Anubis Android Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Anubis Android banking trojan that lures its victims through malicious applications.

Updated on

February 27, 2023

Published on

January 21, 2021

Read time

Subscribe to the latest industry news, technologies and resources.

Advisory	Malware Intelligence
Name	Anubis
Type	Android Banking Trojan
Target System	Android
Affected Industry	BFSI
Affected Regions	Turkey, Italy, US, India, France, Germany, Australia, and Poland

Executive Summary

CloudSEK Threat Intelligence researchers have picked up a dark web chatter regarding an Android banking trojan known as Anubis. Anubis is a MaaS (Malware as a Service) malware type, that anyone can use and distribute. Anubis, which is primarily a banking trojan, recently spread via a COVID-19 map application that lured victims to download the malicious application. The client and server source code for this malware are publicly available, which is used by threat actors to retool the malware, add features or edit the source code, to create a new functionality for Anubis that will serve their malicious intents. The malware is still actively modified by attackers on dark forums for better efficiency.

Impact

Technical Impact

Encrypt the victim’s data, and delete files
Establish VNC session between the victim and the attacker
Forward Calls and SMS to the attacker’s server

Business Impact

Expose the privacy of the victim
Steal banking credentials

Mitigation

Keep pace with the latest security updates
Use latest version operating systems
Install application only from authorized app stores

Technical Analysis

Execution

This malware spreads in two different ways:

Drive-by download, where the malicious apk is downloaded directly into the victim’s device through malicious websites.
Through Google Play store where it appears as legitimate applications, which after installation, installs the malicious payload at the second stage.

Once the app is installed it asks for accessibility permissions to run in the background and receive calls from the system. It also hides the application’s icon from the launcher, making it difficult for a regular user to remove it.

Capabilities

Exfiltrating data after encryption
Receive C2 commands
Keylogging
Encrypting data with the extension .AnubisCrypt, activating a ransomware
Start a VNC session, in which the attacker can only see the screen of the victim and not control it.
Intercept calls and SMSs and forward them to the attacker’s server.
Establish overlay attack if any banking application exists on the victim’s device, to steal credentials. The overlay attack is carried out by loading Webview above the legitimate application, where the malicious applications are launched instead of the genuine application.
Prevent the victim from uninstalling the malicious applications by listening to accessibility events.

Tactics, Techniques and Procedures

Tactics	Techniques
Initial Access	T1475	Deliver Malicious App via Authorized App Store
	T1456	Drive-by Compromise
	T1444	Masquerade as Legitimate Application
Execution	T1402	Broadcast Receivers
Persistent	T1401	Abuse Device Administrator Access to Prevent Removal
Defense Evasion	T1418	Application Discovery
	T1447	Delete Device Data
	T1407	Download New Code at Runtime
	T1444	Masquerade as Legitimate Application
	T1508	Suppress Application Icon
Credential Access	T1412	Capture SMS Messages
Discovery	T1418	Application Discovery
Discovery	T1420	File and Directory Discovery
Collection	T1412	Capture SMS Messages
Command and Control	T1521	Standard Cryptographic Protocol
Command and Control	T1481	Web Service
Exfiltration	T1532	Data Encrypted
Impact	T1471	Data Encrypted for Impact
	T1447	Delete Device Data
	T1582	SMS Control

List of Commands Received from the C2 Server

opendir	stopsocks5	downloadfile
deletefilefolder	recordsound	startscreenVNC
stopscreenVNC	startapplication	startsound
startforegroundsound	getkeylogger	stopsound
startinj	startforward	Send_GO_SMS
nymBePsG0	openbrowser	GetSWSGO
telbookgotext	cryptokey	getapps
getpermissions	spam	startaccessibility
startpermission	replaceurl	ALERT
PUSH	killBot	startAutoPush
RequestPermissionInj	startrat	RequestPermissionGPS
ussd	stopforward	sockshost
openactivity	getIP	decryptokey

Indicators of Compromise

FileHash	6fdc856afaf7fbbb3428672d4a2a27bc60754125
	6b0527b94110d0455eea962f1e72899c583ca582
	acaabf5c05a3774a552d2eb6a83ec7f547b14397
	ff4b07eb8f81c4c0a2142cdb0ad823be4a8b2d56
	1ca465dd60e52e5cf3460253566507e2283eb391e8f78c0169ec5f61b15c206d
	eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078
	b8441177adf0d2023d1af2f88d76c0c9b10ac7c5c07a4a7111565650428e128e
	7ddda4ee9691dfb9cbe912930047586403e50d7e20ec9e7695fbdd84697d8a3f
	d9f4cedc4ba74d5919fcde62b0990f211e7ea3539aac9c13167b1dab51d1803b
	3e56fd55cef6b86c14b7d1a6aa316464f1e48dedf76913ad048061041b026f11
Domain	e-devlet-mobil-turkiye.tk
	autismlebanon.org
	akbenimle.com
URL	http://www-ecimer-uygulamayukleme-govtr.com
	http://xn--20gb-tanmla-kullan-l0c.com
	http://hediye-internet.site
	http://kazanin20gbturkiye.com
IPv4	160.153.129.239
	160.153.208.233
	50.63.202.56
	104.27.166.237

Table of Contents

This is also a heading
This is a heading

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Advisory

Name

Type

Target System

Affected Industry

Affected Regions

Tactics

Techniques

Initial Access

Execution

Persistent

Defense Evasion

Credential Access

Discovery

Collection

Command and Control

Exfiltration

Impact

FileHash

Domain

URL

IPv4