The Android banking Trojan Zanubis has recently been discovered masquerading as the official app for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria). This sophisticated malware, first identified in August 2022, targets financial and cryptocurrency users in Peru by posing as legitimate Android applications. Zanubis tricks users into granting Accessibility permissions, allowing the attackers to take control of their devices.
A new advisory from Kaspersky highlights the increasing sophistication of Zanubis, which now utilizes the Obfuscapk obfuscator for Android APK files, making it challenging to detect. Once installed on a victim’s device, Zanubis deceives users by loading a genuine SUNAT website using WebView, creating a false sense of legitimacy. The Trojan maintains communication with its controlling server through WebSockets and a library called Socket.IO, ensuring connectivity even in adverse conditions.
What sets Zanubis apart from typical malware is its adaptability. Unlike malware hard-coded to watch a fixed list of target apps, Zanubis can be remotely programmed to steal data whenever specific apps are in use. It also establishes a second connection, potentially granting malicious actors complete control over the compromised device. Additionally, Zanubis can render a device unusable by posing as an Android update, further increasing the threat it poses.
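A defender-side triage check for the Accessibility-abuse pattern described above, as an added example that is not part of the original article and not derived from any Zanubis sample. It parses an AndroidManifest.xml (the sample manifest, package name and service name below are constructed for illustration) and flags apps that declare an accessibility service, which is the capability a banking Trojan needs once the user grants the permission. Real sideloaded apps with a legitimate accessibility purpose will also be flagged; the output is a review queue, not a verdict.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace inside AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that, combined with an accessibility service, warrant manual review.
RISKY_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed sample manifest (hypothetical package and service names, not a
# real sample): an app posing as a tax utility that declares an accessibility
# service and network access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.taxlookup">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Tax Lookup">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def accessibility_services(manifest_xml):
    """Return the names of services that are bound as accessibility services."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        binds = svc.get(A + "permission") == BIND_ACCESSIBILITY
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(A + "name"))
    return found


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared by the app."""
    root = ET.fromstring(manifest_xml)
    return {p.get(A + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml):
    """Summarise why (or whether) an APK's manifest deserves a closer look."""
    root = ET.fromstring(manifest_xml)
    services = accessibility_services(manifest_xml)
    risky = sorted(declared_permissions(manifest_xml) & RISKY_PERMISSIONS)
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "risky_permissions": risky,
        # Accessibility service plus network/overlay access is the combination
        # worth reviewing before the app is allowed onto a managed device.
        "review": bool(services) and bool(risky),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

In practice the manifest would be extracted from the APK with a tool such as apktool or aapt first; this script only covers the decision logic.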
In addition to Zanubis, Kaspersky researchers have also discovered a cryptor/loader named AsymCrypt, designed to target crypto wallets and distributed through underground forums. This evolved DoubleFinger loader variant acts as a gateway to the TOR network. Buyers can customize its functionality, injecting malicious DLLs hidden within encrypted image blobs.
Another evolving malware lineage identified by the security researchers is the Lumma stealer, previously known as Arkei. Lumma, retaining 46% of its original attributes, disguises itself as a file converter from .docx to .pdf: the "converted" file comes back with the double extension .pdf.exe, and opening it triggers the payload. Lumma primarily targets crypto wallets, stealing cached files, configuration files, and logs. Its evolution includes acquiring system process lists, altered communication URLs, and advanced encryption techniques.
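A small filename check for the double-extension lure used by Lumma, as an added example that is not part of the original article. It generalises slightly beyond the .pdf.exe case in the text to other document-looking prefixes and Windows executable suffixes, normalises case, and tolerates the padding spaces sometimes used to push the real extension out of view; the sample filenames are constructed for illustration.

```python
import os

# Suffixes Windows will execute regardless of what precedes them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".pif", ".js", ".vbs"}
# Suffixes a victim expects to be harmless documents or media.
DOCUMENT_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".xls", ".txt", ".jpg", ".png"}


def split_extensions(filename):
    """Return the lowercased extension chain, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = os.path.basename(filename)
    parts = base.split(".")
    # Strip padding spaces so 'report.pdf          .exe' is still seen as .pdf.exe.
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def is_disguised_executable(filename):
    """True when an executable suffix hides behind a document-looking one."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def scan(filenames):
    """Return the subset of filenames that match the double-extension pattern."""
    return [name for name in filenames if is_disguised_executable(name)]


# Constructed sample download listing (not real telemetry).
SAMPLE_DOWNLOADS = [
    "quarterly-report.pdf",
    "quarterly-report.pdf.exe",
    "Invoice_2023.PDF.EXE",
    "archive.tar.gz",
    "notes.txt",
    "statement.docx .scr",
]

if __name__ == "__main__":
    for name in scan(SAMPLE_DOWNLOADS):
        print("suspicious:", name)
```

The check is deliberately conservative: a file such as archive.tar.gz has two extensions but no executable suffix, so it is not flagged.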
Tatyana Shishkova, a lead security researcher at Kaspersky’s GReAT, emphasizes the dynamic nature of these threats and the importance of staying informed. She highlights the role of intelligence reports in keeping abreast of the latest malicious tools and attacker techniques, enabling proactive measures to enhance digital security.
To mitigate financially motivated threats like Zanubis, Kaspersky recommends implementing preventive measures such as offline backups, anti-ransomware tools, and dedicated security solutions. By staying informed and proactive, individuals and organizations can better protect themselves against evolving malware threats.