The Medusa malware variant, also known as TangleBot, has reemerged, spreading via SMS and targeting U.S. and Canadian Android mobile operating systems using COVID-19 themes, according to a recent Health Sector Cybersecurity Coordination Center (HC3) alert.
Medusa is similar to FluBot malware proliferating in Europe, which also leverages COVID-19 themes to dupe users into downloading the malware. The install enables the attacker to access device functions.
First discovered in 2019, HC3 warns that what sets Medusa apart is its “wide-ranging access to mobile device functions.” Medusa is able to collect data and install additional malware. Previous Cloudmark research shows the malware compromises the security of the victim’s device and configures the system to exfiltrate “confidential information to systems controlled by the actor.”
Medusa was “given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS, and phone capabilities, call logs, internet access, and camera and microphone.”
The ongoing campaign was first observed at the end of September. It takes advantage of the ongoing pandemic to trick Android users into installing the malware, through related text messages that inform victims about purported new COVID-19 regulations within the specific region.
Another lure appears as an alert about the availability of an appointment for a third vaccine dose. Medusa’s texts include a malicious link that, when clicked, the user is directed to a website “that gives a notification the user’s Adobe Flash Player is out of date and must be updated.” If a user engages with the dialog box, Medusa is downloaded onto the device.
“It is important to mention that while Adobe Flash Player was natively supported on Android devices, it no longer is,” according to the alert from the sector of the Department of Health and Human Services. “Once the Medusa malware infects a device, it has a number of data gathering capabilities it can leverage, including accessing the victim’s internet, call logs, and GPS.”
HC3 is particularly concerned with the attack as it provides the attacker with the victim’s location at any time, while enabling the actor to record the camera, screen, or microphone audio and stream them directly to the actor. The malware can use the device to message other mobile devices “spreading throughout the mobile network.”
Medusa also allows the attack to place overlay screens on the device, which cover legitimate apps and screens. Cloudmark research found this tactic is “extremely problematic.” As seen with the FluBot attacks, the malware can overlay banking or financial apps to directly steal account credentials.
“Harvesting of personal information and credentials in this manner is extremely troublesome for mobile users because there is a growing market on the dark web for detailed personal and account data,” Cloudmark researchers previously wrote.
“Even if the user discovers the TangleBot malware installed on their device and is able to remove it, the attacker may not use the stolen information for some period of time, rendering the victim oblivious of the theft,” they concluded.
Once Medusa, or Tanglebot, is installed, it can be incredibly difficult to detect and remove. As such, entities should educate the workforce on the ongoing threat posed by Medusa, including utilizing safe messaging practices, avoiding interaction with any links in texts, and carefully reading install prompts when downloading apps.