Russian police arrested “three young IT specialists” suspected of developing and selling the Meduza credential-harvesting malware.

Authorities from the Ministry of Internal Affairs of Russia, together with police investigators, charged the men with developing and supplying the information-stealing malware, and tied it to an attack that breached and stole data from a government institution in the country’s southern Astrakhan region in May, said a ministry spokeswoman in a Russian-language post to Telegram(https://t.me/IrinaVolk_MVD/5661).

Police arrested all of the suspects in or around Moscow and seized computing equipment, communication devices and payment cards. Authorities didn’t specify the suspects’ identities or dates of arrest, or under what terms they may have been bailed. They accused the men of gaining unauthorized access to data of “one of the institutions in the Astrakhan region,” referring to a Russian province bordering the Caspian Sea.

Not to be confused with Medusa ransomware, the Meduza infostealer first appeared in mid-2023 and has been sold across Telegram channels and cybercrime forums.

The stealer allowed users to grab data from popular software applications, including but not limited to support of:

• 106 browsers
• 107 cryptocurrency wallets
• any file extension via FileGrabber (module)
• Telegram IM
• Steam
• Discord
• 27 password managers
• OpenVPN
• Outlook (e-mail client)
• Google Tokens

Its popularity among cybercriminals and ties to the wider cybercrime-as-a-service ecosystem has been well documented. When the U.S. Department of Justice in July sanctioned Aeza Group, a bulletproof hosting service, it said the Meduza, Lumma and RedLine infostealers all used it.

Investigators “established that about two years ago the attackers developed and began distributing software called ‘Meduza’ through hacker forums,” the ministry spokeswoman said. “It is designed to steal account credentials, information about crypto wallets and other computer data.”

Priced from $199 for a one-month subscription to $1,199 for lifetime access, Meduza “positions itself as a superior alternative to established stealers like Redline, Raccoon and Vidar” and “boasts a user-friendly GUI for attackers, allowing easy customization and log management,” said cybercrime intelligence firm Hudson Rock(https://www.infostealers.com/article/russian-authorities-bust-meduza-infostealer-developers-young-hackers-detained-in-major-cybercrime-crackdown/).

Criminal use of infostealers continues to surge, collectively accounting for 5.8 million host and device infections, and nearly 2 billion stolen credentials, harvested just in the first half of this year, said threat intelligence firm Flashpoint.

These stolen credentials are batched into a single infostealer log for each infected system. Such files circulate on illicit marketplaces and Telegram channels and “have transformed such attacks into a pathway for gaining corporate network access and launching subsequent operations,” Ian Gray, Flashpoint’s vice president of intelligence, told Information Security Media Group.

Russian Rules

Whether these arrests are part of a wider crackdown isn’t yet clear. “This isn’t the first time Russian authorities have targeted homegrown cyber threats, but the focus on an infostealer like Meduza, often sold as a subscription service on dark web forums, suggests a broader effort to curb tools that fuel global data breaches,” Hudson Rock said.

But apparent Russian crackdowns on cybercriminals are frequently “less about enforcement and more about optics,” said Alexander Leslie, a senior adviser at Recorded Future, in a LinkedIn post.

Russians accused of any type of domestic cybercrime typically face markedly less severe penalties compared to many other countries. Some exceptions apply, including for anyone accused of facilitating the trafficking in illegal drugs, who risk being sent to one of the country’s harsh penal colonies

source: https://www.databreachtoday.com/russian-police-bust-suspected-meduza-infostealer-developers-a-29901