Active campaigns currently targeting Android users are delivering the FluBot and Medusa banking trojans. Both trojans are being spread through the same distribution mechanism in a simultaneous attack campaign, according to security researchers at ThreatFabric.
Medusa and FluBot Trojans Working Together
According to the report, in less than a month Medusa infected more than 1500 devices in a single botnet, disguising itself with DHL-themed lures. The trojan uses multiple botnets for each of its campaigns, so the infection count is expected to grow quickly. In the meantime, FluBot, also known as Cabassous, continues to evolve and its campaigns have not stopped. The two trojans are currently being distributed together.
“After targeting Turkish financial organisations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in a significant number of infected devices. Powered with multiple remote access features, Medusa poses a critical threat to financial organisations in targeted regions,” the researchers said.
FluBot, on the other hand, continues its malicious evolution and now carries a major update that introduced DNS tunneling via public DNS-over-HTTPS services, as well as the ability to abuse the Notification Direct Reply feature on Android. It can also intercept notifications, making it possible for its operators to manipulate notifications from targeted apps on a compromised device.
What is most threatening for Android users about Medusa is its semi-ATS (Automated Transfer System) capability. “It is powered with an Accessibility scripting engine that allows actors to perform a set of actions on the victim’s behalf, with the help of Android Accessibility Service. Moreover, Medusa sports other dangerous features like keylogging, Accessibility event logging, and audio and video streaming – all these capabilities provide actors with almost full access to the victim’s device,” the researchers added.
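Both trojans depend on two privileges a user must grant by hand: Accessibility Service access (Medusa's semi-ATS engine) and notification access (FluBot's notification interception). The following is an added example, not code from the ThreatFabric report, that audits the two Android secure settings holding those grants against an allowlist; the allowlist entries and the `com.parcel.track` package are constructed sample values, not real indicators.

```python
# Audit the Android secure settings that record which apps hold Accessibility
# Service access and notification-listener access. On a real device the values
# come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Each value is 'pkg/ServiceClass:pkg2/ServiceClass2' or 'null' when empty.

# Constructed allowlist of components an organisation expects to see (hypothetical).
ALLOWED = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
    "com.example.mdm/com.example.mdm.NotificationRelay",
}


def parse_components(setting_value):
    """Split a secure-settings value into its 'package/Service' components."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if c]


def flag_unexpected(setting_value, allowed=ALLOWED):
    """Return the components holding the privilege that are not on the allowlist."""
    return [c for c in parse_components(setting_value) if c not in allowed]


def audit(accessibility_value, listener_value, allowed=ALLOWED):
    """Run both checks; a package present in both lists matches the
    Accessibility-plus-notification combination the trojans rely on."""
    acc = flag_unexpected(accessibility_value, allowed)
    lst = flag_unexpected(listener_value, allowed)
    both = sorted({c.split("/")[0] for c in acc} & {c.split("/")[0] for c in lst})
    return {"accessibility": acc, "notification_listeners": lst, "packages_with_both": both}


# Constructed sample output: a hypothetical app posing as a parcel tracker holds both grants.
SAMPLE_ACCESSIBILITY = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                        "com.parcel.track/com.parcel.track.A11yService")
SAMPLE_LISTENERS = ("com.example.mdm/com.example.mdm.NotificationRelay:"
                    "com.parcel.track/com.parcel.track.NlService")

if __name__ == "__main__":
    print(audit(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS))
```

Any package reported under `packages_with_both` deserves a closer look, since legitimate apps rarely need both grants at once.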
Last year, FluBot used SMS messages (a technique known as smishing) about a “missed package delivery” to spread among Android users in the U.K. In that campaign, FluBot was installed after the victim received the text message, which prompted them to install a tracking app related to the missed delivery. The application was malicious, specifically designed to steal passwords and other sensitive details.