Carding Forum
The Medusa banking Trojan targeting Android is active again after a nearly year-long lull. The malware now attacks users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.
Cleafy specialists report that the malware activity resumed in May of this year, and now attacks are carried out using more compact versions of Medusa, which require fewer permissions. The banker also has new features: it tries to initiate transactions directly from a compromised device, includes full-screen overlays, and can take screenshots.
The Medusa Banking Trojan, also known as TangleBot, is a MaaS malware (malware-as-a-service) first discovered in 2020. The malware works as a keylogger, and also intercepts screen control and manipulates SMS messages.
According to the researchers, the first evidence of the existence of new Medusa variants dates back to July 2023. Then Cleafy noticed them in campaigns that used SMS phishing to download malware through dropper apps.
In total, the researchers found 24 campaigns using Medusa and linked them to five separate botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) that distributed malicious apps. It is noted that the UNKN botnet is operated by a separate group and is aimed at European countries, including France, Italy, Spain and the United Kingdom.
Various campaigns using Medusa
Among the dropper apps used in the attacks were: a fake Chrome browser, a 5G connection app, and a fake 4K Sports streaming app. Given that the European Football Championship is currently being held, the choice of the 4K Sports app as a bait looks very timely.
According to experts, all the mentioned campaigns and botnets are managed through the Medusa central infrastructure, which dynamically extracts the URLs of management servers from public profiles in social networks.
Getting C&C addresses
It is also noted that the authors of Medusa clearly decided to reduce the malware's footprint on compromised devices: it now requests only a small set of permissions, although it still requires access to Android Accessibility Services.
In addition, the malware's authors removed 17 commands from the previous version and added five new ones:
• destroyo: delete a specific app;
• permdrawover: request the Drawing Over (overlay) permission;
• setoverlay: set a black screen overlay;
• take_scr: take a screenshot;
• update_sec: update the user's secret.
The setoverlay command deserves special attention, as it allows remote attackers to create the appearance of a locked or switched-off device in order to hide the malicious actions taking place in the background in the meantime.
An equally important addition is the ability to take screenshots, as this provides attackers with a new way to steal confidential information from infected devices.
Although Cleafy has not found any Medusa droppers in the Google Play store, it is expected that as the number of cybercriminals using this malware increases, its distribution methods will become more diverse and sophisticated.