According to new ThreatFabric research, two different Android banking Trojans, FluBot and Medusa, are using the same delivery method as part of a simultaneous attack campaign.

Cabassous’ (aka Flubot) distribution campaigns, which have been “SMiShing” different regions all over the world for nearly a year, have attracted the interest of another threat actor. Similar to Anatsa’s campaigns discovered by ThreatFabric in May 2020, Medusa, a powerful mobile banking Trojan, is now being distributed through the same SMiShing service as Cabassous.

The overlapping use of “app names, package names, and similar icons” in the ongoing side-by-side infections, facilitated by the same smishing (SMS phishing) infrastructure, according to the Dutch mobile security firm.

Medusa, which was discovered targeting Turkish financial institutions in July 2020, has gone through several iterations, the most notable of which is the ability to abuse Android accessibility permissions to syphon funds from banking apps to an account controlled by the attacker.

“Other dangerous features of Medusa include keylogging, accessibility event logging, and audio and video streaming , all of these capabilities give actors nearly complete access to [a] user’s computer.”

To infect devices, the malware-ridden apps used in conjunction with FluBot pose as DHL and Flash Player programmes. Furthermore, recent Medusa attacks have expanded their scope beyond Turkey to include Canada and the United States, with the controllers employing numerous trojan for each campaign.

Indicator Of Compromise

Medusa Samples

App namePackage nameSHA-256
Video Playercom.xwlbouply.dbhxzcsgwfe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc
DHLcom.iqiyi.i18nd83a06d5a41dd56b6cd3e9c3afef850ab07f176ae8f005759edb242daf7b9f38
Voicemailcom.qq.readere2db34355df77e3c95e291a1374e4ba6a75d0da471ab9f929b9ef3424f824421
Flash Playercom.thestore.main75f1bebe19feba3914a7bbf95a8ce742cb709658c2105cf2ebe8cf7ef0c43f23
Amazon Lockercom.autonavi.minimapb259fa47fc27728675a2629b98fbe4bb73c0b2216797a154f58c85f7578b3f4d

Medusa C2

C2
essesessssssss.top
sock.essesessssssss.top:20027
nmnmnmfsamsfan.xyz
sock.nmnmnmfsamsfan.xyz:20027
unknknknnkknkknnk.xyz
sock.unknknknnkknkknnk.xyz:20027
pembesir.xyz
sock.pembesir.xyz:20027
asfsafsakjfkjsa.xyz
sock.asfsafsakjfkjsa.xyz:20027

Cabassous (Flubot) Samples

App namePackage nameSHA-256
DHLcom.tencent.mobileqqdf98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f
Flash Playercom.tencent.mobileqq2213a4d0a8d3752ce6edde18c2562478dc73c2c618842ca7b158282a0e525972
Amazon Lockercom.autonavi.minimapb2dafc4faea81f4addf1ac3a295627e9f7e1d36efa2a8b82a813d853cfcf87c4
Voicemailcom.qiyi.videoa685fbeedd05341f0da64b774142c48ba68193a2a68fa42b3341038c26057e7c

Cabassous C2

Domain
fpuacswjcgpcxoe[.]ru
ueihtnoujbedjiu[.]ru
umxkexskgtctvws[.]cn

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s