New Medusa Trojan Variant Emerges with Enhanced Stealth Features
New fraud campaigns have been discovered involving the Medusa (TangleBot) banking Trojan, which had evaded detection for nearly a year.
An analysis published by Cleafy researchers last week revealed that this sophisticated malware family, first identified in 2020, has resurfaced with significant changes.
This malware, known for its remote access Trojan (RAT) capabilities, includes keylogging, screen control and SMS reading/writing, enabling threat actors to execute on-device fraud (ODF), a highly dangerous form of banking fraud.
Recent findings show discrepancies between new Medusa samples and older variants, with later versions utilizing a more lightweight permission set and new features like full-screen overlay displays and remote uninstallation of applications.
Medusa initially targeted Turkish financial institutions but expanded to North America and Europe by 2022. Its RAT capabilities allow threat actors complete control of compromised devices using VNC for real-time screen sharing and accessibility services. This facilitates dangerous attacks like account takeover (ATO) and automatic transfer system (ATS) fraud.
Cleafy has now identified five different botnets operated by affiliates, each targeting different geographical areas and using unique decoys. Targets now include not only Turkey and Spain but also France and Italy. A notable shift in distribution strategy was also observed, with threat actors using “droppers” to distribute malware via fake update procedures.
The malware coordinates its functionality through a secure WebSocket connection to the attackers’ infrastructure, dynamically fetching the command-and-control (C2) server URL from social media profiles on platforms such as Telegram and X (formerly Twitter). Because the C2 address is retrieved at runtime rather than hard-coded, takedowns of a single server are less effective: the operators can simply update the profile with a new address.
The latest Medusa variant’s strategic shift minimizes required permissions and evades detection, allowing it to operate undetected for longer periods.
“The combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusa’s evolving nature,” reads the advisory.
“As the TAs [threat actors] refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defenses to counter these emerging threats.”