New fraud campaigns have been discovered involving the Medusa (TangleBot) banking Trojan, which had evaded detection for nearly a year.
An analysis published by Cleafy researchers last week revealed that this sophisticated malware family, first identified in 2020, has resurfaced with significant changes.
This malware, known for its remote access Trojan (RAT) capabilities, includes keylogging, screen control and SMS reading/writing, enabling threat actors to execute on-device fraud (ODF), a highly dangerous form of banking fraud.
Recent findings show discrepancies between new Medusa samples and older variants, with later versions utilizing a more lightweight permission set and new features like full-screen overlay displays and remote uninstallation of applications.
Medusa initially targeted Turkish financial institutions but expanded to North America and Europe by 2022. Its RAT capabilities allow threat actors complete control of compromised devices using VNC for real-time screen sharing and accessibility services. This facilitates dangerous attacks like account takeover (ATO) and automatic transfer system (ATS) fraud.
Cleafy has now identified five different botnets operated by affiliates, each targeting different geographical areas and using unique decoys. Targets now include not only Turkey and Spain but also France and Italy. A notable shift in distribution strategy was also observed, with threat actors using “droppers” to distribute malware via fake update procedures.
Read more on banking malware: Mobile Banking Malware Surges 32%
The malware coordinates its functionalities through a web secure socket connection to the attackers’ infrastructure, dynamically fetching the command-and-control (C2) server URL from social media profiles like Telegram and X (formerly Twitter). This dynamic retrieval increases resilience against takedown attempts.
The latest Medusa variant’s strategic shift minimizes required permissions and evades detection, allowing it to operate undetected for longer periods.
“The combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusa’s evolving nature,” reads the advisory.
“As the TAs [threat actors] refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defenses to counter these emerging threats.”