
Medusa Returns: New Malware Variant Threatens Android Users Worldwide

Discover the resurgence of Medusa malware, now targeting Android users globally with new variants.

25-Jun-2024
4 min read

In May 2024, a brand new fraud campaign involving the Medusa (TangleBot) banking trojan was identified. Medusa, infamous for its Remote Access Trojan (RAT) capabilities, had been relatively inactive over the past year.

However, recent developments indicate a critical evolution in its functionality and distribution methods, necessitating a detailed analysis of its current threat landscape and implications.

Resurrection of Medusa: Reborn Variants and Fresh Capabilities

Lightweight Permission Set and New Features

Recent Medusa samples exhibit a streamlined permission set, contrasting sharply with earlier versions.

This evolution includes features such as the ability to display full-screen overlays and remotely uninstall applications.

The lightweight permission set minimizes detectability, making the malware less conspicuous during initial analysis and enhancing its evasion capabilities against automated security systems.

Command Structure Revised

The new variant introduces five new commands while removing seventeen from the previous version. Key new commands include:

  • destroyo: Uninstall specific applications.
  • permdrawover: Request permission for drawing over other apps.
  • setoverlay: Set a black screen overlay, potentially for obfuscating malicious activities.
  • take_scr: Capture screenshots.
  • update_sec: Update user security settings.

These changes indicate a deliberate effort to streamline operations, focusing on impactful features while reducing the malware's footprint to evade detection.

[Figure: permissions.png, Distinguished Request Permission. Source: Cleafy]

Distribution Strategies and Botnet Analysis

Botnets and Geographical Targeting

Cleafy's investigations identified five distinct botnets, each with unique characteristics in terms of geographical targeting and decoy usage:

  • Cluster 1: Targets Turkey, with extensions to Canada and the United States, utilizing traditional phishing methods.

  • Cluster 2: Focuses on European users, particularly Italy and France, and employs novel distribution methods like droppers.

The strategic use of droppers to distribute malware via fake update procedures marks a significant shift in Medusa’s operational strategy, enhancing its distribution reach and infection rates.

[Figure: campaings.png, Overview of Botnets & Clusters. Source: Cleafy]

On-Device Fraud (ODF) Capabilities

Medusa's RAT capabilities enable Threat Actors (TAs) to perform On-Device Fraud (ODF), a highly risky fraud scenario because the transactions originate from the victim's own device. By combining VNC-based real-time screen sharing with Android accessibility services, Medusa can automate banking fraud processes such as Account Takeover (ATO) and Automatic Transfer System (ATS) attacks. These functionalities underscore the malware's potential for significant financial damage.

Technical Dissection and Historical Context

Initial Discovery and Evolution

First identified in 2020, Medusa initially targeted Turkish financial institutions before expanding globally. Its RAT capabilities have evolved significantly, allowing for continuous keylogging and dynamic overlay attacks. The malware coordinates with its command and control (C2) servers over WebSocket Secure (WSS) connections, with the C2 addresses dynamically fetched from social media profiles, which enhances its obfuscation and resilience against takedown attempts.

Refactoring Permissions

The reduction in requested permissions observed in recent campaigns is a critical development. Early campaigns required extensive permissions, including camera, microphone, and GPS access. Recent variants, however, focus on core functionalities, requiring only:

  • Accessibility services
  • Broadcast SMS
  • Internet access
  • Foreground services
  • Query and delete packages

This minimalistic approach reduces the malware's detectability and enhances its stealth and persistence.
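Because the reduced permission set is itself a distinguishing trait, a defender can triage decoded manifests (for example, apktool output) for this profile. The following is an added example, not code from this post or from Cleafy; the mapping of the five categories above to concrete Android permission strings is an assumption, and the manifest is a constructed sample.

```python
# Added example: flag a decoded AndroidManifest.xml whose requested permissions
# match the minimal Medusa-style profile described above.
# The permission-name mapping below is an assumption, not taken from the post.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the post's categories to Android permission strings.
PROFILE = {
    "broadcast_sms": {"android.permission.BROADCAST_SMS"},
    "internet": {"android.permission.INTERNET"},
    "foreground_service": {"android.permission.FOREGROUND_SERVICE"},
    "query_packages": {"android.permission.QUERY_ALL_PACKAGES"},
    "delete_packages": {"android.permission.REQUEST_DELETE_PACKAGES",
                        "android.permission.DELETE_PACKAGES"},
}

def manifest_profile(manifest_xml: str) -> dict:
    """Return which profile categories a manifest satisfies."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility is declared on a <service> via android:permission,
    # not through <uses-permission>, so check services separately.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    hits = {key: bool(requested & names) for key, names in PROFILE.items()}
    hits["accessibility"] = accessibility
    # Draw-over-apps (the permdrawover command) is requested at runtime but still declared here.
    hits["draw_over_apps"] = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    return hits

def medusa_like(hits: dict) -> bool:
    """True when the core combination (accessibility + package control + network) is present."""
    core = ("accessibility", "query_packages", "delete_packages", "foreground_service", "internet")
    return all(hits[k] for k in core)

# Constructed sample manifest for illustration only.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BROADCAST_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = manifest_profile(SAMPLE)
    print(result, medusa_like(result))
```

A match is a triage signal for manual review, not a verdict: legitimate device-management apps can request a similar set.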

Recent Campaigns and Indicators of Compromise (IoC)

Campaign Analysis

Recent Medusa campaigns have targeted a broad range of countries, including France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey. The malware's backend infrastructure supports multiple botnets, each differentiated by specific tags and operational goals. This adaptability allows Medusa to efficiently target diverse geographical regions and optimize its operational strategies.

Social Engineering and Distribution Methods

Medusa's distribution relies heavily on social engineering tactics, such as smishing and side-loading through droppers. The use of fake update procedures to distribute malware is particularly concerning, as it exploits users' trust in legitimate update notifications.

Conclusion

The resurgence of Medusa (TangleBot) highlights a significant evolution in its capabilities and distribution strategies. The lightweight permission set and streamlined command structure enhance its evasion capabilities, while the strategic use of droppers marks a notable shift in its distribution methods. As Medusa continues to adapt and evolve, cybersecurity professionals must remain vigilant and proactive in developing countermeasures to mitigate this sophisticated threat.