First discovered in July 2020, Medusa has come a long way with new capabilities and updates. It has now become deadlier by forming a partnership with the infamous FluBot trojan: the two are deployed in side-by-side campaigns and share a common infrastructure.

Diving into details

  • ThreatFabric found that Medusa is being propagated through the same smishing infrastructure used by FluBot. This has led to an increase in the volume of side-by-side campaigns.
  • FluBot is delivered via SMS messages that urge users to install a missed package delivery app or a fake version of Flash Player. Upon infection, it obtains the permissions it needs, exfiltrates credentials and banking information, steals passwords saved on the device, and harvests other personal information available on it.
  • Medusa followed in the footsteps of FluBot, which allowed it to infect 1,500 devices in a single botnet. What is concerning is that Medusa operates multiple botnets conducting multiple campaigns.
  • While FluBot primarily targets European users, Medusa has recently targeted users in the U.S., Turkey, and Canada.

Medusa’s evolution

  • Medusa’s main capability is to abuse the Android Accessibility Service as a scripting engine that can execute a series of commands on the infected device. Combined with its media streaming functionality, this gives the attackers powerful RAT capabilities to both monitor the device and interact with it.
  • The authors implemented accessibility-based keylogging, which gives the bot access to UI functions on the infected phone. The attackers can also gain further insight into victims’ behavior and capture credentials without conducting any phishing attack.
  • Medusa has also been upgraded with an event logging feature. A dedicated command from the C2 makes the malware repeatedly gather information about the active window.

FluBot evolves too

  • Joining hands with Medusa has not slowed FluBot’s development at all. Its latest version, 5.4, has gained a new feature: Direct Reply to push notifications.
  • This capability allows the trojan to intercept push notifications from targeted apps, and thus defeat 2FA and similar protections that rely on them.

The bottom line

While Medusa is not extremely widespread at the time of writing, its infection rates have clearly risen since it adopted FluBot’s distribution techniques. Furthermore, FluBot is constantly evolving, and with its latest capability it can conduct on-device fraud. This evolution shows that 2FA alone is not enough to thwart such threats.

Cyware Publisher