New versions of financial malware attack Russian users

CarderPlanet

Kaspersky Lab experts analyzed new malicious tools.

Kaspersky Lab has warned about the emergence of new versions of financial malware, one of which, the Lumma stealer, also attacks Russian users.
  • Lumma Stealer: This is an updated version of the Arkei stealer, which was first discovered in May 2018. Lumma is distributed through a fake website for converting .docx files to .pdf. Uploaded files are returned with a double extension, .pdf.exe, and when you try to open them, the malware is installed on your computer. The stealer can steal cached files, configuration files, and logs from cryptocurrency wallets. It can work as a browser plugin and is also compatible with the Binance app. Lumma also has features that were not available in previous versions of the stealer: the ability to get lists of system processes, advanced encryption techniques, and the use of dynamic configuration files sent by the command server.
  • Zanubis Trojan: A banking Trojan that attacks users from Peru disguised as official apps. It has been known since 2022. Zanubis coaxes the user into granting it permission to access Accessibility Services. At first, it was disguised as financial and cryptocurrency services on Android, and in April 2023 an imitation appeared of the official application of the Peruvian National Administration of Customs and Tax Administration (SUNAT). For code obfuscation, Zanubis uses Obfuscapk, a popular obfuscator for Android app files. The Trojan loads the real SUNAT site using the WebView system component, which is responsible for opening web pages in applications. The WebSocket protocol and the Socket.IO library are used to communicate with the command server, which makes the malware highly adaptable. The threat of Zanubis is the possibility of full control over the device, including blocking it under the guise of an Android update.
  • ASMCrypt Cryptor: Recently discovered on underground forums, this is an advanced version of the DoubleFinger downloader. These types of tools are used to hide the download process of the tool itself or of other malware. ASMCrypt is a more advanced version of the DoubleFinger downloader, used as a "facade" for a service that runs on the TOR network. Customers can customize infection methods, attack targets, autoload parameters, and various HPE features. Malicious functionality is hidden inside a .png image uploaded to the hosting site.
 
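The Lumma delivery trick described above relies on a file named like a document (`.pdf`) that is actually an executable (`.pdf.exe`). The following script is an added defensive example, not code from the post or from Kaspersky Lab: it scans a list of downloaded file names and flags the document-extension-followed-by-executable-extension pattern. The extension sets and the sample file names are constructed assumptions for illustration and should be adjusted to your environment.

```python
import os
from typing import List, Tuple

# Extensions a user would expect back from a document converter (assumed list for this example).
DOCUMENT_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".txt", ".jpg", ".png"}

# Extensions Windows will execute directly (assumed list; extend it for your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".ps1"}


def split_extensions(filename: str) -> List[str]:
    """Return every dotted suffix of a basename, lowercased and trimmed.

    'invoice.pdf.exe' -> ['.pdf', '.exe']; a stray space such as 'scan.pdf .scr'
    is tolerated so that padding cannot hide the executable suffix.
    """
    base = os.path.basename(filename).strip()
    parts = base.split(".")
    # parts[0] is the stem; everything after it is a suffix.
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def is_deceptive_double_extension(filename: str) -> bool:
    """True when a document-looking extension is immediately followed by an executable one.

    This is the .pdf.exe pattern: the visible part looks like a document, but the
    final (real) extension decides what Windows does on double-click.
    """
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def flag_downloads(filenames: List[str]) -> List[Tuple[str, str]]:
    """Return (filename, reason) for each entry that matches the deceptive pattern."""
    flagged = []
    for name in filenames:
        if is_deceptive_double_extension(name):
            flagged.append((name, "document extension masking an executable"))
    return flagged


# Constructed sample of a downloads folder listing (not real data).
SAMPLE_DOWNLOADS = [
    "invoice.pdf.exe",    # the pattern described in the report
    "contract.docx",      # ordinary document
    "Report.PDF.EXE",     # same pattern, different casing
    "notes.txt",
    "archive.tar.gz",     # two extensions, but neither is executable
    "setup.exe",          # executable, but not disguised as a document
    "scan.pdf .scr",      # padding before the real extension
]

if __name__ == "__main__":
    for name, reason in flag_downloads(SAMPLE_DOWNLOADS):
        print(f"FLAGGED {name!r}: {reason}")
```

Run over a real downloads directory by passing `os.listdir(path)` to `flag_downloads`; the check is deliberately restricted to the document-then-executable pairing so that legitimate multi-suffix names such as `archive.tar.gz` are not reported.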