Advisory |
Malware Intelligence |
Name |
Anubis |
Type |
Android Banking Trojan |
Target System |
Android |
Affected Industry |
BFSI |
Affected Regions |
Turkey, Italy, US, India, France, Germany, Australia, and Poland |
Executive Summary
CloudSEK Threat Intelligence researchers have picked up a dark web chatter regarding an Android banking trojan known as Anubis. Anubis is a MaaS (Malware as a Service) malware type, that anyone can use and distribute. Anubis, which is primarily a banking trojan, recently spread via a COVID-19 map application that lured victims to download the malicious application. The client and server source code for this malware are publicly available, which is used by threat actors to retool the malware, add features or edit the source code, to create a new functionality for Anubis that will serve their malicious intents. The malware is still actively modified by attackers on dark forums for better efficiency.
Impact
Technical Impact
- Encrypt the victim’s data, and delete files
- Establish VNC session between the victim and the attacker
- Forward Calls and SMS to the attacker’s server
Business Impact
- Expose the privacy of the victim
- Steal banking credentials
Mitigation
- Keep pace with the latest security updates
- Use latest version operating systems
- Install application only from authorized app stores
Technical Analysis
Execution
This malware spreads in two different ways:- Drive-by download, where the malicious apk is downloaded directly into the victim’s device through malicious websites.
- Through Google Play store where it appears as legitimate applications, which after installation, installs the malicious payload at the second stage.
Capabilities
- Exfiltrating data after encryption
- Receive C2 commands
- Keylogging
- Encrypting data with the extension .AnubisCrypt, activating a ransomware
- Start a VNC session, in which the attacker can only see the screen of the victim and not control it.
- Intercept calls and SMSs and forward them to the attacker’s server.
- Establish overlay attack if any banking application exists on the victim’s device, to steal credentials. The overlay attack is carried out by loading Webview above the legitimate application, where the malicious applications are launched instead of the genuine application.
- Prevent the victim from uninstalling the malicious applications by listening to accessibility events.
Tactics, Techniques and Procedures
Tactics |
Techniques |
|
Initial Access |
T1475 | Deliver Malicious App via Authorized App Store |
| T1456 | Drive-by Compromise | |
| T1444 | Masquerade as Legitimate Application | |
Execution |
T1402 | Broadcast Receivers |
Persistent |
T1401 | Abuse Device Administrator Access to Prevent Removal |
Defense Evasion |
T1418 | Application Discovery |
| T1447 | Delete Device Data | |
| T1407 | Download New Code at Runtime | |
| T1444 | Masquerade as Legitimate Application | |
| T1508 | Suppress Application Icon | |
Credential Access |
T1412 | Capture SMS Messages |
Discovery |
T1418 | Application Discovery |
| T1420 | File and Directory Discovery | |
Collection |
T1412 | Capture SMS Messages |
Command and Control |
T1521 | Standard Cryptographic Protocol |
| T1481 | Web Service | |
Exfiltration |
T1532 | Data Encrypted |
Impact |
T1471 | Data Encrypted for Impact |
| T1447 | Delete Device Data | |
| T1582 | SMS Control | |
List of Commands Received from the C2 Server
| opendir | stopsocks5 | downloadfile |
| deletefilefolder | recordsound | startscreenVNC |
| stopscreenVNC | startapplication | startsound |
| startforegroundsound | getkeylogger | stopsound |
| startinj | startforward | Send_GO_SMS |
| nymBePsG0 | openbrowser | GetSWSGO |
| telbookgotext | cryptokey | getapps |
| getpermissions | spam | startaccessibility |
| startpermission | replaceurl | ALERT |
| PUSH | killBot | startAutoPush |
| RequestPermissionInj | startrat | RequestPermissionGPS |
| ussd | stopforward | sockshost |
| openactivity | getIP | decryptokey |
Indicators of Compromise
FileHash |
6fdc856afaf7fbbb3428672d4a2a27bc60754125 |
| 6b0527b94110d0455eea962f1e72899c583ca582 | |
| acaabf5c05a3774a552d2eb6a83ec7f547b14397 | |
| ff4b07eb8f81c4c0a2142cdb0ad823be4a8b2d56 | |
| 1ca465dd60e52e5cf3460253566507e2283eb391e8f78c0169ec5f61b15c206d | |
| eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078 | |
| b8441177adf0d2023d1af2f88d76c0c9b10ac7c5c07a4a7111565650428e128e | |
| 7ddda4ee9691dfb9cbe912930047586403e50d7e20ec9e7695fbdd84697d8a3f | |
| d9f4cedc4ba74d5919fcde62b0990f211e7ea3539aac9c13167b1dab51d1803b | |
| 3e56fd55cef6b86c14b7d1a6aa316464f1e48dedf76913ad048061041b026f11 | |
Domain |
e-devlet-mobil-turkiye.tk |
| autismlebanon.org | |
| akbenimle.com | |
URL |
http://www-ecimer-uygulamayukleme-govtr.com |
| http://xn--20gb-tanmla-kullan-l0c.com | |
| http://hediye-internet.site | |
| http://kazanin20gbturkiye.com | |
IPv4 |
160.153.129.239 |
| 160.153.208.233 | |
| 50.63.202.56 | |
| 104.27.166.237 |
