Cybersecurity researchers at the Cleafy Threat Intelligence team have discovered a new variant of the Medusa banking trojan that has returned to Android devices after evading detection for nearly a year.
It has been spotted in new campaigns to target users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.
Discovered in 2020, Medusa (also known as TangleBot) is a sophisticated malware family with Remote Access Trojan (RAT) capabilities.
It has now re-emerged with significant changes, including keylogging, screen controls, and the ability to read and write SMS messages.
Those capabilities enable threat actors (TAs) to perform one of the riskiest formsย of banking fraud:ย On-Device Fraudย (ODF).
Cleafy’s Threat Intelligence team discovered the new variant of the Medusa banking trojan while monitoring fraud campaigns in late May 2024.
They observed a surge in installations of a previously unknown app called “4K Sports,” which exhibited characteristics that didn’t perfectly align with known malware families.
Recent findings show some discrepancies between new Medusa samples and the previously known ones, including aย lightweight permission setย andย new features, such as the ability to display full-screen overlay displays and remote application uninstallation.
Initially targeting Turkish financial institutions, Medusa quickly expanded its scope by 2022, launching major campaigns inย North America and Europe. Its RAT capabilities allow threat actors to completely control compromised devices using VNC for real-time screen sharing and accessibility services.
This facilitates dangerous attacks like account takeover (ATO) and automatic transfer system (ATS) fraud.
โThis RAT (Remote Access Trojan) grants TAs complete control of compromised devices by exploiting VNC for real-time screen sharing and accessibility services for interaction. These capabilities provide TAs the ability to perform On-Device Fraud (ODF),โ cybersecurity firm Cleafy researchers saidย in an analysis published last week.
โODF is one of the most dangerous types of banking fraud since wire transfers are initiated from the victimโs device and can be adapted for manual or automatic approaches, such as Account Takeover (ATO) or Automatic Transfer System (ATS).โ
Cleafy has identified five different botnets operated by several affiliates, each demonstrating separate characteristics regarding geographical targeting and decoy used. In addition to Turkey and Spain, the new targets now also include France and Italy.
The researchers also observed an apparent shift in the distribution strategy among the detected campaigns, with threat actors experimenting with โdroppersโ to distribute malware via fake update procedures.
The malware coordinates its functionalities through aย Web Secure Socketย connection to the threat actorโs infrastructure, dynamically fetching the command-and-control (C2) server URL from public social media profiles like Telegram, Twitter, and ICQ for enhanced obfuscation.
This dynamic retrieval increases its resilience against takedown attempts and employs backup channels on these social media platforms for further redundancy.
The latest Medusa variant displays a strategic shift towards a lightweight approach, which minimizes the required permissions and evades detection, enhancing its ability to operate undetected for extended periods.
โThe combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusaโs evolving nature.
As the TAs refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defences to counter these emerging threats,โ the researchers concluded.
