Advisory | Malware Intelligence
Name | Anubis
Type | Android Banking Trojan
Target System | Android
Affected Industry | BFSI (Banking, Financial Services and Insurance)
Affected Regions | Turkey, Italy, US, India, France, Germany, Australia, and Poland
CloudSEK Threat Intelligence researchers have picked up dark web chatter regarding an Android banking trojan known as Anubis. Anubis is sold as Malware-as-a-Service (MaaS), so anyone who pays for it can use and distribute it. Although it is primarily a banking trojan, Anubis was recently spread through a COVID-19 map application that lured victims into downloading the malicious app.
The client and server source code of the malware is publicly available. Threat actors reuse it to retool the malware, add features, or edit the existing code so that Anubis serves their own purposes. The malware is still being actively modified and discussed on dark web forums to make it more effective.
This malware spreads in two different ways:
Once installed, the app requests accessibility permissions so that it can run in the background and receive events from the system. It also hides its icon from the launcher, which makes it difficult for a regular user to find and remove it.
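As an added triage helper (not part of the advisory), the following Python script takes the raw output of two adb commands and lists third-party packages that currently hold an enabled accessibility service, which is the permission the app asks for right after install. The command outputs and the package names (`com.covid19.map`, `com.example.messenger`) are constructed for the example.

```python
# Added triage helper, not part of the advisory. It takes the raw output of
# two adb commands and lists third-party packages that currently hold an
# enabled accessibility service, which is the permission the app asks for
# right after install. Sample outputs and package names are constructed.

# adb shell settings get secure enabled_accessibility_services
# (colon-separated package/service components; "null" when none are enabled)
ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.covid19.map/com.covid19.map.AccessService"
)

# adb shell pm list packages -3   (third-party packages only)
THIRD_PARTY = """\
package:com.covid19.map
package:com.example.messenger
"""


def parse_enabled_services(value):
    """Map package name -> list of enabled accessibility service classes."""
    value = value.strip()
    if value in ("", "null"):
        return {}
    out = {}
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        out.setdefault(pkg, []).append(cls)
    return out


def parse_package_list(text):
    """Set of package names from `pm list packages` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in text.splitlines()
        if line.startswith("package:")
    }


def suspicious_a11y_packages(enabled_value, third_party_text):
    """Third-party packages with an enabled accessibility service, for review."""
    enabled = parse_enabled_services(enabled_value)
    third_party = parse_package_list(third_party_text)
    return sorted(pkg for pkg in enabled if pkg in third_party)


if __name__ == "__main__":
    for pkg in suspicious_a11y_packages(ENABLED_A11Y, THIRD_PARTY):
        print("review:", pkg, parse_enabled_services(ENABLED_A11Y)[pkg])
```

Feed the real command outputs in place of the constructed strings. TalkBack is not flagged because it is absent from the third-party list; a flagged package that also has no launcher icon matches the behaviour described above and should be pulled for analysis before any removal attempt, since the malware may resist uninstallation.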
MITRE ATT&CK for Mobile mapping:
Tactic | ID | Technique
Initial Access | T1475 | Deliver Malicious App via Authorized App Store
Initial Access | T1456 | Drive-by Compromise
Initial Access | T1444 | Masquerade as Legitimate Application
Execution | T1402 | Broadcast Receivers
Persistence | T1401 | Abuse Device Administrator Access to Prevent Removal
Defense Evasion | T1418 | Application Discovery
Defense Evasion | T1447 | Delete Device Data
Defense Evasion | T1407 | Download New Code at Runtime
Defense Evasion | T1444 | Masquerade as Legitimate Application
Defense Evasion | T1508 | Suppress Application Icon
Credential Access | T1412 | Capture SMS Messages
Discovery | T1418 | Application Discovery
Discovery | T1420 | File and Directory Discovery
Collection | T1412 | Capture SMS Messages
Command and Control | T1521 | Standard Cryptographic Protocol
Command and Control | T1481 | Web Service
Exfiltration | T1532 | Data Encrypted
Impact | T1471 | Data Encrypted for Impact
Impact | T1447 | Delete Device Data
Impact | T1582 | SMS Control
Bot commands |
opendir
stopsocks5
downloadfile
deletefilefolder
recordsound
startscreenVNC
stopscreenVNC
startapplication
startsound
startforegroundsound
getkeylogger
stopsound
startinj
startforward
Send_GO_SMS
nymBePsG0
openbrowser
GetSWSGO
telbookgotext
cryptokey
getapps
getpermissions
spam
startaccessibility
startpermission
replaceurl
ALERT
PUSH
killBot
startAutoPush
RequestPermissionInj
startrat
RequestPermissionGPS
ussd
stopforward
sockshost
openactivity
getIP
decryptokey
FileHash (SHA1) |
6fdc856afaf7fbbb3428672d4a2a27bc60754125
6b0527b94110d0455eea962f1e72899c583ca582
acaabf5c05a3774a552d2eb6a83ec7f547b14397
ff4b07eb8f81c4c0a2142cdb0ad823be4a8b2d56
FileHash (SHA256) |
1ca465dd60e52e5cf3460253566507e2283eb391e8f78c0169ec5f61b15c206d
eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078
b8441177adf0d2023d1af2f88d76c0c9b10ac7c5c07a4a7111565650428e128e
7ddda4ee9691dfb9cbe912930047586403e50d7e20ec9e7695fbdd84697d8a3f
d9f4cedc4ba74d5919fcde62b0990f211e7ea3539aac9c13167b1dab51d1803b
3e56fd55cef6b86c14b7d1a6aa316464f1e48dedf76913ad048061041b026f11
Domain |
e-devlet-mobil-turkiye.tk
autismlebanon.org
akbenimle.com
URL |
http://www-ecimer-uygulamayukleme-govtr.com
http://xn--20gb-tanmla-kullan-l0c.com
http://hediye-internet.site
http://kazanin20gbturkiye.com
IPv4 |
160.153.129.239
160.153.208.233
50.63.202.56
104.27.166.237
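As an added example (not part of the advisory or of CloudSEK's tooling), the Python script below loads the indicators listed above, types each hash by length so a SHA1 is never compared against a SHA256 set, reduces the URLs to their hosts, decodes the punycode (xn--) host to the Unicode string the victim saw, and then matches constructed proxy-log and file-scan lines against the list. The telemetry lines, client addresses, and file names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC section of this advisory (a representative
# subset; the remaining entries are handled identically).
ADVISORY_IOCS = """
6fdc856afaf7fbbb3428672d4a2a27bc60754125
6b0527b94110d0455eea962f1e72899c583ca582
1ca465dd60e52e5cf3460253566507e2283eb391e8f78c0169ec5f61b15c206d
eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078
e-devlet-mobil-turkiye.tk
autismlebanon.org
akbenimle.com
http://www-ecimer-uygulamayukleme-govtr.com
http://xn--20gb-tanmla-kullan-l0c.com
http://hediye-internet.site
http://kazanin20gbturkiye.com
160.153.129.239
160.153.208.233
50.63.202.56
104.27.166.237
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")
HEX64 = re.compile(r"^[0-9a-f]{64}$")
IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def classify(ioc):
    """Return (kind, normalised value). Hashes are typed by length; URLs are
    reduced to their host because the advisory's URLs carry no path."""
    ioc = ioc.strip().lower()
    if HEX64.match(ioc):
        return "sha256", ioc
    if HEX40.match(ioc):
        return "sha1", ioc
    if IPV4.match(ioc):
        return "ipv4", ioc
    if "://" in ioc:
        return "domain", urlsplit(ioc).hostname
    return "domain", ioc


def load_iocs(text):
    iocs = {"sha1": set(), "sha256": set(), "domain": set(), "ipv4": set()}
    for line in text.splitlines():
        if line.strip():
            kind, value = classify(line)
            iocs[kind].add(value)
    return iocs


def to_unicode_host(host):
    """Render punycode (xn--) labels as the Unicode string the victim saw."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


# Constructed sample telemetry, not from the advisory: a proxy log
# (timestamp, client, destination host) and a file-scan export (name, digest).
PROXY_LOG = """\
2020-06-01T10:15:02Z 10.0.0.23 xn--20gb-tanmla-kullan-l0c.com
2020-06-01T10:15:09Z 10.0.0.23 www.example.com
2020-06-01T10:16:44Z 10.0.0.41 AKBENIMLE.COM
2020-06-01T10:17:01Z 10.0.0.41 160.153.129.239
"""

FILE_SCAN = """\
covid19map.apk 1ca465dd60e52e5cf3460253566507e2283eb391e8f78c0169ec5f61b15c206d
notes.apk 0000000000000000000000000000000000000000000000000000000000000000
"""


def scan_proxy(log, iocs):
    """Match destinations against domain and IPv4 indicators, case-insensitively."""
    hits = []
    for line in log.splitlines():
        _ts, client, dest = line.split()
        dest = dest.lower()
        if dest in iocs["domain"] or dest in iocs["ipv4"]:
            hits.append((client, dest, to_unicode_host(dest)))
    return hits


def scan_files(export, iocs):
    """Match each digest only against the hash set of its own length."""
    hits = []
    for line in export.splitlines():
        name, digest = line.split()
        kind, value = classify(digest)
        if value in iocs.get(kind, ()):
            hits.append((name, kind, value))
    return hits


if __name__ == "__main__":
    iocs = load_iocs(ADVISORY_IOCS)
    for client, dest, shown in scan_proxy(PROXY_LOG, iocs):
        print(f"{client} -> {dest} ({shown})")
    for name, kind, digest in scan_files(FILE_SCAN, iocs):
        print(f"{name}: {kind} match {digest}")
```

Destinations are lower-cased before lookup because proxy logs do not normalise case, and the punycode host decodes to a Turkish string that reads as a mobile-data giveaway, consistent with the `kazanin20gbturkiye.com` lure in the same list; showing the decoded form alongside the raw host helps an analyst recognise the campaign theme.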