The Android Banking Trojan Medusa Is Spreading Through Flubot’s Attack Network.

According to new ThreatFabric research, two different Android banking Trojans, FluBot and Medusa, are using the same delivery method as part of a simultaneous attack campaign.

Cabassous’ (aka Flubot) distribution campaigns, which have been “SMiShing” different regions all over the world for nearly a year, have attracted the interest of another threat actor. Similar to Anatsa’s campaigns discovered by ThreatFabric in May 2020, Medusa, a powerful mobile banking Trojan, is now being distributed through the same SMiShing service as Cabassous.

The ongoing side-by-side infections overlap in their use of “app names, package names, and similar icons” and are facilitated by the same smishing (SMS phishing) infrastructure, according to the Dutch mobile security firm.

Medusa, which was discovered targeting Turkish financial institutions in July 2020, has gone through several iterations, the most notable of which is the ability to abuse Android accessibility permissions to syphon funds from banking apps to an account controlled by the attacker.

“Other dangerous features of Medusa include keylogging, accessibility event logging, and audio and video streaming; all of these capabilities give actors nearly complete access to [a] user’s computer.”

To infect devices, the malware-ridden apps used in conjunction with FluBot pose as DHL and Flash Player programmes. Furthermore, recent Medusa attacks have expanded their scope beyond Turkey to include Canada and the United States, with the controllers employing numerous Trojans for each campaign.

The researchers noted that “this malware can deliver [command-and-control server] provided solutions to alerts of targeted programmes on the user’s device,” adding that the functionality “can be leveraged by actors to sign fraudulent transactions on the victim’s behalf.”

This isn’t the first time that Android malware has been discovered spreading using WhatsApp auto-replies. Last year, ESET and Check Point Research discovered rogue apps appearing as Huawei Mobile and Netflix that used the same wormable attack method.

Finally, the researchers concluded: “A growing number of players are copying Cabassous’ distribution strategies, adopting masquerade techniques, and using the same distribution service. At the same time, Cabassous continues to develop, adding new features and taking another step toward becoming a full-fledged application.”

Indicators of Compromise


For more cyber security news in crisp content, please follow our site via Twitter handle @cyberworkx1 and LinkedIn handle @linkedin.
