- Slow Computer
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
MedusaHTTP is an HTTP-based botnet that is primarily used for DDoS (distributed denial of service) attacks. This infection is believed to have evolved from the IRC-based botnet called MedusaIRC, which, of course, was built and distributed by the same people. According to malware experts, the IRC version has been active since 2015 and the HTTP version since 2017. Unfortunately, anyone can purchase the code of this malware, and that is one of the reasons why it has not been stopped yet. If a single attacker were behind these botnets, it might be possible to shut them down permanently. However, because an unknown number of parties could be operating these botnets, we really cannot predict when the last attack will occur. The good news is that securing the Windows operating system against this botnet should not be too complicated. What if it has already invaded your operating system? If that is the case, we will try to help you remove MedusaHTTP.
According to our malware experts, the infamous Rig Exploit Kit stands behind MedusaHTTP. This exploit kit has been used to spread BURAN Ransomware, SystemBC, and many other kinds of infections. To spread the botnet malware, the CVE-2018-4878 Flash vulnerability is believed to have been exploited. Using it, the targeted user’s computer is flooded with malicious ads, and if the victim is tricked into interacting with them, MedusaHTTP can be executed. All known versions of this malware were downloaded into the %APPDATA% directory as .exe files. One version of such a file was named “Asus Gaming.exe,” which, of course, is meant to keep the victim from spotting and deleting it right away. Note that other names could be employed as well, and they are likely to be misleading too. If you detect a file that you are not familiar with, the best thing you can do is inspect your operating system using a legitimate malware scanner. If the file is malicious and requires removal, you will be informed about it immediately. What should you do next? You must delete the file, of course.
It is known that MedusaIRC was sold for $500 on underground hacker forums. The price of MedusaHTTP is unknown, but it is likely to be similar or higher. Once the attacker deploys this threat, they can use HTTP-based command and control communication to exchange information with it. Over this channel, the bot receives either a plain HTTP response status code or a command. In the first case, the bot waits; in the second, it performs the task that the command specifies. As we mentioned earlier, this malware is most likely to be used in DDoS attacks. A botnet, if you did not know, is a network of Internet-connected devices that can offer remote attackers a great deal of power. A distributed denial of service attack is an attack during which the normal traffic of a targeted server or network is disrupted. That is done by flooding that server or network with traffic from infected systems. Obviously, the more systems MedusaHTTP infects, the greater the overall power of the botnet. Basically, the goal is to disrupt normal activity, which can be annoying, expensive, and dangerous. For example, if a DDoS attack is targeted at a virtual security service, it could make it easier for other malware to attack.
So, how do you stop MedusaHTTP? As we discussed already, a Flash vulnerability is exploited to help with the execution of this malware. That means that patching this vulnerability should be enough to ensure that the threat does not stand a chance of adding your system to the botnet. Our research team advises updating Flash Player as soon as possible, but remember that your entire operating system and all installed applications must be kept up to date. Cyber attackers use any security hole they can find to attack systems, and while not all of them are used to execute botnet malware, there are plenty of other dangerous threats that could attack through them. If a legitimate malware scanner has detected threats already, it is important to remove them quickly. We hope that you can delete MedusaHTTP yourself by eliminating malicious files from %APPDATA%, but we advise employing anti-malware software to keep your operating system guarded. Besides ensuring complete removal of existing threats, it can also ensure complete protection, and that is very important.
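To support the manual check described above and the %APPDATA% drop location mentioned earlier, here is an added triage script; it is not part of the original article or the malware. It assumes an elevated PowerShell 5.1+ session on the suspect Windows host, and its look at the standard Run keys is an added assumption about persistence that the article itself does not state.

```powershell
# Added triage script (not from the original article). Lists executables under
# %APPDATA%, reports whether each carries a valid Authenticode signature, records
# a SHA256 for lookup, and flags any Run-key entry that launches something from
# the AppData tree. It only reports; it deletes nothing.
# Assumption: run in an elevated PowerShell 5.1+ session on the suspect host.

$appData = $env:APPDATA

# 1. Every .exe under %APPDATA% (the article names this as the drop location,
#    e.g. a file called "Asus Gaming.exe").
$exes = Get-ChildItem -Path $appData -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue

$findings = foreach ($exe in $exes) {
    $sig  = Get-AuthenticodeSignature -FilePath $exe.FullName
    $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
    [PSCustomObject]@{
        Path      = $exe.FullName
        SizeKB    = [math]::Round($exe.Length / 1KB, 1)
        Created   = $exe.CreationTime
        SigStatus = $sig.Status            # 'Valid' for a properly signed binary
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash                  # submit to a reputation service or scanner
    }
}

# Unsigned or badly signed executables in a roaming profile deserve a look first.
$findings | Sort-Object SigStatus | Format-Table -AutoSize

# 2. Autostart entries that point into AppData (assumed persistence location;
#    the symptom list says the threat installs itself without consent).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ($p.Value -match 'AppData') {
            Write-Output ("Autostart from AppData: {0}\{1} -> {2}" -f $key, $p.Name, $p.Value)
        }
    }
}
```

Anything the script lists still needs confirmation with a legitimate malware scanner before deletion, since legitimate installers also place signed executables under %APPDATA%.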