Medusa malware has been observed targeting multiple geographic regions. Its goal? Financial fraud and the theft of online credentials.
More Details on Medusa Malware
A new report from the ThreatFabric researchers came out revealing insights into the latest methods employed by this banking Trojan.
Medusa malware, also known as TangleBot, has been leveraged in campaigns across North America and Europe using distribution services similar to those of the FluBot malware. Researchers confirmed that Medusa currently relies on the same service as FluBot to build its SMS phishing (smishing) campaigns, and they believe this method was adopted after the operators saw the success of the FluBot campaigns.
Medusa has multiple botnets. The samples seen in side-by-side campaigns with Cabassous are identified by the actors themselves with the tags FLUVOICE, FLUFLASH and FLUDHL (possibly as a reference to the corresponding Cabassous/FluBot campaigns). All these botnets use two separate C2 backends to manage bots. The first is the fronting C2, to which the bots connect, while the second is the actual bot operator panel, used by the operators to manage their different botnets.
One of the methods leveraged by this malware consists of abusing the Android ‘Accessibility’ scripting engine, a fact that lets the attackers impersonate users in