New Medusa Trojan Variant Emerges with Enhanced Stealth Features


New fraud campaigns have been discovered involving the Medusa (TangleBot) banking Trojan, which had evaded detection for nearly a year. 

An analysis published by Cleafy researchers last week revealed that this sophisticated malware family, first identified in 2020, has resurfaced with significant changes. 

The malware's remote access Trojan (RAT) capabilities include keylogging, screen control and SMS reading/writing, enabling threat actors to carry out on-device fraud (ODF), a particularly dangerous form of banking fraud.

Recent findings show discrepancies between new Medusa samples and older variants, with the later versions requesting a more lightweight permission set and adding new features such as full-screen overlay displays and remote uninstallation of applications.
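The "lighter permission set" observation above is something an analyst can check directly by diffing the `AndroidManifest.xml` of two samples. The following script is an added example, not Cleafy's tooling or anything taken from Medusa samples: the two manifests are constructed for illustration, and the list of high-risk permissions is an assumption chosen to match the capabilities the article describes (SMS access, overlays, package removal) rather than a list recovered from the malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that enable the behaviours the article attributes to the
# malware family. Assumed triage list, not derived from any real sample.
HIGH_RISK = {
    "android.permission.READ_SMS": "read SMS (one-time passcode theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstall applications",
}

# An accessibility service is declared through an intent-filter action,
# not a <uses-permission> entry, so it is detected separately.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifests standing in for an "old" and a "new" sample.
OLD_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.old.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="{ACCESSIBILITY_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

NEW_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.new.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="{ACCESSIBILITY_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (set of requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    has_a11y = any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in root.iter("action"))
    return perms, has_a11y


def compare_manifests(old_xml, new_xml):
    """Diff two manifests and flag the high-risk capabilities the newer one keeps."""
    old_perms, _ = parse_manifest(old_xml)
    new_perms, new_a11y = parse_manifest(new_xml)
    return {
        "removed": sorted(old_perms - new_perms),
        "added": sorted(new_perms - old_perms),
        "high_risk_retained": sorted(p for p in new_perms if p in HIGH_RISK),
        "accessibility_service": new_a11y,
    }


if __name__ == "__main__":
    report = compare_manifests(OLD_MANIFEST, NEW_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
    for perm in report["high_risk_retained"]:
        print(f"  {perm}: {HIGH_RISK[perm]}")
```

The point of the diff is that a shrinking permission list is not the same as a shrinking capability set: a sample can drop noisy permissions such as contacts or microphone access and still keep SMS interception, overlay drawing and an accessibility service, which together are enough for the overlay and screen-control behaviour described above.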

Medusa initially targeted Turkish financial institutions but had expanded to North America and Europe by 2022. Its RAT capabilities give threat actors complete control of compromised devices, using VNC for real-time screen sharing together with accessibility services. This enables dangerous attacks such as account takeover (ATO) and automatic transfer system (ATS) fraud.

Cleafy has now identified five different botnets operated by affiliates, each targeting different geographical areas and using unique decoys. Targets now include not only Turkey and Spain but also France and Italy. A notable shift in distribution strategy was also observed, with threat actors using “droppers” to distribute malware via fake update procedures.


The malware coordinates its functionality over a secure WebSocket connection to the attackers' infrastructure, dynamically fetching the command-and-control (C2) server URL from social media profiles on Telegram and X (formerly Twitter). This dynamic retrieval makes the infrastructure more resilient to takedown attempts.
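From the defender's side, the behaviour described above leaves a recognisable footprint in per-app network telemetry: a fetch of a public social media profile page immediately followed by a WebSocket connection to an unrelated host. The script below is an added example of that detection heuristic; it is not part of the Cleafy analysis, the event records are constructed, and the dead-drop host list, time window and package names are assumptions for illustration.

```python
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlparse

# Public profile hosts that can serve as a "dead drop" for a C2 address.
# Assumed list for the example; extend it to match the telemetry you have.
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "x.com", "twitter.com"}

# Constructed telemetry: (timestamp, package, protocol, url).
SAMPLE_EVENTS = [
    ("2024-06-25T10:00:01", "com.example.updater", "https", "https://t.me/s/example_channel"),
    ("2024-06-25T10:00:03", "com.example.updater", "wss", "wss://203.0.113.10:8443/socket"),
    ("2024-06-25T10:05:00", "com.example.messenger", "https", "https://t.me/s/example_news"),
    ("2024-06-25T11:00:00", "com.example.messenger", "wss", "wss://chat.example.net/ws"),
    ("2024-06-25T10:10:00", "com.example.bank", "https", "https://www.example-bank.test/login"),
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_pattern(events, window_seconds=60):
    """Flag apps that open a WebSocket to an unrelated host shortly after
    reading a public social media profile page."""
    by_package = {}
    for ts, package, proto, url in events:
        by_package.setdefault(package, []).append((datetime.fromisoformat(ts), proto, url))

    findings = []
    for package, rows in by_package.items():
        rows.sort(key=lambda r: r[0])
        for i, (t_drop, proto, url) in enumerate(rows):
            if proto != "https" or _host(url) not in DEAD_DROP_HOSTS:
                continue
            # Look ahead for a WebSocket to a host that is not the dead drop itself.
            for t_sock, proto2, url2 in rows[i + 1:]:
                delta = (t_sock - t_drop).total_seconds()
                if delta > window_seconds:
                    break
                sock_host = _host(url2)
                if proto2 == "wss" and sock_host not in DEAD_DROP_HOSTS:
                    findings.append({
                        "package": package,
                        "dead_drop": url,
                        "socket": url2,
                        "seconds": delta,
                        "bare_ip": _is_bare_ip(sock_host),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_dead_drop_pattern(SAMPLE_EVENTS):
        print(f"{f['package']}: profile {f['dead_drop']} then socket {f['socket']} "
              f"after {f['seconds']:.0f}s (bare IP: {f['bare_ip']})")
```

A legitimate messaging app will also touch these hosts, so the window and the "unrelated host" condition are what keep the false-positive rate down; the messenger entry in the sample data is not flagged because its WebSocket opens nearly an hour later. Treat a hit as a lead for sample triage, not as proof of infection.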

The latest Medusa variant’s strategic shift minimizes required permissions and evades detection, allowing it to operate undetected for longer periods. 

“The combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusa’s evolving nature,” reads the advisory.

“As the TAs [threat actors] refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defenses to counter these emerging threats.”
