Medusa threat group fuses with Flubot to form dynamic attacks

February 21, 2022

The Medusa threat group has been observed by researchers partnering with another threat group, Flubot. Researchers said that the two cybercriminal operations are deployed simultaneously in recent campaigns and share common infrastructure.

Researchers found Medusa being distributed through the same smishing (SMS phishing) infrastructure used by the Flubot trojan. Sharing that infrastructure has increased the volume of the combined campaign.

Based on the analysis, Flubot is spread through SMS messages that lure targets into installing a fake missed-package delivery app or a bogus Flash Player update. Once installed, the Flubot trojan gains access to the device, steals credentials, exfiltrates banking information, harvests passwords saved on the device, and collects other personal data it can reach.

After Flubot’s initial intrusion, Medusa follows in its tracks. This arrangement has allowed more than a thousand devices to be infected within a single botnet. More concerning still, Medusa operates several botnets that run numerous campaigns simultaneously alongside Flubot.

While Flubot exclusively targets European users, Medusa has recently turned its attention to users in Turkey, Canada, and the United States.

The Medusa threat group and Flubot each keep evolving on their own, even though they share a cyberattack campaign.

Medusa’s main feature is the abuse of Android’s Accessibility service to run a chain of commands on the compromised device. When this is combined with its screen-streaming capability, the attacker gains a full remote access trojan (RAT) function with which to interact with the compromised devices and monitor them.

Flubot, for its part, continues to develop despite its cooperation with Medusa. In its most recent version, 5.4, Flubot has acquired a feature that abuses the Direct Reply capability of Android notifications. This lets the trojan intercept push notifications from apps on the infected device, so that 2FA codes and prompts never reach the user.

Medusa has become more powerful by adopting the Flubot trojan’s distribution strategy. Flubot, meanwhile, continues to evolve, and with its latest capability it can carry out on-device fraud.

The evolution of both families shows that 2FA on its own is not enough to keep such malware campaigns at bay once a device has been compromised.
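Both capabilities described above depend on a malicious app holding a privileged Android permission: an accessibility service (Medusa) or a notification listener (Flubot’s Direct Reply abuse). A practical defensive check is to audit which packages hold those permissions. The script below is an added example, not code from the article or from either malware family; it parses the values that Android returns for `adb shell settings get secure enabled_accessibility_services` and `enabled_notification_listeners` and flags packages that are not on an allowlist. The sample setting values and the allowlist are constructed for this example, and the `com.example.*` package names are placeholders, not real indicators.

```python
"""Audit Android accessibility services and notification listeners.

Android stores both lists as colon-separated "package/ServiceClass" entries
in secure settings, and `settings get` prints the literal string "null"
when a setting has never been written. The values below are constructed
sample output, not captured from a real device.
"""

# Constructed sample: what `adb shell settings get secure
# enabled_accessibility_services` might print on an infected device.
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/.ScreenReaderService:"
    "com.example.fakeflash/com.example.fakeflash.AccService"
)

# Constructed sample: what `adb shell settings get secure
# enabled_notification_listeners` might print on the same device.
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.example.wearcompanion/.NotificationListener:"
    "com.example.fakeflash/.NotifListener"
)

# Hypothetical allowlist: packages an organisation has approved to hold
# these privileged permissions (e.g. a screen reader, a smartwatch app).
ALLOWED_PACKAGES = {
    "com.example.screenreader",
    "com.example.wearcompanion",
}


def parse_services(setting_value):
    """Split a colon-separated Android service list into (package, class) pairs.

    Handles the "null" placeholder, empty input, stray separators, and the
    shorthand "pkg/.Class" form, which is expanded to the full class name.
    """
    if setting_value is None:
        return []
    value = setting_value.strip()
    if not value or value == "null":
        return []
    entries = []
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue
        package, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = package + cls
        entries.append((package, cls))
    return entries


def find_unexpected(setting_value, allowlist):
    """Return entries whose package is not on the allowlist."""
    return [
        (package, cls)
        for package, cls in parse_services(setting_value)
        if package not in allowlist
    ]


def audit(accessibility_value, listeners_value, allowlist=ALLOWED_PACKAGES):
    """Flag unapproved accessibility services and notification listeners.

    A package that holds both permissions is reported separately, since that
    combination gives an app both control of the UI and a view of 2FA
    notifications.
    """
    acc = find_unexpected(accessibility_value, allowlist)
    listeners = find_unexpected(listeners_value, allowlist)
    both = sorted({p for p, _ in acc} & {p for p, _ in listeners})
    return {
        "accessibility": acc,
        "notification_listeners": listeners,
        "both": both,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ACCESSIBILITY, SAMPLE_NOTIFICATION_LISTENERS)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

On a real device the two setting values would be read with `adb shell settings get secure <name>` and passed to `audit()`; a package appearing under `both` is the strongest signal that an app has acquired the combination of privileges the article describes and warrants investigation.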
