entdark's blog

  The malware, dubbed MammothFraud from one of the logging strings МАМОНТИЗАЦИЯ!   checks for the android.permission.CALL_PHONE permission and also that the SDK is greater than 26. If positive, it will attempt to introduce an USSD code to obtain the mobile phone number. For example, *111*0887# for the MTS RU provider. When the permissions are not granted by the user, it will prompt the user with a message to allow the requested permissions. In the list there are other telecom providers from Uzbekistan, Ukraine and Russia with USSD codes present. A list of the permissions requested: android.permission.CALL_PHONE android.permission.READ_SMS android.permission.READ_PHONE_STATE android.permission.SEND_SMS android.permission.RECEIVE_SMS android.permission.POST_NOTIFICATIONS In case there are active SIM cards in the device, the sample registers broadcast receivers for handling specific SMS-related events and for shutdown events. It also verifies whether the following applications are insta

As always, IOCs and targets at the end. Previous updates of this family at:  https://www.entdark.net/2022/09/zanubis-latam-banking-trojan.html The latest Zanubis sample contains overall updates to the code. Among the most interesting ones, is that they are shifting to record the screen via the MediaProjection API and use it to send to back to the C2. The functionality is triggered via socket with the command "iniciarVnc". The crafted video from the screen recording is stored as "RecordedVideo.mp4" in external storage: Via accessibility is has also added code to copy text from the clipboard as well as sending keystrokes remotely. It also contains a method to simulate swipes given the start and end coordinates, with the intention of controlling the victims device: As of recent samples, it will also send the users to a government site to check their debts on app startup: IOCs: SHA256: https://www.virustotal.com/gui/file/e756e44290ccf5f9d6864444bbd9044c2345c60a0352de572

As always, IOCs at the end.  Characteristics: Uses IRC to send data to the attacker and FTP. Get the victim's IP address via external services, uses ip2location until it is able to connect to the external service. Get list of applications Send SMS using the device. Requests several permissions: android.permission.INTERNET android.permission.READ_EXTERNAL_STORAGE android.permission.RECEIVE_BOOT_COMPLETED android.permission.REBOOT android.permission.CALL_PHONE android.permission.READ_SMS android.permission.READ_CONTACTS android.permission.SEND_SMS android.permission.WRITE_EXTERNAL_STORAGE android.permission.READ_CALL_LOG android.permission.SYSTEM_ALERT_WINDOW Includes Spanish strings in the code, suggesting the actor is from a Spanish speaking country.  The IP the duckdns serves the APK from is from Spain. Useful links: Virustotal Graph: https://www.virustotal.com/graph/embed/g1f66b84527234df186946867ace02cc1d175d8dd4bd045cf948261dd16565c7d  Virustotal Collection: https://www.virusto