In recent changes, the actors behind the Zanubis banking trojan have broadened their list of targets. The basic configuration has been updated, and the actor has included what appears to be their nickname in the code.
The remote socket address is the same as in previous samples, but the hardcoded domain has changed. The underlying encryption/decryption routines are the same as in previous samples, only obfuscated.
Samples:
https://www.virustotal.com/gui/file/6f643819b96ca4b0451293954100b1739865fc593d6c75048563ac5d9a34479a
Network IOCs:
Updated list of banks targeted:
- pe.com.banBifBanking.icBanking.androidUI
- com.bbva.nxt_peru
- pe.com.interbank.mobilebanking
- com.mibanco.bancamovil
- pe.com.scotiabank.blpm.android.client
- com.bcp.bank.bcp
- pe.com.bn.app.bancodelanacion
- com.falabella.falabellaApp
- com.bcp.innovacxion.yapeapp
- com.pe.cajasullana.cajamovil
- pe.pichincha.bm
- com.ripley.banco.peru
- com.cmac.cajamovilaqp
- com.cajahuancayo.cajahuancayo.appcajahuancayo
- com.cmacica.prd
- pe.cajapiura.bancamovil
- pe.solera.tarjetaoh
- com.alfinbanco.appclientes
- pe.com.bancomercio.mobilebanking
- com.bm_gnb_pe
- com.zoluxiones.officebanking
- pe.com.cajametropolitana.homebankingcml.cmlhomebanking
- com.pe.cajacusco.movil
- com.caja.myapplication
- com.cajamaynas.cajamaynas
- com.cajatacna.droid
- com.appcajatrujillo
- pe.com.tarjetacencosud.canales.mitarjetacencosud
- pe.com.cajacentro
- pe.com.prymera.digital.app
- pe.com.compartamos.bancamovil
- pe.confianza.bancamovil
- id=com.credinkamovil.pe
- pe.com.scotiabank.blpm.android.client.csf
- com.efectivadigital.appclientes
- com.qapaq.banking
- pe.com.tarjetasperuanasprepago.tppapp
- maximo.peru.pe
- air.PrexPeru
- pe.com.tarjetaw.neobank
- com.fif.fpay.android.pe
- com.cencosud.pe.metro
- com.cencosud.pe.wong
- com.tottus
- com.pichincha.cashmanagement
- com.banbifbancaempresasapp
Update 11/10/23
- pe.com.banBifBanking.icBanking.androidUI
- com.bbva.nxt_peru
- pe.com.interbank.mobilebanking
- com.mibanco.bancamovil
- pe.com.scotiabank.blpm.android.client
- com.bcp.bank.bcp
- pe.com.bn.app.bancodelanacion
- per.bf.desa
- com.bcp.innovacxion.yapeapp
- com.pe.cajasullana.cajamovil
- pe.pichincha.bm
- com.ripley.banco.peru
- com.cmac.cajamovilaqp
- com.cajahuancayo.cajahuancayo.appcajahuancayo
- com.cmacica.prd
- pe.cajapiura.bancamovil
- pe.solera.tarjetaoh
- com.alfinbanco.appclientes
- pe.com.bancomercio.mobilebanking
- com.bm_gnb_pe
- com.zoluxiones.officebanking
- pe.com.cajametropolitana.homebankingcml.cmlhomebanking
- com.pe.cajacusco.movil
- com.caja.myapplication
- com.cajamaynas.cajamaynas
- com.cajatacna.droid
- com.appcajatrujillo
- pe.com.tarjetacencosud.canales.mitarjetacencosud
- pe.com.cajacentro
- pe.com.prymera.digital.app
- pe.com.compartamos.bancamovil
- pe.confianza.bancamovil
- id=com.credinkamovil.pe
- pe.com.scotiabank.blpm.android.client.csf
- com.efectivadigital.appclientes
- com.qapaq.banking
- pe.com.tarjetasperuanasprepago.tppapp
- maximo.peru.pe
- air.PrexPeru
- pe.com.tarjetaw.neobank
- com.fif.fpay.android.pe
- com.cencosud.pe.metro
- com.cencosud.pe.wong
- com.tottus
- com.pichincha.cashmanagement
- com.binance.dev
- com.gateio.gateio
- com.google.android.apps.authenticator2
- com.bbva.GEMA.global
- pe.com.scotiabank.businessbanking
- com.bcp.bank.tlc
- com.scotiabank.telebankingapp
- com.bitkeep.wallet
- com.bitmart.bitmarket
- com.bitcoin.mwallet
- com.bbva.bbvawalletpe
- com.bbva.lukita
- cash.klever.blockchain.wallet
- org.theta.wallet
- com.wallet.crypto.trustapp
- com.myetherwallet.mewwallet
Update 13/10/23
- pe.com.banBifBanking.icBanking.androidUI
- com.bbva.nxt_peru
- pe.com.interbank.mobilebanking
- com.mibanco.bancamovil
- pe.com.scotiabank.blpm.android.client
- com.bcp.bank.bcp
- pe.com.bn.app.bancodelanacion
- per.bf.desa
- com.bcp.innovacxion.yapeapp
- com.pe.cajasullana.cajamovil
- pe.pichincha.bm
- com.ripley.banco.peru
- com.cmac.cajamovilaqp
- com.cajahuancayo.cajahuancayo.appcajahuancayo
- com.cmacica.prd
- pe.cajapiura.bancamovil
- pe.solera.tarjetaoh
- com.alfinbanco.appclientes
- pe.com.bancomercio.mobilebanking
- com.bm_gnb_pe
- com.zoluxiones.officebanking
- pe.com.cajametropolitana.homebankingcml.cmlhomebanking
- com.pe.cajacusco.movil
- com.caja.myapplication
- com.cajamaynas.cajamaynas
- com.cajatacna.droid
- com.appcajatrujillo
- pe.com.tarjetacencosud.canales.mitarjetacencosud
- pe.com.cajacentro
- pe.com.prymera.digital.app
- pe.com.compartamos.bancamovil
- pe.confianza.bancamovil
- id=com.credinkamovil.pe
- pe.com.scotiabank.blpm.android.client.csf
- com.efectivadigital.appclientes
- com.qapaq.banking
- pe.com.tarjetasperuanasprepago.tppapp
- maximo.peru.pe
- air.PrexPeru
- pe.com.tarjetaw.neobank
- com.fif.fpay.android.pe
- com.cencosud.pe.metro
- com.cencosud.pe.wong
- com.tottus
- com.pichincha.cashmanagement
- com.binance.dev
- com.gateio.gateio
- com.google.android.apps.authenticator2
- com.bbva.GEMA.global
- pe.com.scotiabank.businessbanking
- com.bcp.bank.tlc
- com.scotiabank.telebankingapp
- com.bitkeep.wallet
- com.bitmart.bitmarket
- com.bitcoin.mwallet
- com.bbva.bbvawalletpe
- com.bbva.lukita
- cash.klever.blockchain.wallet
- org.theta.wallet
- com.wallet.crypto.trustapp
- com.myetherwallet.mewwallet
- pe.interbank.bie
Update 28/10/23