• In May 2024, the Cleafy Threat Intelligence team tracked new fraud campaigns involving the Medusa (TangleBot) banking trojan, which had been under the radar for almost a year.
• Medusa is a sophisticated malware family with RAT capabilities discovered in 2020. Its features include a keylogger, screen controls, and the ability to read/write SMS. Those capabilities enable Threat Actors (TAs) to perform one of the riskiest fraud scenarios: On-Device Fraud (ODF).
• During these last months, it has been possible to identify some discrepancies between new Medusa samples and the previously known ones, including a lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications.  
• We identified five different botnets operated by several affiliates that show distinct characteristics regarding geographical targeting and decoy used. The results confirm previously known country targets, such as Turkey and Spain, but also new ones, such as France and Italy.  
• We observed an apparent shift in the distribution strategy among the detected campaigns. TAs have started experimenting with “droppers” to distribute malware via fake update procedures.

In late May 2024, Cleafy's Threat Intelligence team observed a surge in installations of a previously unknown app called "4K Sports," whose characteristics didn't perfectly align with known malware families.

Initial investigations suggested a possible connection between the behaviour of the "4K Sports" app and the Medusa family. However, a more in-depth analysis revealed discrepancies between the app and previously documented variants. These differences highlighted an evolution in the Medusa malware, with significant changes in its command structure and overall capabilities.

Analysing the evolution of Medusa samples over the past few months, it is clear that TAs aim to enhance the efficiency of the available features while simultaneously strengthening the botnet by refactoring the permissions required during the installation phase. Because of the MaaS (Malware-as-a-Service) model carried out by Medusa, this phase of "optimisation" could be influenced by various factors. The entry of new affiliates has likely driven developers to create less detectable variants, potentially to test their reliability in previously unexplored geographical regions.

In this article, we will uncover the details of our findings and understand the full scope of Medusa's evolution, the latest detected variant, and their implications.

First identified in 2020, the Turkish-linked Medusa banking Trojan has grown on the world stage to become a significant threat. Initially targeting Turkish financial institutions, Medusa's scope expanded rapidly by 2022, launching major campaigns in North America and Europe.

This RAT (Remote Access Trojan) grants TAs complete control of compromised devices by exploiting VNC for real-time screen sharing and accessibility services for interaction. These capabilities provide TAs the ability to perform On-Device Fraud (ODF). ODF is one of the most dangerous types of banking fraud since wire transfers are initiated from the victim’s device and can be adapted for manual or automatic approaches, such as Account Takeover (ATO) or Automatic Transfer System (ATS).

By exploiting accessibility services, Medusa extends its functionality beyond simple remote control. This allows the Trojan to automate several features commonly associated with modern banking Trojans, including continuous Key-Logging and Dynamic Overlay Attacks.

The following Figure represents a high-level overview of the network communications between an infected device (bot) and the assigned C2 infrastructure, taking the Key-Logging feature as an example:

The malware coordinates its functionalities through a Web Secure Socket connection to the TA's infrastructure. The C2 server URL is dynamically fetched from public social media profiles like Telegram, Twitter, and ICQ for enhanced obfuscation. This dynamic retrieval allows attackers to update the C2 server without modifying the malware, increasing its resilience against takedown attempts. Additionally, the malware employs backup channels on these social media platforms for further redundancy.

‍

Since July 2023, Medusa campaigns have been reborn with a new variant, changing TTPs and country targets. The following table represents all the high-level TTPs retrieved from recent analysis:

A characteristic of Medusa's campaigns has always been a high degree of adaptability: the malware's backend infrastructure is designed to support multiple botnets simultaneously, each differentiated by specific tags and operational goals.

Once the user accepts the Accessibility Service popup during the installation phases, the malware can record every activity done by the user on the compromised device. The attacker can observe them in real time on the C2 panel. In particular, the TAs can observe:

Analysis revealed two distinct Medusa botnet clusters, each with different operational characteristics:

• Cluster 1 (AFETZEDE, ANAKONDA, PEMBE, TONY): these botnets primarily targeted users in Turkey, with some campaigns extending to Canada and the United States. They follow Medusa's traditional modus operandi, relying on methods like phishing campaigns to spread the malware. Interestingly, these variants often shared decoys, C2 servers, and campaign names, suggesting a potential connection to the same TAs.
• Cluster 2 (UNKN): this botnet marks a shift in Medusa’s operational strategy. It mainly targets European users, with specific campaigns focusing on Italy and France. Unlike traditional variants, some instances of the innovative cluster were installed via droppers downloaded from untrusted sources. This suggests the TAs behind this botnet are experimenting with novel distribution methods beyond traditional phishing tactics.

Refer to the appendix for detailed information on botnet names, associated campaigns, dates, and decoy names.

One of the most intriguing aspects of these new campaigns is the strategic use of samples that employ a lightweight permission set, requiring only essential functionality for its core operations. Cleafy's investigations tracked the evolution of the permissions used over time for the most active botnets. As depicted in Figure 7, a negative trend was observed in all cases, especially in the botnets belonging to Cluster 1.

From a Threat Intelligence and malware analysis perspective, examining the refactoring of permissions at the Manifest level is crucial. This analysis can reveal significant insights into the TTPs employed by TAs. By reducing the number of permissions, the malware becomes less conspicuous during initial analysis, potentially bypassing automated security checks and manual inspections. This stealthier approach can significantly lower detection rates, allowing the malware to persist undetected for extended periods.

This refactoring of permissions indicates that TAs continuously evolve their methodologies to stay ahead of detection technologies. By understanding these changes, security researchers and practitioners can better anticipate future threats and develop more effective countermeasures.

In-depth analyses of the early Medusa campaigns indicated the presence of valuable permissions to perform complementary malware functionality, such as:

• Camera and Microphone
• GPS Location
• Phone Call
• Read and Send SMS
• Read Contacts
• Read Phone State
• Write Settings

Instead, summarising all recent campaigns, we noticed that only permissions related to the malware's core functionality were requested. The minimum set of permissions is:

• Accessibility Services
• Broadcast SMS
• Internet
• Foreground Service
• Query and Delete Packages

The following Figure depicts a side-by-side comparison of the Android manifest files from early and recent Medusa campaigns. On the left, the manifest from an early Medusa campaign illustrates the extensive set of permissions requested. On the right, the manifest from a more recent Medusa campaign shows a streamlined permissions set.

‍

Cleafy's analysis revealed a significant change in the set of commands available in this new Medusa variant. Although the exact number of commands may vary, our investigation identified that 17 commands in the previous variant have been removed. This strategic reduction aligns with the earlier observed trend of minimising permissions in the manifest file, a move aimed at decreasing detectability and enhancing the overall stealth and reliability of the malware.

While many commands were removed, this new variant also introduces five new commands, showcasing an evolution in its capabilities:

The removal of certain functionalities, alongside the introduction of these new commands, reflects a deliberate effort by the TAs to streamline Medusa's operations. By focusing on essential and more impactful features, they can ensure the malware remains effective while evading detection. This approach mirrors the earlier strategy of reducing the number of permissions requested during installation, further solidifying the botnet's robustness and adaptability.

In particular, commands like “set overlay” emphasise controlling the victim's device screen, facilitating more sophisticated phishing and social engineering attacks. This command allows the malware to display a black screen overlay on the victim's device. While the exact purpose remains under investigation, this functionality presents a potential threat: by obscuring the underlying screen content, the attacker can use this overlay to mask other malicious activities.

Interestingly, all the original functionalities have remained implemented even in campaigns without associated permissions. For example, commands such as “sendsms” or “getcontacts” are present in all samples (also in the recent ones), but their execution is blocked by Android in the case of missing permissions.

The following table shows the differences between the command sets of the previous version and those of the new version.

In conclusion, the latest Medusa variant demonstrates a strategic shift towards a lightweight approach. Minimising the required permissions evades detection and appears more benign, enhancing its ability to operate undetected for extended periods. Geographically, the malware is expanding into new regions, such as Italy and France, indicating a deliberate effort to diversify its victim pool and broaden its attack surface.

The recent adoption of droppers as a distribution method signals a significant evolution in Medusa's threat capabilities. While we have yet to observe these droppers on the Google Play Store, this does not preclude the possibility of future deployments via this channel. This distribution strategy, shared among other banking malware families like TeaBot and SharkBot, leverages the inherent trust associated with official app stores, resulting in broader distribution and higher infection rates.

The combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusa's evolving nature. As the TAs refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defences to counter these emerging threats. The detailed findings presented in this article offer valuable insights into Medusa's current state, providing a foundation for continued monitoring and analysis.

Appendix 1: Active campaigns

Appendix 2: Indicator of Compromise (IoC)

Medusa Variant

Appendix 3: Social media profile

Appendix 4: Dropper