
Ankura CTIX FLASH Update - June 28, 2024

Ransomware/Malware Activity

 

The “Medusa” Android Banking Trojan is Back

A banking trojan known as “Medusa” or “TangleBot” has recently been observed targeting seven (7) countries, including the United States. Medusa was first discovered in 2020, and its versions have grown in sophistication over time. The latest version, seen in campaigns operating since May 2024, requests fewer permissions from the victim device, can initiate transactions directly from the device, retains keylogging and SMS manipulation capabilities, and includes commands for capturing screenshots. The malware’s primary purpose is to perform overlay attacks to steal victims’ banking credentials. An overlay attack occurs when malware draws its own window on top of another application in order to capture the credentials the victim types into it. Researchers at online fraud management company Cleafy observed 24 recent campaigns attributed to five (5) botnets delivering the Medusa payload, mainly via SMS phishing, with the malware side-loaded through dropper applications. Dropper applications used in recent attacks include a fake Chrome browser, a 5G connectivity application, and a fake streaming application called 4K Sports. The new capabilities of Medusa allow attackers to stealthily steal more than banking credentials alone. CTIX analysts urge individuals to stay vigilant by vetting applications prior to download and by limiting the permissions granted to mobile applications. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

 

Threat Actor Activity

 

State-Sponsored Chinese and North Korean Hackers Target Global Infrastructure with Ransomware

Between 2021 and 2023, threat actors with ties to China and North Korea were implicated in ransomware and data encryption attacks targeting governments and critical infrastructure globally. Notably, ChamelGang (aka CamoFei) has been linked to attacks on the All India Institute of Medical Sciences and the Presidency of Brazil using CatB ransomware, and other attacks in East Asia and the Indian subcontinent have also been attributed to the group. These ransomware attacks serve not only to disrupt and provide financial gain but also to obscure the attackers' presence by destroying evidence. ChamelGang is associated with intelligence gathering, data theft, and denial-of-service (DoS) attacks, using tools such as BeaconLoader, Cobalt Strike, and custom malware. Additionally, a separate set of attacks involving Jetico BestCrypt and Microsoft BitLocker targeted various industries, with evidence pointing to China's APT41 and North Korea's Andariel. These activities suggest a blurring of the lines between cyber espionage and cybercrime, offering adversaries plausible deniability by making state-sponsored operations look like the work of independent cybercriminals. CTIX analysts will continue to monitor the activity of both financially motivated and state-sponsored threat actors.

 

Vulnerabilities

 

New Critical MOVEit Transfer Vulnerability Under Active Exploitation

Threat actors began exploiting a critical authentication bypass flaw in Progress Software's MOVEit Transfer shortly after its disclosure. The vulnerability, tracked as CVE-2024-5806 (CVSS score 9.1/10), affects versions 2023.0.0 through 2024.0.0 and allows attackers to bypass authentication in the SFTP module and gain unauthorized access to sensitive data. Approximately 2,700 vulnerable instances have been detected globally, many of them in the U.S., U.K., Germany, Canada, and the Netherlands. WatchTowr Labs provided technical details and proof-of-concept (PoC) exploit code, highlighting the flaw's potential for user impersonation and its connection to a separate issue in the IPWorks SSH library. Progress recommended blocking public inbound RDP access and limiting outbound connections to trusted endpoints as immediate mitigations. The urgency is compounded by previous exploitation of MOVEit Transfer vulnerabilities and by recent unauthorized access incidents reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Despite these threats, Progress stated that no direct operational impacts have been reported yet, while emphasizing the need for organizations to promptly apply security updates and mitigations. CTIX analysts recommend that all administrators patch their MOVEit Transfer instances and apply the mitigations where needed.

 

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
