa RaaS platform emerged in late 2022 but did not gain much traction until early 2023. The ransomware targets Windows devices and tends to exploit vulnerable services and hijack legitimate accounts.

The ransomware leverages living-off-the-land techniques by using software for malicious purposes to blend into regular traffic. Medusa ransomware released its Medusa Blog in 2023 which is used by the group to leak stolen data.

Victims of Medusa ransomware have multiple options when visiting the Medusa blog:

• Victims can pay a standard fee of $10,000 for a one-day time extension to prevent the data from being published on the blog.
• They can also request the data to be deleted and request to download and view the stolen data. These options come with a hefty fee.

A recent post to the blog was a video showing files of a compromised organization. The video had a caption of “Medusa Media Team” which researchers believe to be a branch of the operation that handles the public brand.

In addition to being a data leak site and a place to host videos of stolen data, the blog also includes links to Telegram and X. The Telegram link is supposed to be “information support”. In contrast, the X link is just a search result page for “Medusa ransomware.”

Medusa victimology

Medusa ransomware targets a range of sectors and does not appear to be highly targeted when it comes to sectors. The top targeted sector, which was technology, accounted for less than 10 of the group’s 74 attacks.

The group is more targeted when it comes to the geographic location of their attacks. Medusa has targeted organizations across multiple countries, but the U.S. was the top target.

Ransomware binary

Palo Alto also discovered a common theme in Medusa’s binary which was the use and inclusion of the term “gaze” in the debug path in PEStudio.

This theme led them to refer to the ransomware binary as Gaze. The ransomware can run with 11 possible arguments and has received updates since its first emergence in 2023. The ransomware uses RSA asymmetric encryption and appends .medusa to encrypted files. It will avoid encrypting files with the .dll, .exe, .lnk, and .medusa extensions. After dropping the ransom note, it will delete itself from the system to hinder recovery and analysis.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The Medusa ransomware operation is somewhat opportunistic, targeting organizations across a wide range of sectors. This is typical of many ransomware operations.

What’s apparent is that ransomware operations are starting to function more and more like true organizations, as evidenced by the additions of the Medusa Blog and Media Team. Outside of the business-like setup, Medusa has some sophisticated exploitation strategies and techniques. As such, it’s quickly becoming a more significant threat in the ransomware landscape.

2. Infostealers evade macOS anti-malware

SentinelOne recently uncovered three active macOS infostealers that are capable of evading macOS’s built-in anti-malware system, XProtect.

KeySteal

• KeySteal malware was first reported in 2021 and has been evolving ever since. In February 2023, Apple added a signature to XProtect that would detect KeySteal. However, due to the malware’s evolution, this signature no longer detects current versions.
• KeySteal was originally distributed as a .pkg within an embedded macOS utility called ReSignTool. Threat actors modified the legitimate open-source application’s code to steal keychain information and drop persistence components.
• The most recent KeySteal variants have changed even more. They no longer use the ReSignTool and rather appear in Mach-O binaries as UnixProject or ChatGPT.
• What’s unclear is how these new variants are being distributed. The latest variants are not only undetected by XProtect, but also have low detection rates on VirusTotal. SentinelOne notes that there is one thing in common between the first versions and the latest versions and that is a hardcoded C2. This hardcoded C2 still gives some static detections a chance, though maybe not for long.

Atomic Stealer

• Atomic Stealer has been reported on several times and is still active. This macOS malware has undergone several changes, leaving many different versions of the malware seen in the wild simultaneously.
• SentinelOne has reported seeing variants of the malware that are not currently detected by XProtect, many of which also have low detection rates on VirusTotal.
• The malware prevents victims, analysts, or malware sandboxes from running the terminal at the same time as the stealer. Recent variants use hardcoded AppleScript in clear text that indicates the malware’s stealing logic.
• Threat actors typically distribute this malware via torrents or social gaming platforms.

CherryPie

• CherryPie malware was added to XProtect in v2176.
• This malware, also known as GaryStealer and JaskaGo, is a macOS/Windows stealer that currently has low detection rates on VirusTotal.
• Some versions of the malware use the legitimate open-source Wails project to wrap the malicious code into an app bundle.
• Many of the samples that SentinelOne has observed are signed with an ad hoc signature and have code used to disable Gatekeeper.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Relying solely on static detection is simply not enough to keep up with the evolving threat landscape. Static detection for malware is becoming a game of whack-a-mole and is not always effective.

SentinelOne notes that, aside from native macOS capabilities, ‘proactive threat hunting, enhanced detection rules, and awareness of the evolving tactics can help security teams to stay ahead of threats targeting the macOS platform.’

3. The FBI and CISA issue a joint advisory for Androxgh0st malware

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint cybersecurity advisory to disseminate known IOCs and TTPs associated with threat actors deploying the Androxgh0st malware.

Several ongoing investigations provided details on Androxgh0st malware, including the malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

What is Androxgh0st?

Androxgh0st is a Python malware that is designed to find and extract .env files containing credentials for applications like AWS, Microsoft Office 365, and others. It supports many functions that enable it to abuse SMTP like scanning and exploiting exposed credentials and APIs and web shell deployment. Fortinet is observing Androxgh0st malware attempts on more than 40,000 Fortinet devices per day.

Targeting the PHPUnit

The malware tends to use scripts, conduct scanning, and search for websites with specific vulnerabilities. More specifically, the threat actors deploying this malware seem to exploit CVE-2017-9841 to remotely run PHP on fallible websites via PHPUnit.

Websites that use this module and have internet-exposed or vendor folders may be at risk from malicious HTTP POST requests directed to a specific URL. This page will run PHP code that is submitted via a POST request, therefore allowing the threat actor to remotely execute code.

The threat actor uses Androxgh0st to download additional malicious files to the system hosting the website. With this access, they can set up fake pages that are accessible via the URI to establish a backdoor to the website.

Laravel framework targeting

The malware establishes a botnet to scan for websites via the Laravel web app framework. It uses Laravel to identify websites and then determines if the domain’s root level .env file is exposed or not and if it contains credentials.

If the file is exposed, the threat actor can use a GET request to the URL and attempt to access the data. The malware can also access the application key for the Laravel application on the website. If they can identify the application key, they can attempt exploitation using the key to encrypt the PHP code, passing the code as a value in the XSRF token.

Apache web server targeting

Threat actors using Androxgh0st are also observed scanning Apache web servers that may be vulnerable to CVE-2021-41773. The actors can identify URLs for files outside the root directory via a path traversal attack. These files, if not protected, could allow for remote code execution. If the threat actor successfully obtains credentials for any services via these methods, they can use the credentials to access sensitive data or carry out subsequent malicious actions.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The recent surge in Androxgh0st activity is certainly alarming, especially considering its targeting of things like AWS and Office.

The malware was first reported in 2022 and seemingly didn’t get much attention until recently. It’s possible that it either wasn’t being leveraged much or was simply going unnoticed.

Either way, the joint advisory details some mitigation recommendations that can help to protect against Androxgh0st. It’s worth taking a look at the report.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.