
Tricky botnet reemerges, new and improved, to target banking apps

An attendee inspects a Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)

The thing that is so challenging about financial malware is that, unlike most films, the sequel is often much better.

Researchers at ThreatFabric reported that they have discovered a new banking trojan being sent out by the same cybercriminals that less than two years ago distributed the damaging smishing campaign called Cabassous, also known as FluBot. Researchers made the connection between FluBot and this new emerging threat, dubbed Medusa, because both used exactly the same app names, package names and similar icons.

According to the Amsterdam-based research firm, this new malware variant has several of the same distinctive features as the FluBot trojan that ThreatFabric found in 2020. (In January 2021, the research team also tracked down Anatsa, an even more powerful and pernicious trojan, which was being unleashed in different countries than FluBot.)

In its initial incarnation, in 2020, FluBot was mostly hitting financial firms in Turkey. But researchers now believe Medusa is pivoting its aim toward the European and North American financial industry. Another key difference is Medusa’s use of “multiple remote access features,” which makes it “pose a critical threat to banks in the new target vector, including the United States.”

“This is a classic Android bot, equipped with credential stealing capabilities such as the use of overlays (fake login screens) for crypto-currency wallet apps and Android banking apps,” according to the ThreatFabric research paper published in May 2021, after they studied both FluBot and Anatsa.

“Besides harvesting credentials, the bot also gathers all contact information (phone numbers) from a victim’s device to spread itself using SMS messages or smishing.” Even at the time, the researchers pointed out that Anatsa “should be considered a stronger threat to Cabassous [FluBot] due to its more extensive and advanced set of features.”

Anatsa combined basic banking credential attacks, with the attack components downloaded and stored on the device first and then launched locally, with keyloggers, data exfiltration and “accessibility logging,” which gave the mobile intruders the ability to see virtually everything the user pulls up on their device and even allowed the malware to manipulate various user interfaces and copy them whenever they were displayed.
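The capability mix described above (overlays for fake login screens, contact harvesting combined with SMS sending for self-propagation, and accessibility abuse for UI logging and manipulation) maps onto a recognisable set of Android permissions. The following is an added example, not ThreatFabric's or SC Media's code, of how a defender might triage a device's installed-app inventory for that combination. The permission-to-capability mapping, the scoring weights, and the inventory (with placeholder package names) are all assumptions constructed for this example, not real indicators from the article.

```python
"""Heuristic triage of an Android app inventory for the capability mix the
article attributes to FluBot/Anatsa/Medusa: overlays (fake login screens),
contact harvesting plus SMS sending (self-propagation), and accessibility
abuse (UI logging/manipulation).

Added example, not ThreatFabric's or SC Media's code. The inventory below is
constructed; the package names are placeholders, not real indicators.
"""
from dataclasses import dataclass

# Permission strings an app would need to declare or use for each capability the
# article describes. This mapping is an assumption of the example, not an official rule.
CAPABILITY_PERMS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_spread": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
}


@dataclass
class Finding:
    package: str
    capabilities: list
    score: int


def capabilities_of(perms: set) -> list:
    """Return the capability names whose required permissions are all present."""
    return [name for name, needed in CAPABILITY_PERMS.items() if needed <= perms]


def triage(inventory: dict, allowlist: frozenset = frozenset()) -> list:
    """Score each non-allowlisted package; only the full bot-like combination gets the top score."""
    findings = []
    for pkg, perms in inventory.items():
        if pkg in allowlist:  # e.g. a known screen reader that legitimately needs accessibility
            continue
        caps = capabilities_of(perms)
        # One capability alone is common in legitimate apps; all three together is the
        # profile the article describes. The weights are an assumption of this example.
        score = {0: 0, 1: 1, 2: 3, 3: 6}[len(caps)]
        if score:
            findings.append(Finding(pkg, caps, score))
    # Highest-risk packages first; Python's sort is stable, so ties keep inventory order.
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed inventory, shaped like an export from device-management tooling.
SAMPLE_INVENTORY = {
    "com.example.parcel.tracker": {  # placeholder: a delivery-themed lure app
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.SEND_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
    "com.example.messenger": {  # placeholder: an ordinary messaging app
        "android.permission.SEND_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
    "com.example.screenreader": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "com.example.notes": {"android.permission.INTERNET"},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, allowlist=frozenset({"com.example.screenreader"})):
        print(f"{f.score:>2}  {f.package}  {', '.join(f.capabilities)}")
```

Run stand-alone, the script ranks the placeholder lure app at the top with all three capabilities, while the messaging app appears with a low score because SMS plus contacts alone is normal for its category. The allowlist is the important operational control: accessibility services and overlay permissions are legitimate for many apps, so the signal is the combination on a package that has no business reason for it, not any single permission.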

And now, it would seem that FluBot’s creators are trying to leapfrog any competition from other threat actors with Medusa. In the less than a month that Medusa has been around, it was distributed to 1,500 devices by posing as an application from the shipping company DHL.

And that was just one of the distribution campaigns, which imitate common apps such as those of big companies or Flash players; every campaign is believed to use multiple botnets, “so we expect the numbers to be much higher and very close to what we are observing with Cabassous,” according to the researchers’ recently released assessment of both Medusa and Cabassous.

“At the time of writing, this side-by-side campaign is still ongoing,” according to ThreatFabric’s recently published paper.

“More and more actors follow Cabassous’ success in distribution tactics, appropriating masquerading techniques and using the same distribution service,” researchers concluded. “Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns.”

According to a Feb. 8 press release from San Francisco cybersecurity vendor Arkose Labs, “The intelligent bot revolution is in full play. Bots mimic human behavior with a high degree of accuracy, accounting for 86% of all attacks.

“Automated attack and evasion orchestration includes combinations of sophisticated measures including stolen and synthetic credentials, CAPTCHA solving, human fraud farms, device spoofing, IP spoofing and hijacking and attack scripts,” the Arkose research discovered.
