New Banking Trojan Anubis Combines Ransomware, Keylogger and Remote Access Trojan
According to the security company PhishLabs, on the 5th of this month it discovered a new variant of the banking trojan BankBot, which is being distributed disguised as legitimate applications such as Adobe Flash Player, Avito, and HD Video Player.
PhishLabs indicates that the new variant, named "Anubis", has raised the mobile threat to a new level. It integrates functions that were previously split across different types of malware, including ransomware, keylogger and remote access trojan (RAT) functionality, SMS interception, call forwarding and screen locking.
Before Anubis, LokiBot was the first Android banking trojan to integrate ransomware functionality. The emergence of Anubis shows that the developers behind BankBot are continuing to improve their code.
The configuration of Anubis is stored in a file named "set.xml". Several of its entries relate to the new ransomware function; for example, 'htmllock' holds the HTML code used to lock the screen after the malicious application is successfully installed.
This feature is easy to mistake for other screen-locking ransomware, but those merely block the victim from accessing the phone's interface, whereas Anubis actually implements file encryption. Its encryption module uses a 256-bit symmetric key to encrypt files and appends the extension .AnubisCrypt to each encrypted file.
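The two indicators named above (the 'htmllock' entry in set.xml and the .AnubisCrypt extension) can be checked from a defender's side with a small triage script. This is an added example, not code from the PhishLabs report; the `<entry key="...">` layout of set.xml is an assumption, since the report names the file and the key but does not show its structure, and the sample XML and file paths are constructed.

```python
"""Triage helpers for the Anubis indicators described in the report.

Added example. The set.xml layout is an assumption: the report names the
file and the 'htmllock' entry but does not document the file's structure.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample of a set.xml using an assumed <entry key="..."> layout.
SAMPLE_SET_XML = """<?xml version="1.0"?>
<settings>
  <entry key="htmllock">&lt;html&gt;&lt;body&gt;locked&lt;/body&gt;&lt;/html&gt;</entry>
  <entry key="interval">60</entry>
</settings>
"""

# Config keys the report ties to the ransomware feature.
SUSPICIOUS_KEYS = {"htmllock"}


def find_suspicious_entries(xml_text):
    """Return {key: value} for set.xml entries whose key is a known indicator."""
    root = ET.fromstring(xml_text)
    found = {}
    for entry in root.iter("entry"):
        key = entry.get("key", "")
        if key in SUSPICIOUS_KEYS:
            # ElementTree unescapes the text, so the lock-screen HTML is returned as-is.
            found[key] = entry.text or ""
    return found


def find_encrypted_files(paths):
    """Return the paths carrying the .AnubisCrypt extension the report describes."""
    return [p for p in paths if PurePosixPath(p).suffix == ".AnubisCrypt"]


if __name__ == "__main__":
    print(find_suspicious_entries(SAMPLE_SET_XML))
    # Constructed paths standing in for a directory listing of the device.
    print(find_encrypted_files(["/sdcard/DCIM/a.jpg.AnubisCrypt", "/sdcard/notes.txt"]))
```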
In addition to the ransomware functions above, Anubis also provides remote access trojan (RAT) functionality. Commands supported by the RAT service include opening directories, downloading files, deleting files and folders, starting and stopping VNC, and starting and stopping audio recording. This allows attackers to manipulate the file system directly and monitor the victim's activity.
Anubis also implements a keylogging function, and its configuration includes the name of the log file. The ability to record audio and log keystrokes makes Anubis both powerful and aggressive.
Although Anubis integrates many new features, it is still a banking trojan, since it is built on the BankBot source code. Like most Android banking trojans, Anubis monitors for the launch of a targeted application and then overlays the legitimate app with a matching phishing screen to steal the victim's credentials. Finally, it uses its SMS interception function to capture any subsequent security codes sent by the bank.
PhishLabs said it found 275 different apps around the world carrying Anubis, including 29 related to cryptocurrency. Judging by the sampled command-and-control (C&C) server domain names, most were registered from Japan, Moldova and France, while the infrastructure is hosted on servers located in Ukraine, Germany, and the Netherlands.