The campaign uses socially engineered SMS phishing (called “smishing”) to target victims, joining the wave of financially motivated attacks, as demonstrated by the Roaming Mantis campaign in Europe. ThreatFabric’s report claims that these malware campaigns are evolving to include never-before-seen capabilities and show no indication of stopping anytime soon. ThreatFabric has attributed the Medusa campaign to a Turkish threat actor. As for FluBot, four arrests were made in Barcelona, Spain, in March 2021. However, the FluBot malware gang continues to thrive around the world.
The FluBot and Medusa Botnet Trojans
Cabassous, also known as FluBot, is a notorious smishing malware that has been actively distributed in various campaigns for almost a year now. It uses command-and-control (C2) servers to siphon user data (such as phone contacts) and hijack devices. In addition, ThreatFabric has now tracked a new banking malware known as Medusa that is stretching its tentacles and is “now being distributed through the same SMiShing service as Cabassous.” Medusa is building on FluBot’s already successful trail of global cybercrime. The smishing campaigns have been disguised as Flash Player and DHL, among others, to lure victims. Both FluBot and newcomer Medusa are formidable multi-purpose, multi-stage botnet trojans. Evidence that the two are working in tandem is that Medusa uses “exactly the same app names, package names, and icons” as FluBot. Both variants also boast several sophisticated features, including notification interception, keylogging, RAT functionality, and audio and video hijacking. This dangerous combination essentially allows an attacker full control once an Android banking app has been compromised.
FluBot and Medusa are Evolving
FluBot and Medusa are currently running rampant while simultaneously evolving. After receiving a major update “that introduced DNS-tunneling through public DNS-over-HTTPS services,” FluBot has reached another level in its latest version, 5.4. This update adds “a novel capability never seen before in mobile banking malware.” The capability abuses the “Android Nougat Direct Reply” OS feature, allowing attackers to manipulate notifications on a victim’s device. As for Medusa, its trump card is a “semi-ATS” (Automated Transfer System) capability powered by an “accessibility scripting engine” that leverages the Android Accessibility Service to let attackers take control of apps and perform actions on a victim’s device. As a result, a victim’s device can be both monitored and controlled by an external attacker. Because device notifications can now be tampered with on a victim’s device, a fraudulent notification can also undermine a user’s multi-factor authentication (2FA) process. “The evolution of malware families shows that 2FA techniques might be not sufficient to ensure origin of transaction,” ThreatFabric’s report said. “It requires deeper TI in combination with a solution that is able to detect malicious behavior on customers’ devices.”
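As an added illustration (not code from ThreatFabric or from this article), the Python check below inspects an Android manifest for the capability combination the paragraph describes: a bound Accessibility Service (the ATS engine), a notification listener (notification interception) and SMS permissions (the smishing spread vector). The sample manifest, its package name and service names are constructed for this example and do not come from a real sample.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the report attributes to Medusa and FluBot.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def capability_flags(manifest_xml: str) -> dict:
    """Return which of the three risky capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Services bound to a system permission reveal accessibility/notification hooks.
    bound = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return {
        "accessibility_service": ACCESSIBILITY_PERM in bound,
        "notification_listener": NOTIF_LISTENER_PERM in bound,
        "sms_access": bool(requested & SMS_PERMS),
    }


def triage(manifest_xml: str) -> str:
    """Rate an app: 'high' when it pairs an accessibility service with a
    notification listener, 'medium' for any other pair, else 'low'."""
    flags = capability_flags(manifest_xml)
    if flags["accessibility_service"] and flags["notification_listener"]:
        return "high"
    if sum(flags.values()) >= 2:
        return "medium"
    return "low"


# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(capability_flags(SAMPLE_MANIFEST), triage(SAMPLE_MANIFEST))
```

A manifest rating is only a triage hint: legitimate accessibility and messaging apps declare the same services, so a hit should feed further analysis rather than block on its own.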
Malware Distribution and Targeted Apps
ThreatFabric confirmed that 1,784 devices were successfully infected with Medusa in just 24 days, most recently across the U.S., Canada, and Turkey. 27 U.S. bank apps, 17 Spanish bank apps, and 15 Turkish bank apps were confirmed as targeted by the campaigns. The targets of FluBot and Medusa differ slightly. A few of the more notable targeted bank apps are listed below for each malware campaign; the official lists in ThreatFabric’s report include dozens of entries. Medusa’s targets:
Bank of America Mobile Banking
Wells Fargo Mobile
Amex
BBVA Spain
Halkbank Mobil
HSBC Turkiye
FluBot’s targets:
Bankwest
Coinbase
Bank of Scotland Mobile Banking
Suncorp Bank
Kiwibank Mobile Banking
Emirates NBD
HSBC Australia
For further assistance and the latest threat intelligence on mobile malware, ThreatFabric can be reached here.