Two powerful trojans with spyware and RAT capabilities are currently being delivered in side-by-side campaigns using a shared infrastructure.
Flubot, the Android malware that has been spreading virally since last year, has hitched its infrastructure wagon to another mobile threat known as Medusa.
That’s according to ThreatFabric, which found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns.

The Flubot malware (aka Cabassous) is delivered to targets via SMS texts that prompt them to install a “missed package delivery” app or a fake version of Flash Player. If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. It then sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information.
The malicious implant also sends out more text messages to the infected device’s contact list, which enables it to “go viral” – like the flu.
Apparently, Medusa likes the cut of Flubot’s jib: “Our threat intelligence shows that Medusa followed with exactly the same application names, package names and similar icons,” ThreatFabric researchers noted in a Monday analysis. “In less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.”
And that’s just for one botnet. ThreatFabric pointed out that Medusa has multiple botnets carrying out multiple campaigns.
Unlike Flubot, which mostly spreads in Europe, Medusa is more of an equal-opportunity threat when it comes to geography. The latest campaigns have targeted users in Canada, Turkey and the United States.
“After targeting Turkish financial organizations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in [a] significant number of infected devices,” ThreatFabric researchers noted. “Powered with multiple remote-access features, Medusa poses a critical threat to financial organizations in targeted regions.”
Medusa Bursts on the Scene
First discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-total control over a user’s device, including capabilities for keylogging, banking-trojan activity, and audio and video streaming. To boot, it has received multiple updates and improved its obfuscation techniques as it rides on Flubot’s infrastructure coattails, researchers said.
For one, it now has an accessibility-scripting engine that enables actors to carry out a set of actions on the victim’s behalf, with the help of the Android Accessibility Service.
“By abusing Accessibility Services, Medusa is able to execute commands on any application that is running on a victim’s device,” researchers observed. “A command like ‘fillfocus’ allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.”
Accessibility-event logging is a companion upgrade to the above. With a specific command, Medusa can collect data about active windows, including the position of fields and specific elements in a user interface, any text inside those elements, and whether the field is a password field.
“Having all the information gathered, the actor is able to get a better understanding of the interface of different applications and thus implement relevant scenarios for the accessibility-scripting feature,” according to ThreatFabric. “Moreover, it allows actor(s) to have deeper insight into the applications the victim uses and their typical usage, while also [being able] to intercept some private data.”
The following snippet demonstrates the code that collects the information of the active window by going through its nodes:
[Image of the code snippet; not reproduced here. Source: ThreatFabric.]
Further, in analyzing Medusa’s back-end panels, researchers found the malware’s operators marking banking applications with a “BANK” tag, to control/log the input fields.
“This means that any banking application in the world is at risk to this attack, even those that do not fall within the current target list,” they warned.
The command-and-control server (C2) can also instruct Medusa to carry out a wide range of RAT tasks, including clicking on a specific UI element, sleeping, screenshotting, locking the screen, providing a list of recent applications and opening recent notifications.
Flubot Evolves Its Abilities
The researchers also observed that the addition of Medusa to the mix hasn’t slowed Flubot’s own development. They explained that it now has a “novel capability never seen before in mobile banking malware.”
To wit: In version 5.4, Medusa picked up the ability to abuse the “Notification Direct Reply” feature of Android OS, which enables the malware to directly reply to push notifications from targeted applications on a victim’s device. The user isn’t informed of the activity, so Flubot can thus intercept them – opening the door to thwarting two-factor authentication and more, researchers said.
“Every minute the malware sends the stats to the C2 about the notifications received,” they explained. “As a response, it could get a template string that will be used to re-create an object of an intercepted notification with updated parameters, thus allowing [Flubot] authors to arbitrarily change notification content…We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on [a] victim’s behalf, thus making notifications [a] non-reliable authentication/authorization factor on an infected device.”
Another possible abuse of this functionality could be to respond to social-application interactions with “notifications” containing malicious phishing links.
“Considering the popularity of these kinds of apps and the strong focus of [Flubot] on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse,” according to ThreatFabric.
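As an added defensive illustration (this is not code from ThreatFabric, Threatpost or either malware family), the script below triages an Android app manifest for the capability combination the article describes: an accessibility service (the hook behind ‘fillfocus’ and accessibility-event logging), a notification listener (the access needed to read and reply to push notifications), and SMS-plus-contacts permissions (the fan-out behind viral SMS spread). The two manifests are constructed samples and the package names are made up; the permission and service-binding names are real Android identifiers. A triage like this only flags a risky combination for a reviewer, it does not prove maliciousness, since legitimate accessibility or messaging apps request some of these too.

```python
"""Static triage of an Android manifest for the capability mix described
in the article: accessibility service + notification listener + SMS fan-out.
Added example; manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes as "{uri}localname".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android identifiers: a service declared with one of these binding
# permissions is an AccessibilityService / NotificationListenerService.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_LISTENER_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_FAN_OUT = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}

# Constructed manifest resembling a fake "parcel tracker" lure app.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.parcel.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Parcel Tracker">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-only app for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def extract_capabilities(manifest_xml: str) -> dict:
    """Collect declared permissions and the binding permissions of services."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    permissions.discard(None)
    service_binds = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    service_binds.discard(None)
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "service_binds": service_binds,
    }


def triage(manifest_xml: str) -> list:
    """Return the risk indicators present, in a fixed order for easy diffing."""
    caps = extract_capabilities(manifest_xml)
    findings = []
    if ACCESSIBILITY_BIND in caps["service_binds"]:
        findings.append("accessibility-service")   # can read/act on any app's UI
    if NOTIF_LISTENER_BIND in caps["service_binds"]:
        findings.append("notification-listener")   # can read and reply to notifications
    if SMS_FAN_OUT <= caps["permissions"]:
        findings.append("sms-fan-out")             # can message the contact list
    return findings


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps = extract_capabilities(manifest)
        print(f"{name} ({caps['package']}): {triage(manifest) or 'no indicators'}")
```

Run against a real APK, the manifest would first have to be decoded from its binary form (for example with apktool or aapt); the triage logic itself is unchanged. The ordered list of findings makes it easy to feed into a rule that escalates when all three indicators appear together, which is the combination that enables the scripting, notification-reply and viral-spread behaviour the article describes.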
Some parts of this article are sourced from:
threatpost.com