Illustration: Supimol Kumying | Shutterstock
Five distinct botnet clusters, consisting of 24 Medusa Remote Access Trojan (RAT) campaigns, have been discovered. The campaigns target Android users in France, Italy, Canada, Spain, the United Kingdom, the United States, and Turkey.
The banking trojan lay dormant for most of 2023 and has resurfaced in 2024 with a new variant featuring a lightweight permission set, full-screen display, and the ability to uninstall applications remotely.
Medusa RAT was first discovered in 2020 and is known for keylogging, screen control, and reading and writing SMS messages. These capabilities enable actors to perform On-Device Fraud (ODF), one of the riskiest types of banking fraud. Initially targeting Turkish financial institutions, Medusa expanded to North America and Europe by 2022.
Researchers have discovered that threat actors have shifted their distribution strategy, experimenting with ‘droppers’ that distribute malware through fake update procedures.
In late May 2024, researchers observed a surge in installations of a previously unknown app called ‘4K Sports.’ Initially, this app’s behaviour hinted at a connection with the Medusa family. However, on further analysis, it was revealed that there were substantial differences from known variants, indicating an evolution in Medusa’s command structure and capabilities.
Medusa RAT’s capabilities allow threat actors to fully control compromised devices through VNC for real-time screen sharing and accessibility services for interaction. This makes Medusa particularly dangerous, enabling fraudulent wire transfers directly from the victim’s device.

Medusa also supports continuous keylogging and dynamic overlay attacks by exploiting accessibility services. Medusa’s new campaigns asked for a minimum set of permissions, including:
- Accessibility Services
- Broadcast SMS
- Internet
- Foreground Services
- Query and Delete Packages
Researchers identified 17 commands that threat actors removed from the previous variant, along with five newly introduced commands. This streamlining aligns with the reduced permission set and aims to decrease detectability and enhance stealth.
These five commands include:
- destroy: To uninstall specific applications.
- permdrawover: To request the "draw over other apps" permission.
- setoverlay: To set the screen overlay to black.
- take_scr: To take screenshots.
- update_sec: To update the user’s secret.
Notably, commands like ‘setoverlay’ allow threat actors to display a black screen overlay on the victim’s device, potentially masking other malicious activities.

Despite these reductions, researchers observed that the core functionalities remain intact. Commands such as ‘sendsms’ and ‘getcontacts’ are still present but are blocked by Android in the absence of the required permissions. This approach ensures the malware’s essential operations continue while reducing the likelihood of detection.
Cybersecurity experts identified two main Medusa botnet clusters with distinct operational characteristics. Cluster 1, comprising AFETZEDE, ANAKONDA, PEMBE, and TONY botnets, primarily targets users in Turkey, with some campaigns extending to Canada and the United States. This cluster employs distribution methods like phishing campaigns.
Cluster 2, comprising the UNKN botnet, focuses on European users, particularly in France and Italy. This cluster utilises novel distribution methods, including droppers downloaded from untrusted sources, indicating a shift from traditional phishing tactics.
The latest campaigns demonstrate a strategic use of samples with a lightweight permission set, requiring only essential functionality. This approach makes the malware less conspicuous during initial analysis and enhances its ability to bypass security checks.
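As an added illustration (not code from the report), here is the kind of manifest check a defender might write in response to this pattern: rather than scoring an app on how many permissions it requests, it flags an app that declares the whole minimal set listed above together with an accessibility service. The mapping from the report's wording to concrete Android permission names, and the two sample manifests, are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Manifest identifiers assumed here to correspond to the permission set listed
# in the report; the mapping is this example's assumption, not the report's.
PROFILE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_SMS",              # "Broadcast SMS" (assumed)
    "android.permission.QUERY_ALL_PACKAGES",       # "Query ... Packages"
    "android.permission.REQUEST_DELETE_PACKAGES",  # "... Delete Packages"
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def manifest_features(manifest_xml: str) -> tuple[set, bool]:
    """Return (declared uses-permissions, whether any service binds accessibility)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    binds_a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
                     for s in root.iter("service"))
    return perms, binds_a11y

def matches_lightweight_profile(manifest_xml: str) -> bool:
    """Flag on the full minimal set plus an accessibility service, not on count."""
    perms, binds_a11y = manifest_features(manifest_xml)
    return PROFILE_PERMISSIONS <= perms and binds_a11y

# Constructed sample manifests (not real samples) used as inputs below.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application><service android:name=".Player"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, matches_lightweight_profile(m))
```

Because the check keys on the combination rather than the number of permissions, a sample that trims its manifest to look harmless still matches, while an ordinary media app that uses only INTERNET and FOREGROUND_SERVICE does not.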
In April 2024, the Mamont banking trojan was found to exploit vulnerabilities in Chrome to infect devices.
In 2023, cybercrooks were found to exploit social media platforms like WhatsApp and Telegram to deploy malicious messages to lure Indian users into installing malicious banking apps. Researchers also discovered Grandoreiro banking malware targeting Spanish citizens.