According to new ThreatFabric research, two different Android banking Trojans, FluBot and Medusa, are using the same delivery method as part of a simultaneous attack campaign.
Cabassous’ (aka Flubot) distribution campaigns, which have been “SMiShing” different regions all over the world for nearly a year, have attracted the interest of another threat actor. Similar to Anatsa’s campaigns discovered by ThreatFabric in May 2020, Medusa, a powerful mobile banking Trojan, is now being distributed through the same SMiShing service as Cabassous.
The ongoing side-by-side infections overlap in their use of “app names, package names, and similar icons” and are facilitated by the same smishing (SMS phishing) infrastructure, according to the Dutch mobile security firm.
Medusa, which was discovered targeting Turkish financial institutions in July 2020, has gone through several iterations, the most notable of which is the ability to abuse Android accessibility permissions to syphon funds from banking apps to an account controlled by the attacker.
“Other dangerous features of Medusa include keylogging, accessibility event logging, and audio and video streaming; all of these capabilities give actors nearly complete access to [a] user’s computer.”
To infect devices, the malware-ridden apps used in conjunction with FluBot pose as DHL and Flash Player programmes. Furthermore, recent Medusa attacks have expanded their scope beyond Turkey to include Canada and the United States, with the controllers employing numerous Trojans for each campaign.
“This malware can deliver [command-and-control server]-provided solutions to alerts of targeted programmes on the user’s device,” the researchers said, adding that the functionality “can be leveraged by actors to sign fraudulent transactions on the victim’s behalf.”
This isn’t the first time that Android malware has been discovered spreading using WhatsApp auto-replies. Last year, ESET and Check Point Research discovered rogue apps appearing as Huawei Mobile and Netflix that used the same wormable attack method.
Finally, the researchers concluded: “A growing number of players are copying Cabassous’ distribution strategies, adopting masquerade techniques, and using the same distribution service. At the same time, Cabassous continues to develop, adding new features and taking another step toward becoming a full-fledged application.”
Indicators of Compromise
Medusa Samples

| App name | Package name | SHA-256 |
| --- | --- | --- |
| Video Player | com.xwlbouply.dbhxzcsgw | fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc |
| DHL | com.iqiyi.i18n | d83a06d5a41dd56b6cd3e9c3afef850ab07f176ae8f005759edb242daf7b9f38 |
| Voicemail | com.qq.reader | e2db34355df77e3c95e291a1374e4ba6a75d0da471ab9f929b9ef3424f824421 |
| Flash Player | com.thestore.main | 75f1bebe19feba3914a7bbf95a8ce742cb709658c2105cf2ebe8cf7ef0c43f23 |
| Amazon Locker | com.autonavi.minimap | b259fa47fc27728675a2629b98fbe4bb73c0b2216797a154f58c85f7578b3f4d |
Medusa C2

| C2 |
| --- |
| essesessssssss.top |
| sock.essesessssssss.top:20027 |
| nmnmnmfsamsfan.xyz |
| sock.nmnmnmfsamsfan.xyz:20027 |
| unknknknnkknkknnk.xyz |
| sock.unknknknnkknkknnk.xyz:20027 |
| pembesir.xyz |
| sock.pembesir.xyz:20027 |
| asfsafsakjfkjsa.xyz |
| sock.asfsafsakjfkjsa.xyz:20027 |
Cabassous (FluBot) Samples

| App name | Package name | SHA-256 |
| --- | --- | --- |
| DHL | com.tencent.mobileqq | df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f |
| Flash Player | com.tencent.mobileqq | 2213a4d0a8d3752ce6edde18c2562478dc73c2c618842ca7b158282a0e525972 |
| Amazon Locker | com.autonavi.minimap | b2dafc4faea81f4addf1ac3a295627e9f7e1d36efa2a8b82a813d853cfcf87c4 |
| Voicemail | com.qiyi.video | a685fbeedd05341f0da64b774142c48ba68193a2a68fa42b3341038c26057e7c |
Cabassous C2

| Domain |
| --- |
| fpuacswjcgpcxoe[.]ru |
| ueihtnoujbedjiu[.]ru |
| umxkexskgtctvws[.]cn |
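The indicators above are only useful once they are matched against something. The following script is an added example (not ThreatFabric's code and not part of the original report) that loads the hashes, package names and C2 hosts from the tables, refangs the `[.]` notation, and checks them against a constructed DNS log and a constructed app inventory. It also lists the package names that both families reuse, which is the overlap the researchers describe. The log format, the inventory fields and the sample records are assumptions made for the example; the indicator values themselves are the page's own. Note the confidence split: a SHA-256 match is strong evidence, whereas a package-name-only match is weak, because several of these package names are borrowed from well-known legitimate apps that the Trojans imitate.

```python
"""Match the Medusa / Cabassous (FluBot) indicators from the tables above
against constructed sample data. Added example, not ThreatFabric code."""
import re

# SHA-256 -> (app name, package name), transcribed from the tables above.
MEDUSA_SAMPLES = {
    "fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc": ("Video Player", "com.xwlbouply.dbhxzcsgw"),
    "d83a06d5a41dd56b6cd3e9c3afef850ab07f176ae8f005759edb242daf7b9f38": ("DHL", "com.iqiyi.i18n"),
    "e2db34355df77e3c95e291a1374e4ba6a75d0da471ab9f929b9ef3424f824421": ("Voicemail", "com.qq.reader"),
    "75f1bebe19feba3914a7bbf95a8ce742cb709658c2105cf2ebe8cf7ef0c43f23": ("Flash Player", "com.thestore.main"),
    "b259fa47fc27728675a2629b98fbe4bb73c0b2216797a154f58c85f7578b3f4d": ("Amazon Locker", "com.autonavi.minimap"),
}
FLUBOT_SAMPLES = {
    "df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f": ("DHL", "com.tencent.mobileqq"),
    "2213a4d0a8d3752ce6edde18c2562478dc73c2c618842ca7b158282a0e525972": ("Flash Player", "com.tencent.mobileqq"),
    "b2dafc4faea81f4addf1ac3a295627e9f7e1d36efa2a8b82a813d853cfcf87c4": ("Amazon Locker", "com.autonavi.minimap"),
    "a685fbeedd05341f0da64b774142c48ba68193a2a68fa42b3341038c26057e7c": ("Voicemail", "com.qiyi.video"),
}
MEDUSA_C2 = [
    "essesessssssss.top", "sock.essesessssssss.top:20027",
    "nmnmnmfsamsfan.xyz", "sock.nmnmnmfsamsfan.xyz:20027",
    "unknknknnkknkknnk.xyz", "sock.unknknknnkknkknnk.xyz:20027",
    "pembesir.xyz", "sock.pembesir.xyz:20027",
    "asfsafsakjfkjsa.xyz", "sock.asfsafsakjfkjsa.xyz:20027",
]
FLUBOT_C2 = ["fpuacswjcgpcxoe[.]ru", "ueihtnoujbedjiu[.]ru", "umxkexskgtctvws[.]cn"]

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator):
    """Turn a defanged host ('a[.]b', 'a(.)b') into a plain lowercase hostname, dropping any :port."""
    host = DEFANG_RE.sub(".", indicator.strip().lower())
    host = re.sub(r"^hxxps?://", "", host)
    return re.sub(r":\d+$", "", host)


def build_indicators():
    """Return (hashes, packages, hosts): hash -> family, package -> set of families, host -> family."""
    hashes, packages, hosts = {}, {}, {}
    for family, samples in (("Medusa", MEDUSA_SAMPLES), ("Cabassous", FLUBOT_SAMPLES)):
        for sha, (_name, pkg) in samples.items():
            hashes[sha.lower()] = family
            packages.setdefault(pkg, set()).add(family)
    for family, c2 in (("Medusa", MEDUSA_C2), ("Cabassous", FLUBOT_C2)):
        for entry in c2:
            hosts[refang(entry)] = family
    return hashes, packages, hosts


def shared_package_names():
    """Package names that appear in both families' sample tables."""
    _, packages, _ = build_indicators()
    return sorted(p for p, fams in packages.items() if len(fams) > 1)


def match_host(qname, hosts):
    """Exact match, or the queried name sits under a known C2 domain (walk up the labels)."""
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate, hosts[candidate]
    return None


def scan_dns_log(lines, hosts=None):
    """One hit per log line whose queried name is, or sits under, a known C2 host.
    Assumed line format: '<timestamp> <client-ip> query <qname>'."""
    if hosts is None:
        hosts = build_indicators()[2]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "query":
            continue  # malformed or non-query line: skip instead of crashing
        ts, client, _, qname = fields
        found = match_host(qname, hosts)
        if found:
            hits.append({"time": ts, "client": client, "qname": qname,
                         "matched": found[0], "family": found[1]})
    return hits


def scan_app_inventory(apps, hashes=None, packages=None):
    """SHA-256 match -> high confidence; package-name-only match -> low confidence,
    since several listed package names belong to legitimate apps the Trojans imitate."""
    if hashes is None or packages is None:
        hashes, packages, _ = build_indicators()
    hits = []
    for app in apps:
        sha, pkg = app.get("sha256", "").lower(), app.get("package", "")
        if sha in hashes:
            hits.append({"package": pkg, "families": [hashes[sha]], "confidence": "high"})
        elif pkg in packages:
            hits.append({"package": pkg, "families": sorted(packages[pkg]), "confidence": "low"})
    return hits


# Constructed sample data (not real telemetry).
DNS_LOG = [
    "2022-02-01T09:12:03Z 10.0.0.21 query www.example.com",
    "2022-02-01T09:12:09Z 10.0.0.21 query sock.pembesir.xyz",
    "2022-02-01T09:13:41Z 10.0.0.37 query cdn.umxkexskgtctvws.cn",
    "2022-02-01T09:14:00Z 10.0.0.37 query updates.example.org",
    "garbage line that does not parse",
]
INVENTORY = [
    {"package": "com.android.chrome", "sha256": "0" * 64},
    {"package": "com.tencent.mobileqq", "sha256": "df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f"},
    {"package": "com.autonavi.minimap", "sha256": "1" * 64},
]

if __name__ == "__main__":
    print("package names shared by both families:", shared_package_names())
    for hit in scan_dns_log(DNS_LOG):
        print("DNS hit:", hit)
    for hit in scan_app_inventory(INVENTORY):
        print("inventory hit:", hit)
```

The DNS matcher walks up the label hierarchy so that a query for a subdomain of a listed C2 domain still fires, while the `sock.` hosts from the Medusa table are kept as separate entries with their port stripped. In practice the package-name check is best used to prioritise devices for a hash or signer check rather than as an alert on its own.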