BIGFISH TECHNOLOGY LIMITED
27 June 2024

New Medusa malware variants are targeting Android users in seven countries.

The Medusa banking malware for Android has reappeared after nearly a year of low-key efforts in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.

The new activity has been tracked since May and relies on more compact variants that require fewer permissions and add capabilities intended to carry out transactions directly from the infected device.

The Medusa banking trojan, also known as TangleBot, is an Android malware-as-a-service (MaaS) operation first identified in 2020. The malware enables keylogging, screen control, and SMS manipulation.

Despite sharing the same name, the operation differs from the ransomware gang and the Mirai-based botnet for distributed denial-of-service (DDoS) operations.

The recent campaigns were detected by Cleafy's threat intelligence team, which reports that the new variants are lightweight, require fewer device permissions, and add full-screen overlays and screenshot capture.


Latest campaigns

According to the researchers, the earliest indication of the current Medusa variants dates back to July 2023. Cleafy observed them in campaigns that use SMS phishing ('smishing') to side-load the malware via dropper apps.

The researchers detected 24 campaigns using the malware and traced them back to five different botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) that distributed the malicious apps.

The UNKN botnet is run by a different group of threat actors who primarily target European countries, including France, Italy, Spain, and the United Kingdom.

Recent dropper apps used in those attacks include a fake Chrome browser, a 5G connectivity app, and a fake streaming app called 4K Sports.

Given that the UEFA EURO 2024 championship is currently underway, the use of the 4K Sports streaming software as bait seemed apt.

Cleafy claims that Medusa's core infrastructure handles all campaigns and botnets, dynamically retrieving URLs for the command and control (C2) server from public social media profiles.

New Medusa version

The creators of the Medusa malware have chosen to decrease its footprint on compromised devices, requesting only a limited set of permissions while still requiring Android's Accessibility Services.

Additionally, the malware retains the capacity to access the victim's contact list and send SMS, a critical propagation mechanism.

The new variants also add the following commands:

  • destroyo: uninstall a specific application
  • permdrawover: request 'Drawing Over' permission
  • setoverlay: set a black screen overlay
  • take_scr: take a screenshot
  • update_sec: update user secret
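The permission profile described above (Accessibility Services plus contact-list access, SMS sending, and the 'Drawing Over' permission requested by permdrawover) is something a defender can check for statically before an app is installed. The script below is an added example written for this page, not code from Cleafy, BleepingComputer, or the Medusa operators: it parses an AndroidManifest.xml, looks for an accessibility service declaration alongside a set of watched permissions, and returns a verdict. The watched permission set, the "two or more hits" threshold, and the sample manifest (labelled "4K Sports" after the decoy named in the article, with a placeholder package name) are all assumptions constructed for the demonstration.

```python
"""Static triage of an Android manifest for the permission profile described above.

Added example, not from Cleafy's report or the Medusa code: it flags an APK whose
manifest combines an accessibility service with SMS, contacts and overlay
permissions. The sample manifest below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Watched permissions (assumed set) that, alongside an accessibility service,
# match the profile: contact-list access, SMS sending, drawing over other apps,
# and installing further packages as a dropper would.
WATCHED_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS (propagation)",
    "android.permission.READ_CONTACTS": "reads contact list",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load further packages (dropper)",
}

ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declares_accessibility_service(root: ET.Element) -> bool:
    """True if any <service> is protected by BIND_ACCESSIBILITY_SERVICE or
    registers for the AccessibilityService intent action."""
    for service in root.iter("service"):
        if service.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND:
            return True
        for action in service.iter("action"):
            if action.get(NAME_ATTR) == ACCESSIBILITY_ACTION:
                return True
    return False


def requested_permissions(root: ET.Element) -> set:
    """Collect the android:name of every <uses-permission> element."""
    return {p.get(NAME_ATTR, "") for p in root.iter("uses-permission")}


def triage_manifest(manifest_xml: str) -> dict:
    """Return which watched permissions are present, whether an accessibility
    service is declared, and a verdict: 'review', 'low' or 'clean'."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    hits = {p: WATCHED_PERMISSIONS[p] for p in perms if p in WATCHED_PERMISSIONS}
    accessibility = declares_accessibility_service(root)
    # Accessibility plus at least two watched permissions is the combination
    # worth a manual look (assumed threshold); accessibility alone is common in
    # legitimate assistive apps and only gets a low score.
    if accessibility and len(hits) >= 2:
        verdict = "review"
    elif accessibility or hits:
        verdict = "low"
    else:
        verdict = "clean"
    return {"accessibility_service": accessibility, "hits": hits, "verdict": verdict}


# Constructed sample manifest (not from any real app) showing the profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.sports">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="4K Sports">
        <service android:name=".A11yService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On the constructed sample the script returns a "review" verdict with three permission hits. In practice the manifest is pulled from the APK with a tool such as aapt or apktool before being fed to triage_manifest; the check is a triage aid, not a detection on its own, since legitimate apps can also combine these permissions.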


The 'setoverlay' command is notable because it lets remote attackers perform deceptive actions, such as making the device appear locked or shut down, to conceal on-device fraud (ODF) activity running in the background.

The ability to capture screenshots is also a significant addition, giving threat actors a new way to steal sensitive data from infected devices.

Overall, the Medusa mobile banking trojan campaign looks to be broadening its targeting reach and becoming more stealthy, laying the groundwork for larger-scale deployment and a bigger number of victims.

Although Cleafy has yet to see any of the dropper apps on Google Play, distribution techniques will undoubtedly broaden and grow more sophisticated as more threat actors join the MaaS.


Source: BleepingComputer