Cleafy Threat Intelligence reports a revival and evolution of the Medusa (TangleBot) banking Trojan, detailing new lightweight variants, multiple botnets, and a shift toward droppers and fake updates for distribution. The campaign expands geographically (including Italy and France) while maintaining On-Device Fraud capabilities like keylogging, screen control, and SMS access.
Key points
- In May 2024, Cleafy observed new Medusa campaigns after roughly a year of limited activity.
- Medusa is a sophisticated RAT with keylogging, screen controls, and SMS read/write capabilities enabling On-Device Fraud (ODF).
- Recent samples show a lightweight permission set and new features like full-screen overlays and remote uninstall of apps.
- Five active botnets were identified, each with distinct decoys, targets, and geographic focus, spanning Turkey, Spain, France, and Italy.
- Threat Actors are experimenting with droppers and fake update procedures to improve distribution.
MITRE Techniques
- [T1056.001] Input Capture – Keylogging – The malware implements a keylogger to capture keystrokes. Quote: ‘continuous Key-Logging and Dynamic Overlay Attacks.’
- [T1113] Screen Capture – Take Screenshot – The variant adds screen-control and screenshot capabilities; the article lists ‘Take Screenshot’ among the new commands (take_scr).
- [T1071.001] Web Protocols – C2 over web channels – The malware coordinates via a Web Secure Socket to the TA infrastructure and fetches C2 URLs dynamically from public social profiles: ‘Web Secure Socket connection to the TA’s infrastructure… C2 server URL is dynamically fetched from public social media profiles like Telegram, Twitter, and ICQ …’
- [T1566.001] Phishing – Initial Access via social engineering – Campaigns rely on ‘Phishing campaigns to spread the malware’ to onboard new victims and affiliates.
- [T1021.001] Remote Services – VNC-based remote control – The Threat Actors use VNC for real-time screen sharing and interaction, enabling remote control of compromised devices: ‘exploiting VNC for real-time screen sharing and accessibility services for interaction.’
Indicators of Compromise
- [URL] C2 domain – cincincintopcin[.]info, a4a4a4a[.]life (C2 URLs used by Medusa variants)
- [MD5] file hash – b9ee66c96b110622f4608581e77b0e4d, 7031c88ea3a306c4e4d786d3b0625a20
- [App Name] observed in IoCs – 4K Sport, Purolator
Read more: https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered