memberbta.blogg.se

Paintbrush app any reported malware
  • Scanning the device for files of interest to exfiltrate.
  • Sending, reading, deleting and blocking notifications for SMS messages received by the device.
  • Retrieving contacts stored on the device.
  • Sending mass SMS messages from the device to specified recipients.
  • Implementing a SOCKS5 proxy for covert communication and package delivery.
  • Recording screen activity and sound from the microphone.

It also has the ability to terminate malicious functionalities and remove the malware from the device when needed.


Who are the threat actors and how is Anubis used?

Anubis is primarily a banking trojan. Thus, its default functionality is to monitor a set number of “target apps” that are of high value for the purposes of acquiring personal data or login credentials for financial gain. Targeted apps are hardcoded by package name into the client source.

The malware sample and its associated infrastructure revealed very little about the actor behind this Anubis distribution. Neither the signing information associated with the APK nor the certificate data is associated with any other app. Any WHOIS records associated with the domain have redacted registrant details. The domain name itself, purchased through NameCheap, resolves to two servers, both of which are shared by over two thousand other domains that appear to have no connection to this actor.

The evolution of Anubis

Anubis has gone through significant evolution since its inception. In 2016, a user named “maza-in” on the Russian-language hacking forum Exploit.in shared open-source code for a novel Android banking trojan with instructions on how to implement its client and server-side components.

[Figure: A subset of hundreds of Anubis-related forum posts on the hacking forum ‘HackForums.net’]

A breakdown of this Anubis campaign

This latest distribution of Anubis boasts an extensive set of capabilities that includes exfiltrating sensitive data from the victim’s Android device back to the C2 and performing overlay attacks.

[Figure: The icon for the malicious ‘Orange Service’ app appears identical to the legitimate ‘Orange et Moi France’ icon, with the exception of its resolution.]

This latest Anubis distribution, which had a package name of "fr.rviceapp," was submitted to the Google Play store in late July 2021 and subsequently unapproved. Lookout researchers were able to take a glimpse into this campaign as some of its infrastructure was still a work-in-progress: we believe with high certainty that this was an attempt to test Google’s antivirus capabilities. We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.