The Android banking Trojan Zanubis has adopted a new disguise as the official app for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria). This malware targets users in Peru who use financial and cryptocurrency apps by pretending to be legitimate Android apps. Zanubis tricks users into granting Accessibility permissions, which effectively hands over control of their devices.
What makes Zanubis unique is its increasing sophistication, as explained in a recent advisory by Kaspersky. The Trojan utilizes the Obfuscapk obfuscator for Android APK files, making it difficult to detect.
Once it gains access to a victim’s device, it creates the illusion of legitimacy by loading a genuine SUNAT website using WebView. The Trojan communicates with its controlling server through WebSockets and a library called Socket.IO, ensuring connectivity even in unfavorable conditions.
One concerning aspect of Zanubis is its adaptability. Unlike typical malware that focuses on specific target apps, Zanubis can be remotely programmed to steal data when certain apps are being used. It also establishes a second connection, potentially giving malicious actors complete control over a compromised device. Additionally, it can disable a device by impersonating an Android update.
In the same advisory, Kaspersky researchers also describe a newly discovered cryptor/loader called AsymCrypt, which is intended to target crypto wallets and is distributed through underground forums. An evolved variant of the DoubleFinger loader, it serves as a gateway to the Tor network. Buyers can customize its functionality by injecting malicious DLLs hidden within encrypted image blobs.
Another evolving malware lineage recently discovered by security researchers is the Lumma stealer, previously known as Arkei. Lumma retains 46% of its original attributes. It disguises itself as a .docx-to-.pdf file converter, and its payload activates when the converted files come back with the double extension .pdf.exe.
Lumma primarily targets crypto wallets and steals cached files, configuration files, and logs. Its evolution includes acquiring the system process list, using altered communication URLs, and employing advanced encryption techniques.
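A defender-side check for the double-extension disguise described for Lumma above, as an added example that is not taken from the Kaspersky advisory. The extension lists and function names are assumptions chosen for illustration, and the sample filenames are constructed.

```python
from pathlib import PureWindowsPath

# Assumed lists (not from the advisory): extensions a user expects to be a
# harmless document, and extensions Windows runs on double-click.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}


def normalize(name: str) -> str:
    """Return the lower-cased basename roughly as Windows would resolve it."""
    base = PureWindowsPath(name).name
    # Windows drops trailing dots and spaces when it creates or opens a file,
    # so "a.pdf.exe. " still ends up as an .exe on disk.
    return base.rstrip(". ").lower()


def masquerading_extension(name: str):
    """Return (decoy_ext, real_ext) when an executable extension follows a
    document extension, e.g. ("pdf", "exe"); otherwise return None."""
    parts = normalize(name).split(".")
    if len(parts) < 3:  # need at least stem + decoy + real extension
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DOCUMENT_EXTS:
        return decoy, real
    return None


def scan(names):
    """Map each suspicious filename to its (decoy, real) extension pair."""
    return {n: hit for n in names if (hit := masquerading_extension(n))}


# Constructed sample filenames, e.g. from a download folder or mail gateway log.
SAMPLES = [
    "report.pdf",
    "report.pdf.exe",
    r"C:\Users\ana\Downloads\Contrato.PDF.EXE ",
    "setup.exe",
    "v1.2.pdf",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, (decoy, real) in scan(SAMPLES).items():
        print(f"SUSPICIOUS {name!r}: looks like .{decoy}, runs as .{real}")
```

Explorer hides known file extensions by default, so a file named this way is displayed as `report.pdf`; enabling "File name extensions" in Explorer makes the mismatch visible to the user as well.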
According to Tatyana Shishkova, a lead security researcher at Kaspersky’s GReAT (Global Research and Analysis Team), these threats are constantly evolving, highlighting the importance of staying informed.
“The ever-evolving landscape of malware, exemplified by the multifaceted Lumma stealer and the ambitions of Zanubis as a full-fledged banking Trojan, underscores the dynamic nature of these threats,” she said.
“Intelligence reports play a pivotal role in keeping up with the latest malicious tools and attacker techniques, empowering us to stay one step ahead in the ongoing battle for digital security.”
Kaspersky recommends several preventive measures, including offline backups, anti-ransomware tools, and dedicated security solutions, to mitigate financially motivated threats.