Medusa banking Trojan spreads through Flubot’s attacks network
Two different Android banking Trojans, namely FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign.
According to new research published by Dutch mobile security firm ThreatFabric, the ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of “app names, package names, and similar icons”.
Medusa which was first found targeting Turkish financial organizations in July 2020, has undergone several iterations, which includes the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker.
The researchers stated that Medusa exhibits other dangerous features like keylogging, accessibility event logging, and audio and video streaming, all of which enables threat actors to have full access to a victim’s device.
The malware-ridden apps used in conjunction with FluBot masquerade as DHL and Flash Player apps to infect the devices. In addition, recent attacks involving Medusa have expanded their focus beyond Turkey to include Canada and the U.S., with the operators maintaining multiple botnets for each of its campaigns.
FluBot (aka Cabassous), has got its own upgrade which is the ability to intercept and potentially manipulate notifications from targeted applications on a victim’s Android device by leveraging the direct reply action, alongside auto-replying to messages from apps like WhatsApp to spread phishing links in a worm-like fashion.
So the malware is able to provide [command-and-control server] supplied responses to notifications of targeted applications on the victim’s device and the functionality can be used by actors to sign fraudulent transactions on victim’s behalf.
The post Medusa banking Trojan spreads through Flubot’s attacks network first appeared on Cybersafe News.
