CarderPlanet
Professional
As long as cybercriminals strive to make money, they will create more and more malware, and as long as they continue to create malware, Kaspersky Lab researchers, as they assured in their blog, will continue to analyze it, publish reports and provide protection.
That is why we decided to present the most important excerpts from our recent private reports on new versions of the Lumma hijacker and the Zanubis banking Trojan for Android, as well as the ASMCrypt malware discovered on the darknet and linked to the DoubleFinger downloader.
As mentioned earlier in the LC blog, on one of the dark sites, resercers noticed an advertisement for a new version of the cryptor / loader called ASMCrypt.
In fact, after careful analysis with a high degree of confidence, they believe that ASMCrypt is a more advanced version of DoubleFinger. However, it works differently and is a kind of "cover" for a real service running on the TOR network.
After the purchase, the client receives an ASMCrypt binary file, which connects to the malware server service via the TOR network, using hard-coded credentials. If everything is in order, a menu opens with various options (the injection method, the process in which the payload should be embedded, the name of the folder to save at startup, the type of stub).
After selecting all the necessary parameters and clicking the build button, the application creates an encrypted large object hidden inside a png file. When a malicious DLL is run on the victim system, it downloads a png file, decrypts it, loads it into memory, and then runs it.
Lumma is 46% the same as the Arkei stiletto, which is written in C++, first appeared in May 2018 and has been rebranded several times over the past couple of years (Vidar, Oski, Mars).
At the same time, the main functionality remained the same: theft of cached files, configuration files, and logs from crypto wallets.
Lumma is distributed through a fake website that mimics the real site with the extension .docx to .pdf. When uploading a file, it is returned with a double extension pdf.exe. It came to the attention of researchers in August 2022, since then Lumma has undergone a number of changes, described in detail in the report.
Zanubis, a banking Trojan for Android, first appeared around August 2022 and targeted users of financial institutions and cryptocurrency exchanges in Peru.
The main way to infect Zanubis is to position it as a real Android application to gain access permission and full control over the device.
More recent Zanubis specimens were discovered in the wild around April 2023. The malware was disguised as the official Android app of the Peruvian government organization SUNAT.
Zanubis obfuscates itself with Obfuscapk, a popular obfuscator for APK files.
Communication with C2 is done using WebSockets and the library Socket.IO. The latter allows the malware to establish a permanent connection to C2, which provides the possibility of failover.
At the same time, it establishes two connections to the same C2 server, but they perform different types of actions, and the second connection is established only at the request of C2 and provides additional capabilities for C2.
According to the analysis, the target applications are banks and financial institutions in Peru. The list of target applications includes more than 40 package names.
For more detailed technical details and indicators of compromise, see the LC researchers report.
That is why we decided to present the most important excerpts from our recent private reports on new versions of the Lumma hijacker and the Zanubis banking Trojan for Android, as well as the ASMCrypt malware discovered on the darknet and linked to the DoubleFinger downloader.
As mentioned earlier in the LC blog, on one of the dark sites, resercers noticed an advertisement for a new version of the cryptor / loader called ASMCrypt.
In fact, after careful analysis with a high degree of confidence, they believe that ASMCrypt is a more advanced version of DoubleFinger. However, it works differently and is a kind of "cover" for a real service running on the TOR network.
After the purchase, the client receives an ASMCrypt binary file, which connects to the malware server service via the TOR network, using hard-coded credentials. If everything is in order, a menu opens with various options (the injection method, the process in which the payload should be embedded, the name of the folder to save at startup, the type of stub).
After selecting all the necessary parameters and clicking the build button, the application creates an encrypted large object hidden inside a png file. When a malicious DLL is run on the victim system, it downloads a png file, decrypts it, loads it into memory, and then runs it.
Lumma is 46% the same as the Arkei stiletto, which is written in C++, first appeared in May 2018 and has been rebranded several times over the past couple of years (Vidar, Oski, Mars).
At the same time, the main functionality remained the same: theft of cached files, configuration files, and logs from crypto wallets.
Lumma is distributed through a fake website that mimics the real site with the extension .docx to .pdf. When uploading a file, it is returned with a double extension pdf.exe. It came to the attention of researchers in August 2022, since then Lumma has undergone a number of changes, described in detail in the report.
Zanubis, a banking Trojan for Android, first appeared around August 2022 and targeted users of financial institutions and cryptocurrency exchanges in Peru.
The main way to infect Zanubis is to position it as a real Android application to gain access permission and full control over the device.
More recent Zanubis specimens were discovered in the wild around April 2023. The malware was disguised as the official Android app of the Peruvian government organization SUNAT.
Zanubis obfuscates itself with Obfuscapk, a popular obfuscator for APK files.
Communication with C2 is done using WebSockets and the library Socket.IO. The latter allows the malware to establish a permanent connection to C2, which provides the possibility of failover.
At the same time, it establishes two connections to the same C2 server, but they perform different types of actions, and the second connection is established only at the request of C2 and provides additional capabilities for C2.
According to the analysis, the target applications are banks and financial institutions in Peru. The list of target applications includes more than 40 package names.
For more detailed technical details and indicators of compromise, see the LC researchers report.
