Spain on the list of countries affected by new banking malware campaigns: Medusa, SpyMax and Cerberus

Cybersecurity researchers have identified new phishing campaigns using banking malware, active since July 2023 and growing in activity to the present. The study was carried out on five different botnets operated by various cybercriminal groups.
The samples analyzed target users in Canada, France, Italy, Spain, Türkiye, the United Kingdom and the United States.

The new Medusa samples feature a lighter set of permissions and new features, such as the ability to display a full-screen overlay and uninstall apps remotely, explained security researchers Simone Mattia and Federico Valentini of the cybersecurity firm Cleafy.

Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 and targeting financial institutions in Turkey. Its capabilities include the usual suite of current techniques for conducting fraud, using overlay attacks to steal banking credentials. In February 2022, ThreatFabric discovered Medusa samples that used delivery mechanisms similar to those of FluBot (also known as Cabassous), disguising the malware as seemingly harmless package delivery and utility applications.

The latest Cleafy analysis reveals not only improvements in the malware, but also the use of dropper applications to spread Medusa under the guise of fake updates. In addition, legitimate services such as Telegram and X are used as dead drop resolvers to retrieve the address of the command-and-control (C2) server used for data exfiltration.

One notable change is the reduction in the number of permissions requested, in an apparent effort to reduce the chances of detection. That said, it still requires the Android Accessibility Services API, which allows it to covertly enable other permissions as needed without raising suspicion among users.

Another modification is the ability to set a black screen overlay on the victim’s device to give the impression that the device is locked or turned off, and use this as cover to carry out malicious activities.

Medusa botnet clusters often rely on proven approaches such as phishing to spread the malware. However, new waves have been observed spreading it through dropper apps downloaded from untrustworthy sources, underscoring continued efforts by threat actors to evolve their tactics.
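As an added illustration (not from Cleafy, K7 or the original article), the following Python script performs the kind of static manifest triage a defender can use to spot the pattern described above: an app that requests few permissions yet still declares an accessibility service, combined with overlay or package-management permissions. The two manifests are constructed for this example and do not come from any real sample; the verdict thresholds are an assumption, not a published rule.

```python
"""Static triage of a decoded AndroidManifest.xml for banking-trojan levers.

Added example: not Cleafy's, K7's or Hispasec's tooling. Input is a textual
manifest such as apktool produces. Both sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Not malicious on their own, but these are the capabilities the article
# attributes to the malware: overlays, (un)installing packages, persistence.
SENSITIVE = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay capability",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper/sideload capability",
    "android.permission.REQUEST_DELETE_PACKAGES": "remote uninstall capability",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest mimicking a "fake update" app with a compact permission set.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <application android:label="Browser Update">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest for an ordinary network-using app, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package name, permission count, accessibility flag, findings, verdict."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    findings = [SENSITIVE[p] for p in perms if p in SENSITIVE]

    # An accessibility service is declared by a <service> guarded by the
    # BIND_ACCESSIBILITY_SERVICE permission; the user must enable it manually,
    # which is exactly what these droppers prompt for after installation.
    has_a11y = any(
        s.get(ANDROID_NS + "permission") == ACCESSIBILITY for s in root.iter("service")
    )
    if has_a11y:
        findings.append("declares an accessibility service")

    # Assumed threshold: accessibility access alone warrants review, regardless
    # of how small the permission set is; otherwise two sensitive levers do.
    verdict = "review" if has_a11y or len(findings) >= 2 else "low"
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "accessibility_service": has_a11y,
        "findings": findings,
        "verdict": verdict,
    }


def summarize(result):
    """One-line, human-readable summary of a triage result."""
    return "%s: %d permissions, verdict=%s (%s)" % (
        result["package"],
        result["permission_count"],
        result["verdict"],
        "; ".join(result["findings"]) or "no findings",
    )


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(summarize(triage_manifest(manifest)))
```

The point of the check is the one the researchers make: a short permission list is not reassuring on its own. The suspicious sample asks for only three permissions, fewer than many legitimate apps, but the accessibility service declaration is what lets it grant itself more later, so the triage keys on that rather than on permission count.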

“Minimizing the required permissions evades detection and appears more benign, improving its ability to operate undetected for extended periods,” the researchers noted. “Geographically, the malware is expanding into new regions, such as Italy and France, indicating a deliberate effort to diversify its victim pool and expand its attack surface.”

This development comes as Symantec revealed that fake Chrome for Android browser updates are being used as a decoy to deploy the Cerberus banking trojan. Similar campaigns have also been observed distributing fake Telegram apps through fraudulent websites to spread another Android malware called SpyMax.

“SpyMax is a remote administration tool (RAT) that has the ability to collect personal/private information from the infected device without the user’s consent and send it to a remote threat actor,” said K7 Security Labs. “This allows threat actors to control victims’ devices, affecting the confidentiality and integrity of the victim’s privacy and data.”

Once installed, the app prompts the user to enable accessibility services, allowing it to collect keystrokes, precise locations, and even the speed at which the device is moving. The collected information is compressed and exfiltrated to the C2 server over an encrypted channel.

More information:

- Medusa Reborn: A New Compact Variant Discovered: https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered
- ThreatFabric post: https://x.com/ThreatFabric/status/1285144962695340032
- New Medusa Android Trojan Targets Banking Users Across 7 Countries: https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html
- SpyMax – An Android RAT targets Telegram Users: https://labs.k7computing.com/index.php/spymax-an-android-rat-targets-telegram-users/
- Koodous post: https://x.com/koodous_project/status/1806695569932365902
- Koodous analysis: https://koodous.com/apks/676024a745fac0396a2e9fadf046a5c7f3548bd801e5f3d7030adf5f0596bcd7/general-information
- Koodous analysis: https://koodous.com/apks/80852bf1df63b18b6845e0d4f703a1a0cb3360669dc31c9c04718e93591be865/general-information

About Hispasec

Hispasec has written 7057 publications.
