The Medusa banking trojan, also known as TangleBot, has resurfaced after a year of low activity and is now targeting countries including France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey. This resurgence, observed since May, involves more compact variants of the malware, which require fewer permissions and incorporate new features to facilitate transactions directly from compromised devices.
Medusa, a malware-as-a-service (MaaS) operation discovered in 2020, provides functionalities such as keylogging, screen control, and SMS manipulation. Despite sharing a name, this operation is distinct from the ransomware gang and the Mirai-based botnet associated with DDoS attacks.
The recent Medusa campaigns were detected by Cleafy, an online fraud management company, which noted that the new malware variants are lighter and include capabilities like full-screen overlaying and screenshot capturing. These campaigns, first evidenced in July 2023, primarily use SMS phishing (smishing) to distribute the malware through dropper applications.
Cleafy identified 24 campaigns linked to five separate botnets: UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY. The UNKN botnet, in particular, targets European countries such as France, Italy, Spain, and the UK, using dropper apps like a fake Chrome browser, a 5G connectivity app, and a fake streaming app called 4K Sports.
The use of the 4K Sports streaming app as a lure is notably well timed: it coincides with the UEFA EURO 2024 championship, making it timely bait for unsuspecting users.
All the campaigns and botnets are managed by Medusa’s central infrastructure, which dynamically updates command and control (C2) server URLs through public social media profiles. This centralized approach helps efficiently orchestrate the malware’s operations across various campaigns and regions.
The latest variant of Medusa has a reduced footprint on compromised devices, requesting only a limited set of permissions while still requiring Android’s Accessibility Services. The malware retains its ability to access the victim’s contact list and send SMS, a critical distribution method.
Cleafy’s analysis indicates that the authors removed 17 commands from the previous version and introduced five new ones, including commands for uninstalling specific applications, requesting ‘Drawing Over’ permissions, setting a black screen overlay, taking screenshots, and updating user secrets.
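The reduced permission footprint described above (Accessibility Services plus SMS sending, contact access and the ‘Drawing Over’ overlay permission) is something a defender can check for statically. The following triage helper is an added example, not Cleafy’s analysis tooling or code from the malware; it parses a constructed AndroidManifest.xml and flags that capability combination for manual review.

```python
# Added triage helper (not Cleafy's or Medusa's code): flag a manifest whose
# permission/service mix matches the slimmed-down Medusa footprint described
# above: accessibility service + send SMS + read contacts + "draw over" overlay.
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix
CAPABILITIES = {  # capability -> manifest permission that grants it
    "sms_send": "android.permission.SEND_SMS",
    "contacts": "android.permission.READ_CONTACTS",
    "draw_over": "android.permission.SYSTEM_ALERT_WINDOW",
}

def manifest_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {e.get(A + "name") for e in root.iter("uses-permission")}

def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if a <service> is bound with BIND_ACCESSIBILITY_SERVICE and
    registers the AccessibilityService intent action (how an app obtains
    Android Accessibility Services, the hook Medusa still requires)."""
    root = ET.fromstring(manifest_xml)
    for svc in root.iter("service"):
        if svc.get(A + "permission") != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        if any(a.get(A + "name") == "android.accessibilityservice.AccessibilityService"
               for a in svc.iter("action")):
            return True
    return False

def triage(manifest_xml: str) -> dict:
    """Return which capabilities the manifest grants plus an overall verdict."""
    perms = manifest_permissions(manifest_xml)
    found = {cap: perm in perms for cap, perm in CAPABILITIES.items()}
    found["accessibility"] = declares_accessibility_service(manifest_xml)
    # All four together is the combination the report describes; route for review.
    found["medusa_like"] = all(found.values())
    return found
# Constructed sample manifest of a hypothetical dropper-style app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

Legitimate apps (SMS clients, screen readers, remote-support tools) can hold subsets of these permissions, so the verdict is a prioritisation signal for review, not a malware determination on its own.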
The ‘setoverlay’ command, in particular, enables deceptive actions such as making the device appear locked or shut off to conceal ongoing malicious activities.
The addition of screenshot-capturing capabilities represents a significant enhancement, allowing threat actors to steal sensitive information from infected devices. The Medusa banking trojan operation is becoming more sophisticated and stealthier, potentially paving the way for larger-scale deployments and increased victim numbers.
While Cleafy has not yet found any dropper apps on Google Play, the growing number of cybercriminals involved in the MaaS operation suggests that distribution strategies will continue to evolve and become more sophisticated, posing an increasing threat to users worldwide.