Severity
High
Analysis Summary
The Medusa banking trojan, also known as TangleBot, has resurfaced in various campaigns targeting countries including France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey after almost a year of low activity.
Tracked since May 2023, this new wave of attacks utilizes more compact variants of the malware that require fewer permissions and include new features designed to initiate transactions directly from compromised devices. Medusa, a malware-as-a-service (MaaS) operation discovered in 2020, provides keylogging, screen controls, and SMS manipulation capabilities, distinguishing itself from the similarly named ransomware gang and Mirai-based botnet used for DDoS attacks.
Researchers said that recent Medusa variants, first detected in July 2023, are lighter and need fewer permissions while retaining key functionalities such as full-screen overlaying and screenshot capturing. Experts identified 24 campaigns employing these variants, attributed to five botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY), which deliver malicious apps through SMS phishing (‘smishing’). Notable dropper apps include a fake Chrome browser, a 5G connectivity app, and a fake streaming app called 4K Sports, which seems strategically chosen to exploit the ongoing UEFA EURO 2024 championship.
Medusa’s central infrastructure dynamically fetches command and control (C2) server URLs from public social media profiles, ensuring its adaptability and persistence. The malware's authors have streamlined its permissions, maintaining critical capabilities such as accessing contact lists and sending SMS, which are crucial for its distribution. They have also added new commands to the malware while removing old ones. Noteworthy new commands include ‘setoverlay’, which sets a black screen overlay to deceive users and mask malicious activities, and ‘take_scr’, which captures screenshots, allowing attackers to steal sensitive information.
Medusa’s resurgence with enhanced stealth features and an expanded targeting scope indicates a potentially larger and more sophisticated threat. Although researchers have not yet observed these dropper apps on Google Play, the increasing number of cybercriminals adopting the MaaS model suggests that distribution strategies will continue to evolve, posing a growing risk to users. The streamlined permissions and new capabilities reflect a concerted effort by the malware's authors to make it more effective and harder to detect, potentially leading to a significant increase in the number of victims.
Impact
- Sensitive Data Theft
- Keylogging
- Financial Loss
- Command Execution
Indicators of Compromise
MD5
- b9ee66c96b110622f4608581e77b0e4d
- db097d837681d059a63725bc4ad93515
- 8468c1cda925021ed911fd9c17915eec
- b6bbf8ed1cf8ec67b25bbcf26de483b4
- 1ed0d97491afd5c2d27f74f18e254cc3
- 469dfea6446a8bb5fada116bd28483d7
- 3b7df8e68eca9a4bcc559d79a2c5a4c7
- 6b05a1e9faf5b77bad1826bacf322b24
- 8d232fd0bfc9e1e4e77b8d719f24b48f
- cb1280f6e63e4908d52b5bee6f65ec63
- a5aeb6ccc48fea88cf6c6bcc69940f8a
- 4bace6e0b61f5169bb0ca7f48c38aea2
- 02c7e63ffa0c5488dd080b64bc297852
SHA-256
- d332880175d47393d322c67eb8539c06441f11309ef19c76b59041f11a95e80c
- c22230c33b8217036d4e4262d02f85c1e16b140f288d0417b223961e28fb2d19
- 72596502ba99e05694c35ebc748711080d06769baf97cdc256280bb0882b1d76
- 96bbbf6b46cd3c0b1ebd2b048e99c8d593aa78fdaafc0d8c6cfe30cbaaccd029
- f530dcfbde39ac82d5d1af933caaf17c4b06ec2e3b2c672bf04fb1d9456ebce1
- c0855b309d0032c4551ec622713624247412befc1b9f60af2317757004fc737f
- 8b868f57e972f57d444ad9feca3936a4266032d7df1eb4e950dfcbb3e296a58a
- e7cdbdedcfc13aa752bfc6ec3f531de332e80dcbeb525bbd5beca028b133631d
- d42dba76fb069cd4fca3ce93f765b4c14c31d1b8945d5823238ee40f6acb9822
- 4e37b5f6848f1f02207a05979a3a792ebda141acd69b494e91910f915e35158b
- 6da981a4ae1ae164d76df4805d37227a0a91c1fcb12f3efc70a5186c9302d379
- d79b4099ce148263221021233183b7c0405380a6f3526d65de043ba574387779
- 031755a2a743c89801898802726f42e3ec1803f54100223dd6d12a0fe6dadab1
SHA-1
- 93b19c166cafca8ea6fbc1beed9ce945765d5674
- 202c53dc0545b2a9353162b1c8604ae3c2acdd10
- 1fa01cd95d735abce0ddf97a72512a72308be992
- 522af66fab349d054842ef2691ea66f4983b9d76
- 7ad1d204d2590b49a2c709382cce991f2721f0d7
- 6c0079493a3aa2ad5bcfbf4284a3ab741cca9a0f
- 7b2b23c3d1bff7682c065b6b5c7a99986eddb4c4
- b5d4dad617e8add373c94bcafe02703c640a9a18
- f2d47b5fa3c3e9c7777ca7ec1c9c46ca43042779
- 9ff38fe9c19687d9044af2eed197b3d81becb625
- 89046457593dbcdbab53abbef882bf8dbcbbfb22
- 4240848b7b5c92eccceed3532b2a07adf04711dd
- c965a5cfe60a41777908289e5b21345eabdb9f49
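One way to act on the hash indicators above is to hash every file in a quarantine or sample directory once (MD5, SHA-1 and SHA-256 in a single streamed pass) and compare the results against the three lists. The script below is an added example written for this advisory, not tooling from the original report: the hash sets are copied from the IOC lists on this page, while the scan directory, file names and the sample bytes used in `demo()` are constructed for illustration.

```python
"""Sweep a directory of files against the Medusa hash indicators listed above.

Added example for this advisory, not tooling from the original report: the
three hash sets are copied from the IOC lists on the page; the scan directory,
the file names and the sample bytes in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

# Indicators from the advisory, normalized to lower-case hex.
MEDUSA_MD5 = set("""
b9ee66c96b110622f4608581e77b0e4d db097d837681d059a63725bc4ad93515
8468c1cda925021ed911fd9c17915eec b6bbf8ed1cf8ec67b25bbcf26de483b4
1ed0d97491afd5c2d27f74f18e254cc3 469dfea6446a8bb5fada116bd28483d7
3b7df8e68eca9a4bcc559d79a2c5a4c7 6b05a1e9faf5b77bad1826bacf322b24
8d232fd0bfc9e1e4e77b8d719f24b48f cb1280f6e63e4908d52b5bee6f65ec63
a5aeb6ccc48fea88cf6c6bcc69940f8a 4bace6e0b61f5169bb0ca7f48c38aea2
02c7e63ffa0c5488dd080b64bc297852
""".split())

MEDUSA_SHA256 = set("""
d332880175d47393d322c67eb8539c06441f11309ef19c76b59041f11a95e80c
c22230c33b8217036d4e4262d02f85c1e16b140f288d0417b223961e28fb2d19
72596502ba99e05694c35ebc748711080d06769baf97cdc256280bb0882b1d76
96bbbf6b46cd3c0b1ebd2b048e99c8d593aa78fdaafc0d8c6cfe30cbaaccd029
f530dcfbde39ac82d5d1af933caaf17c4b06ec2e3b2c672bf04fb1d9456ebce1
c0855b309d0032c4551ec622713624247412befc1b9f60af2317757004fc737f
8b868f57e972f57d444ad9feca3936a4266032d7df1eb4e950dfcbb3e296a58a
e7cdbdedcfc13aa752bfc6ec3f531de332e80dcbeb525bbd5beca028b133631d
d42dba76fb069cd4fca3ce93f765b4c14c31d1b8945d5823238ee40f6acb9822
4e37b5f6848f1f02207a05979a3a792ebda141acd69b494e91910f915e35158b
6da981a4ae1ae164d76df4805d37227a0a91c1fcb12f3efc70a5186c9302d379
d79b4099ce148263221021233183b7c0405380a6f3526d65de043ba574387779
031755a2a743c89801898802726f42e3ec1803f54100223dd6d12a0fe6dadab1
""".split())

MEDUSA_SHA1 = set("""
93b19c166cafca8ea6fbc1beed9ce945765d5674 202c53dc0545b2a9353162b1c8604ae3c2acdd10
1fa01cd95d735abce0ddf97a72512a72308be992 522af66fab349d054842ef2691ea66f4983b9d76
7ad1d204d2590b49a2c709382cce991f2721f0d7 6c0079493a3aa2ad5bcfbf4284a3ab741cca9a0f
7b2b23c3d1bff7682c065b6b5c7a99986eddb4c4 b5d4dad617e8add373c94bcafe02703c640a9a18
f2d47b5fa3c3e9c7777ca7ec1c9c46ca43042779 9ff38fe9c19687d9044af2eed197b3d81becb625
89046457593dbcdbab53abbef882bf8dbcbbfb22 4240848b7b5c92eccceed3532b2a07adf04711dd
c965a5cfe60a41777908289e5b21345eabdb9f49
""".split())


def file_hashes(path):
    """Compute (md5, sha1, sha256) hex digests for one file in a single streamed pass."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)


def match_hashes(md5, sha1, sha256):
    """Return [(algorithm, hash)] for every indicator set the given hashes hit."""
    hits = []
    for name, value, iocs in (("md5", md5, MEDUSA_MD5),
                              ("sha1", sha1, MEDUSA_SHA1),
                              ("sha256", sha256, MEDUSA_SHA256)):
        if value.lower() in iocs:
            hits.append((name, value.lower()))
    return hits


def sweep(directory):
    """Hash every regular file under directory; return {path: hits} for matches only."""
    findings = {}
    for path in Path(directory).rglob("*"):
        if path.is_file():
            hits = match_hashes(*file_hashes(path))
            if hits:
                findings[str(path)] = hits
    return findings


def demo():
    """Constructed self-check: one benign file in a temp dir yields no findings."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "benign.apk"
        sample.write_bytes(b"hello")  # constructed content, not a real APK
        return file_hashes(sample), sweep(tmp)


if __name__ == "__main__":
    import sys
    hits = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, matched in hits.items():
        print(path, matched)
    print(f"{len(hits)} file(s) matched Medusa indicators")
```

Run it as `python medusa_sweep.py /path/to/samples`; every file is read once regardless of how many hash algorithms are checked, and indicator values are lower-cased before comparison so upper-case hashes from another feed still match.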
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update Android devices with the latest security patches and firmware to mitigate vulnerabilities exploited by Medusa.
- Avoid downloading apps from third-party app stores or unreliable sources; stick to official app stores like Google Play.
- Exercise caution when clicking on links or downloading attachments from unsolicited emails or SMS messages to prevent inadvertent installation of malicious apps.
- Install reputable mobile security software that can detect and block known banking trojans and other malware variants.
- Be vigilant against SMS phishing (smishing) attempts by verifying the legitimacy of messages and avoiding interaction with suspicious links.
- Review app permissions before installation and restrict unnecessary permissions to minimize the potential impact of compromised apps.
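The last recommendation, reviewing permissions before installing, can be made concrete by reading the permissions an APK declares in its manifest and mapping them onto the capabilities the analysis describes (SMS sending and interception, contact-list access, screen overlays, and installing further packages). The script below is an added example and not part of the advisory: the permission strings are real Android constants, but the capability groups, the verdict rule and both sample manifests are constructed for this illustration.

```python
"""Review an Android manifest's declared permissions before installing an app.

Added example, not from the advisory: the permission strings are real Android
constants, but the capability groups, the verdict rule and the sample manifests
below are constructed for this illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the capabilities the advisory describes: SMS
# sending/interception, contact-list access (used for spreading), screen
# overlays (the 'setoverlay' black screen) and sideloading further packages
# (dropper behaviour). The grouping is this example's assumption.
RISKY = {
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

# Constructed manifest resembling a browser look-alike dropper; the package
# name is a placeholder, not an indicator from the advisory.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebrowser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Chrome"/>
</manifest>
"""

# Constructed manifest of an app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review(manifest_xml):
    """Map declared permissions to capability groups and rate the combination.

    Verdict rule (this example's own): SMS access combined with overlay drawing
    is the banking-trojan pattern and rates 'high'; any other risky group rates
    'medium'; nothing flagged rates 'low'.
    """
    flagged = {p: RISKY[p] for p in declared_permissions(manifest_xml) if p in RISKY}
    groups = set(flagged.values())
    if {"sms", "overlay"} <= groups:
        verdict = "high"
    elif groups:
        verdict = "medium"
    else:
        verdict = "low"
    return {"flagged": flagged, "groups": sorted(groups), "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("fake browser", SUSPICIOUS_MANIFEST),
                            ("weather", BENIGN_MANIFEST)):
        print(label, review(manifest))
```

The manifest inside a real APK is binary-encoded, so in practice the XML fed to `review()` comes from a decoding tool such as `aapt dump xmltree` or apktool; the verdict is a triage aid, since legitimate messaging apps also hold SMS permissions, but a "browser" or "streaming" app that asks for SMS plus overlay is exactly the combination the analysis above describes.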