
PRESSR: Unmasking Zanubis: banking trojan's sneaky evolution and cryptocurrency threats unveiled

The investigation also sheds light on the recently discovered AsymCrypt cryptor/loader and the evolving Lumma stealer, underscoring the increasing need for enhanced digital security.

Zanubis, an Android banking trojan, surfaced in August 2022, targeting financial and crypto users in Peru. Impersonating legitimate Peruvian Android apps, it tricks users into granting Accessibility permissions, surrendering control. In April 2023, Zanubis evolved, posing as the official app for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria), showcasing increased sophistication. Zanubis is obfuscated with the help of Obfuscapk, a popular obfuscator for Android APK files. Once it gets permission to access the device, it tricks a victim by loading a real SUNAT website using WebView, making it seem legitimate.

To communicate with its controlling server, it uses WebSockets and a library called Socket.IO. This allows it to adapt and stay connected even if there are issues. Unlike other malware, Zanubis doesn't have a fixed list of target apps. Instead, it can be programmed remotely to steal data when specific apps are running. This malware even creates a second connection, which could give the bad actors full control over your device. And the worst part is, it can disable your device by pretending to be an Android update.

Another recent discovery made by Kaspersky is AsymCrypt cryptor/loader, which targets crypto wallets and is being sold on underground forums. As the investigation showed, it is an evolved DoubleFinger loader version, acting as a "front" to a TOR network service. Buyers customize injection methods, target processes, startup persistence, and stub types for malicious DLLs, concealing the payload in an encrypted blob within a .png image uploaded to an image hosting site. Execution decrypts the image, activating the payload in memory.
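An added defender-side triage check for the AsymCrypt-style carrier image described above (example code, not Kaspersky's or the report's): it parses a PNG's chunk list and flags the two ways a blob is commonly hidden inside an otherwise valid image, bytes appended after the IEND chunk and a large high-entropy non-critical chunk. The page does not say which embedding AsymCrypt uses, so both placements are assumptions, and the sample images and the "encrypted" blob are constructed inline.

```python
import hashlib, math, struct, zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {"IHDR", "PLTE", "IDAT", "IEND"}

def entropy(data: bytes) -> float:  # Shannon entropy in bits/byte: ~8.0 for encrypted or random data
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_png(blob: bytes):  # walk the chunks; return ([(type, data, crc_ok)], bytes found after IEND)
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end, name = pos + 12 + length, ctype.decode("ascii", "replace")
        if end > len(blob):  # truncated chunk: flag it and stop
            return chunks + [(name, b"", False)], b""
        data, (crc,) = blob[pos + 8:end - 4], struct.unpack(">I", blob[end - 4:end])
        chunks.append((name, data, crc == zlib.crc32(ctype + data)))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]

def triage_png(blob: bytes, min_size: int = 1024, min_entropy: float = 7.5) -> list:
    """Flag the two places a loader can stash a blob: after IEND or in a non-critical chunk (assumed)."""
    chunks, trailing = parse_png(blob)
    findings = [f"{len(trailing)} bytes after IEND (entropy {entropy(trailing):.2f})"] if trailing else []
    for name, data, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch or truncation in {name} chunk")
        if name not in CRITICAL and len(data) >= min_size and entropy(data) >= min_entropy:
            findings.append(f"high-entropy {name} chunk of {len(data)} bytes")
    return findings

# Constructed samples (not real malware) so the triage can run offline.
def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
def clean_png() -> bytes:  # minimal 1x1 RGB image: IHDR, one IDAT (filter byte + red pixel), IEND
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b"")
def fake_blob(n: int = 4096) -> bytes:  # deterministic high-entropy stand-in for an encrypted payload
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def carrier_png() -> bytes:  # clean image + blob in a private "blOb" chunk + 512 bytes after IEND
    base = clean_png()
    return base[:-12] + _chunk(b"blOb", fake_blob()) + base[-12:] + fake_blob(512)
```

Run `triage_png(carrier_png())` against `triage_png(clean_png())` to see the difference; real files are read with `open(path, "rb").read()`.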

Kaspersky's tracking of cyber threats has also led to the Lumma stealer, an evolving malware lineage. Originally known as Arkei, the rebranded Lumma retains 46% of its former attributes. It is distributed under the guise of a .docx to .pdf converter: the "converted" file returned to the user carries the double extension .pdf.exe, and opening it triggers the malicious payload. Over time, the main functionality of all the variants has remained the same: stealing cached files, configuration files and logs from crypto wallets. It can do this by acting as a browser plugin, but it also supports the standalone Binance application. Lumma's evolution includes acquiring system process lists, changing communication URLs, and advancing encryption techniques.

“Cybercriminals are relentless in their pursuit of monetary gain, venturing into the world of cryptocurrencies and even impersonating government institutions to achieve their objectives. The ever-evolving landscape of malware, exemplified by the multifaceted Lumma stealer and the ambitions of Zanubis as a full-fledged banking Trojan, underscores the dynamic nature of these threats. Adapting to this constant transformation in malicious code and cybercriminal tactics poses an ongoing challenge for defense teams. To safeguard against these evolving dangers, organizations must remain vigilant and well-informed. Intelligence reports play a pivotal role in keeping abreast of the latest malicious tools and attacker techniques, empowering us to stay one step ahead in the ongoing battle for digital security,” comments Tatyana Shishkova, a lead security researcher at GReAT.

To read the full report, please visit Securelist.com

In order to prevent financially motivated threats, Kaspersky recommends:

  • Set up offline backups that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.
  • Install ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits, and is compatible with pre-installed security solutions.
  • To minimize the likelihood that crypto-miners will be launched, use a dedicated security solution such as Kaspersky Endpoint Security for Business with application and web control; behavior analysis helps quickly detect malicious activity, while vulnerability and patch manager protects from crypto-miners that exploit vulnerabilities.

Kaspersky will delve deeper into the future of cybersecurity at their Security Analyst Summit (SAS) 2023, set for October 25th-28th in Phuket, Thailand.

The summit will gather elite anti-malware researchers, global law enforcement, Computer Emergency Response Teams, and senior leaders from sectors including finance, tech, healthcare, academia, and government from around the world.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.


© Press Release 2023
