Researchers identified a resurgence of the Medusa (TangleBot) banking trojan, with new campaigns detected in May 2024. The malware's keylogging, screen control, and SMS manipulation capabilities enable on-device fraud.
The new variants are stealthier, requesting fewer permissions, and have gained functionality such as full-screen overlays and remote app uninstallation.
The malware spreads through five botnets operated by various affiliates targeting users in multiple countries, including Turkey, Spain, France, and Italy. Additionally, a shift in distribution strategy towards fake update procedures using droppers has been observed.
First identified in 2020, the Medusa banking Trojan has become a major threat. Initially targeting Turkish institutions, it expanded to North America and Europe by 2022.
Medusa grants attackers remote access (RAT capability) and abuses Android accessibility services to perform on-device fraud (ODF), such as account takeover (ATO) and automatic transfer system (ATS) attacks; it also uses keylogging and dynamic overlay attacks.
The malware communicates with the attacker's infrastructure over a WebSocket connection and retrieves its C2 server URL dynamically from social media profiles, so that the real C2 address is not exposed in the sample.
Recent variants, such as the "4K Sports" app, show how Medusa is evolving: the command structure has changed and the permissions requested at installation have been reduced. This may be the work of new affiliates using the malware-as-a-service (MaaS) model to create less detectable variants for new regions.
Medusa campaigns have been relaunched since July 2023, with new variants targeting Android devices in seven countries. The malware relies on social engineering and dropper apps to gain access to devices and then performs on-device fraud (ODF). The key finding is a shift in Medusa's tactics, marked by the emergence of two distinct botnet clusters.
Cluster 1 primarily targets users in Turkey and relies on traditional phishing, while Cluster 2 focuses on Europe and explores distribution channels beyond phishing. Recent campaigns also exhibit a trend of permission refactoring.
By requesting only a minimal set of permissions tied to its core functionality, the malware becomes stealthier, bypasses security checks, and persists significantly longer on infected devices.
Researchers at Cleafy analyzed a new Medusa variant that reduces its command set so that fewer permissions are requested at installation, making it harder to detect; it also introduces new functionality such as drawing a black screen overlay to hide malicious activity from the user.
The malware is also distributed through droppers, a method used by other banking trojans, and targets new regions in Europe, which suggests that the operators are actively developing Medusa into a stealthier and more geographically diversified threat.