The Android banking Trojan Zanubis has recently been identified masquerading as the official app for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria). This malware, first detected in August 2022, targets financial and cryptocurrency users in Peru by posing as legitimate Android apps and tricking users into granting Accessibility permissions; once those permissions are granted, the user has effectively handed over control of the device.
What makes Zanubis particularly dangerous is its advanced level of sophistication, as highlighted in a recent advisory from Kaspersky. The Trojan utilizes the Obfuscapk obfuscator for Android APK files, making it difficult to detect. Once it infiltrates a victim’s device, it cleverly loads a genuine SUNAT website using WebView, creating a false sense of legitimacy. The Trojan stays in touch with its controlling server through WebSockets and Socket.IO, ensuring connectivity even in challenging conditions.
One of the most concerning aspects of Zanubis is its adaptability. Unlike traditional malware that targets specific apps, Zanubis can be remotely programmed to steal data when certain apps are being used. It also establishes a secondary connection, potentially giving cybercriminals complete control over a compromised device. Furthermore, it can disable a device by posing as an Android update.
In addition to Zanubis, Kaspersky researchers also uncovered a cryptor/loader known as AsymCrypt, designed to target crypto wallets and distributed through underground forums. This evolved variant of the DoubleFinger loader serves as an entry point to the TOR network, with buyers able to customize its functionality by injecting malicious DLLs hidden within encrypted image blobs.
Another evolving malware strain identified by the researchers is the Lumma stealer, previously known as Arkei. This malware disguises itself as a file converter from .docx to .pdf; the "converted" file handed back to the user carries the double extension .pdf.exe, and opening it triggers the payload. Lumma primarily targets crypto wallets, stealing cached files, configuration files, and logs, with advanced encryption techniques and altered communication URLs.
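The .pdf.exe lure described above is a pattern a defender can check for mechanically. The following Python is an added example, not code from Kaspersky or from the report; it generalizes the page's single case to any document-looking extension followed by an executable one, and also catches the common variant where padding spaces hide the real extension. The extension lists and the sample filenames are constructed for illustration.

```python
"""Flag filenames whose final extension is executable but whose preceding
extension suggests a document (e.g. invoice.pdf.exe).  Added example,
generalizing the .pdf.exe lure; extension sets are an assumption."""

# Extensions a victim would expect from a "converter" (assumed list).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Extensions Windows will run when double-clicked (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "ps1"}


def is_double_extension_lure(filename: str) -> bool:
    """True if the name ends in <doc-ext>.<exec-ext>, ignoring case and
    padding spaces such as 'report.pdf      .exe'."""
    # Only the basename matters; split on both separators.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3:  # need at least name.inner.outer
        return False
    inner, outer = parts[-2], parts[-1]
    return inner in DOC_EXTS and outer in EXEC_EXTS


def scan_filenames(names):
    """Return the subset of names that look like double-extension lures."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample download names for the demonstration.
SAMPLE_FILENAMES = [
    "invoice.pdf",                       # benign document
    "invoice.pdf.exe",                   # the lure from the report
    "statement.docx.pdf  .exe",          # padded variant
    "setup.exe",                         # plain executable, not a lure
    "backup.tar.gz",                     # legitimate double extension
    "C:\\Users\\me\\Downloads\\CV.DOCX.SCR",  # uppercase, screensaver
]

if __name__ == "__main__":
    for name in scan_filenames(SAMPLE_FILENAMES):
        print("suspicious:", name)
```

Such a check belongs in a download or mail-attachment pipeline, or in an endpoint detection rule keyed on file creation events; it is a cheap signal, not a verdict, so pair it with the usual sandboxing or reputation lookup before blocking.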
Tatyana Shishkova, a lead security researcher at Kaspersky’s GReAT, emphasized the dynamic nature of these threats and the importance of staying informed. She stressed the role of intelligence reports in keeping up with the latest malicious tools and attacker techniques to stay ahead in the ongoing battle for digital security.
Kaspersky recommends various preventive measures to mitigate financially motivated threats, including offline backups, anti-ransomware tools, and dedicated security solutions. Staying vigilant and informed about evolving malware threats is crucial in defending against cyberattacks in the ever-changing digital landscape.