Anubis Android Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Anubis Android banking trojan that lures its victims through malicious applications.
Updated on: April 19, 2023
Published on: January 21, 2021
Advisory
Malware Intelligence
Name: Anubis
Type: Android Banking Trojan
Target System: Android
Affected Industry: BFSI
Affected Regions: Turkey, Italy, US, India, France, Germany, Australia, and Poland

Executive Summary

CloudSEK Threat Intelligence researchers have picked up dark web chatter regarding an Android banking trojan known as Anubis. Anubis is offered as Malware-as-a-Service (MaaS), so anyone can use and distribute it. Although primarily a banking trojan, it recently spread via a COVID-19 map application that lured victims into downloading the malicious app. The client and server source code for the malware is publicly available, and threat actors use it to retool the malware, add features, or edit the code to build new functionality that serves their own ends. The malware is still being actively modified by attackers on dark web forums to improve its efficiency.

Impact

Technical Impact
  • Encrypt the victim’s data and delete files
  • Establish a VNC session between the victim and the attacker
  • Forward calls and SMS to the attacker’s server
Business Impact
  • Expose the victim’s private data
  • Steal banking credentials

Mitigation

  • Keep pace with the latest security updates
  • Use the latest version of the operating system
  • Install applications only from authorized app stores

Technical Analysis

Execution

This malware spreads in two different ways:
  • Drive-by download, where the malicious APK is downloaded directly onto the victim’s device from malicious websites.
  • Through the Google Play store, where it appears as a legitimate application which, after installation, installs the malicious payload as a second stage.
Once the app is installed, it asks for accessibility permissions so that it can run in the background and receive events from the system. It also hides the application’s icon from the launcher, making it difficult for a regular user to remove it.

Capabilities

  • Exfiltrating data after encrypting it
  • Receiving C2 commands
  • Keylogging
  • Encrypting data with the .AnubisCrypt extension, acting as ransomware
  • Starting a VNC session in which the attacker can only view the victim’s screen, not control it
  • Intercepting calls and SMS and forwarding them to the attacker’s server
  • Carrying out an overlay attack to steal credentials if any banking application exists on the victim’s device. The overlay is created by loading a WebView on top of the legitimate application, so the malicious screen is shown instead of the genuine one.
  • Preventing the victim from uninstalling the malicious application by listening to accessibility events

Tactics, Techniques and Procedures

Tactic / Techniques

Initial Access
  • T1475 Deliver Malicious App via Authorized App Store
  • T1456 Drive-by Compromise
  • T1444 Masquerade as Legitimate Application
Execution
  • T1402 Broadcast Receivers
Persistence
  • T1401 Abuse Device Administrator Access to Prevent Removal
Defense Evasion
  • T1418 Application Discovery
  • T1447 Delete Device Data
  • T1407 Download New Code at Runtime
  • T1444 Masquerade as Legitimate Application
  • T1508 Suppress Application Icon
Credential Access
  • T1412 Capture SMS Messages
Discovery
  • T1418 Application Discovery
  • T1420 File and Directory Discovery
Collection
  • T1412 Capture SMS Messages
Command and Control
  • T1521 Standard Cryptographic Protocol
  • T1481 Web Service
Exfiltration
  • T1532 Data Encrypted
Impact
  • T1471 Data Encrypted for Impact
  • T1447 Delete Device Data
  • T1582 SMS Control
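As an added example (not code from the advisory or from CloudSEK), the following Python helper triages a decoded AndroidManifest.xml for the manifest-level traits described under Capabilities (SMS interception, overlay, accessibility abuse, device-admin and boot receivers) and maps each to the technique IDs in the table above; the sample manifest, the label names and the verdict thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Manifest traits the advisory describes, keyed by (element tag, android:name).
# Labels are technique IDs from the TTP table, or a capability name (overlay,
# accessibility) where the advisory lists no ID. Assumed mapping, not MITRE's.
CHECKS = {
    ("uses-permission", "android.permission.RECEIVE_SMS"): "T1412",
    ("uses-permission", "android.permission.READ_SMS"): "T1412",
    ("uses-permission", "android.permission.SYSTEM_ALERT_WINDOW"): "overlay",
    ("action", "android.provider.Telephony.SMS_RECEIVED"): "T1412",
    ("action", "android.intent.action.BOOT_COMPLETED"): "T1402",
    ("action", "android.app.action.DEVICE_ADMIN_ENABLED"): "T1401",
    ("action", "android.accessibilityservice.AccessibilityService"): "accessibility",
}

def triage_manifest(xml_text):
    """Map each trait label to the manifest names that triggered it."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        key = (elem.tag, elem.get(A + "name"))
        if key in CHECKS:
            findings.setdefault(CHECKS[key], []).append(key[1])
    return findings

def verdict(findings):
    """The Anubis pattern: overlay + SMS capture + accessibility abuse together."""
    core = {"overlay", "T1412", "accessibility"}
    if core.issubset(findings):
        return "high"  # full banking-trojan toolkit declared in one manifest
    return "medium" if findings else "low"

# Constructed sample manifest (not a real Anubis artifact).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `verdict(triage_manifest(SAMPLE))` to get the rating for the constructed sample; a manifest declaring only ordinary permissions rates "low".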
 

List of Commands Received from the C2 Server

opendir, stopsocks5, downloadfile,
deletefilefolder, recordsound, startscreenVNC,
stopscreenVNC, startapplication, startsound,
startforegroundsound, getkeylogger, stopsound,
startinj, startforward, Send_GO_SMS,
nymBePsG0, openbrowser, GetSWSGO,
telbookgotext, cryptokey, getapps,
getpermissions, spam, startaccessibility,
startpermission, replaceurl, ALERT,
PUSH, killBot, startAutoPush,
RequestPermissionInj, startrat, RequestPermissionGPS,
ussd, stopforward, sockshost,
openactivity, getIP, decryptokey

Indicators of Compromise

