Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Anubis. Show all posts

Anubis Trojan Targeted 400 Banks’ Customers

 

A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware - a version of banking trojan Anubis – collects the user's personal data and uses it to mislead them. And it's not just huge bank customers that are at risk, according to the researchers: Crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk,'” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by fr.orange.serviceapp, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

Anubis Malware that Attacks Windows Users


In a recent cybersecurity incident, Microsoft reports of a new malware called 'Anubis.' Anubis is not related to any banking malware and is famous for attacking windows systems and devices. Recently, the MSI Microsoft Security Intelligence discovered a new window malware. Anubis is capable of stealing windows users' data and has a high threat level. Detailed analysis revealed that the malware triggers the coding of 'Loki' malware responsible for stealing data. The Loki malware came out a few years ago and wreaked hell as infamous ransomware.


According to Microsoft, "the new malware shares a name with an unrelated family of Android banking malware. Anubis is deployed in what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers." On its Twitter account, according to Microsoft's tweet, it found a new malware named Anubis, that was roaming in the wild until now. Currently, Anubi has only a limited target, and its range of attacks is also little. "Anubis is deployed in what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers," says MSI. Besides, the malware only targets windows systems. Hence, non-windows users are safe. Also, Microsoft defender can identify this malware. Therefore users are safe from Anubis. Another good news.

About Anubis 
Microsoft team first identified the malware in June, as of now, Anubis has become highly active. Having the same name Anubis, users shouldn't confuse it with another android trojan that bears the same name. The windows malware steals user information, including financial data, system data, cryptocurrency wallets, login credentials, and personal information, whereas the android trojan is only a banking malware.

The MSI team is yet to confirm how Anubis is attacking its targets. Therefore, every windows user, for now, should be alert while downloading any 3rd party application/softwares, suspicious emails, etc. The users should also use premium software that guarantees safety against malware. If you're not a Windows user, you needn't worry. The company will update its users if it finds more details about the malware.