Potentially Destructive Medusa Malware Targets Linux Devices

Description

FortiGuard Labs is aware of a report that a new Medusa malware variant that is targeting Linux-based devices. The Medusa malware is reportedly based on the infamous Mirai malware and is not only capable of launching Distributed Denial of Service (DDoS) attacks and exfiltrating information from compromised devices, but also encrypting files and deleting all files in the system drives.

Why is this Significant?

This is significant because Medusa botnet supports ransomware functionality and is capable of encrypting files on compromised Linux devices. It also deletes files on the hard disk 24 hours after file encryption is finished, which bricks the affected devices.

What is Medusa Malware?

Medusa is a Mirai variant that connects to Command-and-Control (C2) servers, and perform various activities upon receiving commands from C2s. Capabilities include - launching DDoS attacks and exfiltrating information from compromised devices. It can also encrypt files on compromised devices and delete all files in the system drives 24 hours after file encryption is completed, which would make the affected devices unusable.

While infection chain of Medusa botnet has not been identified, exploiting vulnerabilities is the likely infection vector since Medusa ransomware is reportedly based on the infamous Mirai malware. Bruteforcing is another potential attack vector as Linux devices often have weak username passwords combination by default and users tend not to change default passwords.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for this attack:

• Linux/Redis.TSU!tr
• Python/Stealer.DEDC!tr.ransom
• BAT/Agent.P!tr.dldr

FortiGuard Labs has the following IPS signature in place to block download of Medusa malware:

• Embedded.Linux.Malicious.Script

Appendix

New Medusa Botnet Emerging Via Mirai Botnet Targeting Linux Users (Cyble)