New fraud campaigns have been discovered involving the Medusa (TangleBot) banking Trojan, which had evaded detection for almost a year.
An analysis published by Cleafy researchers last week revealed that this sophisticated malware family, first identified in 2020, has resurfaced with significant changes.
This malware, known for its remote access Trojan (RAT) capabilities, includes keylogging, screen control and SMS reading/writing, enabling threat actors to execute on-device fraud (ODF), a highly dangerous form of banking fraud.
Recent findings show discrepancies between new Medusa samples and older variants, with later versions employing a more lightweight permission set and new features like full-screen overlay displays and remote uninstallation of applications.
Medusa initially targeted Turkish financial institutions but expanded to North America and Europe by 2022. Its RAT capabilities give threat actors full control of compromised devices, using VNC for real-time screen sharing and accessibility services for interaction. This facilitates dangerous attacks like account takeover (ATO) and automatic transfer system (ATS) fraud.
Cleafy has now identified five different botnets operated by affiliates, each targeting different geographical regions and using unique decoys. Targets now include not only Turkey and Spain but also France and Italy. A notable shift in distribution strategy was also observed, with threat actors using “droppers” to deliver the malware via fake update procedures.
The malware coordinates its functionality through a secure WebSocket connection to the attackers’ infrastructure, dynamically fetching the command-and-control (C2) server URL from social media profiles on platforms like Telegram and X (formerly Twitter). This dynamic retrieval increases resilience against takedown attempts, since a seized C2 server can be replaced by updating the profile.
The latest Medusa variant’s strategic shift minimizes the permissions it requests and evades detection, allowing it to operate undetected for longer periods.
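As an added illustration (not code from the article or from Cleafy), the following Python triage helper parses an Android manifest and flags the combination of capabilities described above: an accessibility service declaration (the basis for screen control), the overlay permission, and SMS read/write permissions. The permission and intent-action identifiers are real Android names; the risk tiers and the two sample manifests are constructed for this example and are not Medusa artefacts. The "review" tier exists precisely because the newer variant requests fewer permissions, so an accessibility service on its own is still worth a look when the app poses as a system update.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission and intent-action identifiers that map onto the
# capabilities the article describes: full-screen overlays, SMS read/write,
# and screen control through accessibility services.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def declares_accessibility_service(root: ET.Element) -> bool:
    """True if any <service> in the manifest binds as an accessibility service."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND_PERM:
            return True
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION:
                return True
    return False


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability signals found and a coarse risk tier.

    Tiers are a hypothetical heuristic (not Cleafy's): 'high' when an
    accessibility service is paired with overlay or SMS access, 'review'
    when only the accessibility service is present (the slimmed-down
    permission set the article describes), otherwise 'low'.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    signals = []
    if declares_accessibility_service(root):
        signals.append("accessibility_service")
    if perms & OVERLAY_PERMS:
        signals.append("overlay")
    if perms & SMS_PERMS:
        signals.append("sms")

    if "accessibility_service" in signals and len(signals) > 1:
        tier = "high"
    elif "accessibility_service" in signals:
        tier = "review"
    else:
        tier = "low"
    return {"signals": signals, "tier": tier}


# Constructed sample manifests for demonstration only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="System Update">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(name, triage_manifest(manifest))
```

In practice the manifest would come from a decoded APK (for example via apktool) rather than an inline string; the scoring is deliberately coarse, since legitimate accessibility apps also declare the service, and its purpose is to prioritise samples for analyst review, not to convict them.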
“The combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusa’s evolving nature,” reads the advisory.
“As the TAs [threat actors] refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defenses to counter these emerging threats.”