The Android banking Trojan Zanubis has taken on a new form and now poses as the official app of the Peruvian government organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria).
Originally detected in August 2022, this malware targets financial and cryptocurrency users in Peru by posing as legitimate Android apps. Zanubis tricks users into granting accessibility permissions, effectively handing over control of their devices.
What distinguishes Zanubis is its increasing sophistication, explained a new advisory that Kaspersky published today. The Trojan uses the Obfuscapk obfuscator for Android APK files, making it harder to detect.
Once it gains access to a victim's device, it deceives the user by loading a genuine SUNAT website in a WebView, creating the illusion of legitimacy. The Trojan maintains communication with its command-and-control server via WebSockets and a library called Socket.IO, which guarantees connectivity even under unfavorable network conditions.
What is particularly worrying is Zanubis' adaptability. Unlike typical malware with a fixed list of target apps, Zanubis can be instructed remotely to steal data whenever specific apps are in use. Moreover, it establishes a second connection, which may grant malicious actors full control over a compromised device. To heighten the threat, it can disable a device by disguising itself as an Android update.
In the same advisory, Kaspersky researchers mentioned the discovery of a crypter/loader called ASMCrypt, designed to target crypto wallets and distributed via underground forums. This evolved variant of the DoubleFinger loader serves as a gateway to the TOR network. Buyers customize its functionality and inject malicious DLLs hidden in encrypted image blobs.
The Lumma Stealer is another evolving malware family that the security researchers recently examined. Lumma, previously known as Arkei, retains 46% of its original attributes. To infect a system, the malicious software disguises itself as a .docx-to-.pdf file converter, which triggers the payload when the files are returned with the double extension .pdf.exe.
Lumma focuses primarily on crypto wallets, stealing cache files, configuration files and logs. Its evolution includes collecting the system process list, changed communication URLs and more advanced encryption techniques.
Tatyana Shishkova, a lead security researcher at Kaspersky's GReAT (Global Research and Analysis Team), emphasized the dynamic nature of these threats and the importance of staying informed.
"The ever-evolving landscape of malware, illustrated by the versatile Lumma stealer and the ambitions of Zanubis as a fully-fledged banking Trojan, underlines the dynamic nature of these threats," she said.
"Intelligence reports play a crucial role in keeping us informed about the latest malicious tools and attacker techniques, so that we are able to stay one step ahead in the ongoing struggle for digital security."
Kaspersky advised various preventive measures, including offline backups, anti-ransomware tools and dedicated security solutions, to reduce the risk from financially motivated threats.