New Medusa Malware Variants Target Android Users in Seven Countries

Summary:
In May 2024, researchers at Cleafy uncovered new campaigns distributing the Medusa banking trojan, which had kept a low profile for the past year. Notably, these campaigns use new Medusa samples that are more lightweight and request fewer permissions than previous variants of the trojan. In total, the malware's authors removed 17 commands from the previous version of Medusa and added five new ones, which provide the ability to display full-screen overlays, remotely uninstall applications, take screenshots, and more.

The latest Medusa variant is being distributed by five different botnets operated by several affiliates. These botnets, UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY, differ in the decoys they use, their distribution strategy, and their geographic targets. While previously known targets such as the United States, Turkey, and Spain continue to be hit, the operators have expanded their targeting to include countries such as France and Italy.

Security Officer Comments:
The shift to more lightweight samples that request fewer permissions is a tactic the malware authors use to evade detection and stay under the radar for longer. The new features complement each other: a black-screen overlay hides the operator's on-device activity from the victim, who sees only a blank display, while screenshots give the actors a stealthy way to capture whatever is on the screen and exfiltrate it from the targeted device.

While phishing remains one of the main distribution vectors for Medusa, researchers have also observed dropper applications being used to infect potential victims with the newer variants. Several dropper apps have been seen, including a fake Chrome browser, a 5G connectivity app, and fake streaming apps such as 4K Sports and Inat TV. Researchers note that these droppers have not yet been observed on Google Play. However, that does not rule out the actors using that channel as a distribution vector in the future.
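The droppers described above are sideloaded APKs that must still declare, in their manifest, the Android permissions and service entries that overlay lures, self-installation of a payload, remote uninstall and screen capture depend on. The following triage script is an added example (not code from Cleafy, BleepingComputer or the Medusa operators): it reads a decoded AndroidManifest.xml (as produced by `apktool d app.apk`, an assumption about the analyst's toolchain) and flags that capability set plus a label-vs-package impersonation check. The two manifests at the bottom are constructed for illustration and do not reproduce any real sample; the permission-to-capability mapping is generic Android knowledge, not a description of Medusa's own manifest.

```python
"""Manifest triage for sideloaded Android apps (added example, not the page's code).

Flags the permissions and service declarations that overlay-based banking
trojans and their droppers typically need. Sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

# ElementTree stores namespaced attributes in Clark notation: {uri}name.
A = "{http://schemas.android.com/apk/res/android}"

# Generic Android facts: which declared permission enables which capability.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw windows over other apps (overlay / black-screen lures)",
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can prompt the user to install an APK it carries (dropper behaviour)",
    "android.permission.REQUEST_DELETE_PACKAGES":
        "can prompt the user to uninstall other packages (remote uninstall)",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION":
        "Android 14 prerequisite for MediaProjection screen capture (screenshots)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Label-vs-package impersonation table; only Chrome's genuine package id is
# listed (assumption: extend it for other impersonated brands).
BRAND_PACKAGES = {"chrome": "com.android.chrome"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return package id, accessibility-service flag, findings and a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []

    requested = {e.get(A + "name") for e in root.findall("uses-permission")}
    for perm, why in PERMISSION_INDICATORS.items():
        if perm in requested:
            findings.append((perm, why))

    has_a11y = False
    app = root.find("application")
    if app is not None:
        # An accessibility service, once the victim enables it, lets the app read
        # screen content, drive the UI and (API 30+) take screenshots.
        for svc in app.findall("service"):
            if svc.get(A + "permission") != ACCESSIBILITY_BIND:
                continue
            actions = {act.get(A + "name")
                       for flt in svc.findall("intent-filter")
                       for act in flt.findall("action")}
            if ACCESSIBILITY_ACTION in actions:
                has_a11y = True
                findings.append((svc.get(A + "name"), "declares an accessibility service"))
        label = (app.get(A + "label") or "").lower()
        if not label.startswith("@"):  # literal label; "@string/..." needs resources.arsc
            for brand, genuine in BRAND_PACKAGES.items():
                if brand in label and package != genuine:
                    findings.append((package, f"label '{label}' impersonates {brand} ({genuine})"))

    # Crude verdict: accessibility service plus overlay or self-install rights.
    hit = {name for name, _ in findings}
    suspicious = has_a11y and (
        "android.permission.SYSTEM_ALERT_WINDOW" in hit
        or "android.permission.REQUEST_INSTALL_PACKAGES" in hit)
    return {"package": package, "accessibility_service": has_a11y,
            "findings": findings, "suspicious": suspicious}


# Constructed sample: a "Chrome" lookalike with dropper + overlay + accessibility.
FAKE_BROWSER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application android:label="Chrome">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app requesting only INTERNET.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (FAKE_BROWSER_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "suspicious" if r["suspicious"] else "no indicators")
        for name, why in r["findings"]:
            print("  -", name, ":", why)
```

Running the script prints five findings for the fake browser (three permission hits, the accessibility service, and the label mismatch) and none for the benign manifest. The verdict is deliberately a heuristic: many legitimate apps request SYSTEM_ALERT_WINDOW, and droppers can defer permission requests to the payload they install, so a manifest that looks clean still needs dynamic analysis before it is trusted.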

Suggested Corrections:
Users should be cautious of incoming emails and SMS messages containing attachments or links, as these can lead to malware infections. Given that the Medusa banking trojan is now also distributed through dropper applications, users should only install apps from reputable and verified sources. A sideloaded app that asks to be enabled as an accessibility service or to draw over other apps should be treated as a red flag, since those are the Android mechanisms that the overlay and remote-control features described above rely on. Furthermore, having an antivirus solution installed and performing regular scans can help identify and remove such threats.

Link(s):
https://www.bleepingcomputer.com/ne...ants-target-android-users-in-seven-countries/
https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered