Zanubis LATAM Banking Trojan
Brief note: I analyzed this sample I found thanks to MHT's tweet https://twitter.com/malwrhunterteam/status/1564972377452298245?s=20&t=hqLnACKdbcCOPLjLrNMfyw
07/09/2022 update at the end.
This is the first time I have seen this sample, and I am not sure if there is more documentation about it (if there is, please let me know). I am going to refer to this sample as Zanubis from now on, because the decryption key in the sample I analyzed is Zanubis. At the end, IOCs, SHA256 and targeted banks can be found.
At the time of this writing, the samples were not packed and still contained logging from the authors. These samples are likely still not final versions.
This is an overlay-based banking trojan that abuses accessibility. The infection method is the standard one, and it stores a list of applications in shared_preferences. It targets LATAM banks, and this sample focuses on Peruvian banks.
On startup, the ServerPrimerosPasos() method is called and retrieves the following information:
List of contacts of the device
List of installed applications
Device data which includes:
It checks for the brand of the device and checks specifically for Motorola, Samsung and Huawei devices.
Ignore battery optimizations.
This information is formatted and sent to the remote server via websockets:
Once the sample is installed on the victim's device, it uses the hardcoded initial URL to post data to a remote server. After the first post, subsequent messages from both the trojan and the server carry encrypted strings:
[Image: Initial data sent (on install)]
[Image: Response received (on install)]
The vistas package contains all the code related to Views and WebViews, including tests and customized views to request the SMS, battery and accessibility permissions. The authors have left some logging statements in the sample, likely to debug their code:
Log.e("vista alerta", "en teoria se esta creando la ventana");
Information is posted to the remote server via the NotificarPost method:
The class called Configuracion stores the default configuration of the sample. The most important information that is stored here for us is:
KEY_STR: Used to encrypt messages as seen in the ServerPrimerosPasos() screenshots
SOCKET_SERVER: Remote address to open a WebSocket. This websocket exposes the following commands:
config_packages: Returns the list of installed packages in the system
desinstalar_app and eliminar_app: Deletes the target application
bloquear_telefono: Locks the screen
notificacion: Sends a push notification to the user. The message is received from the socket and decrypted
enviar_sms: Sends an SMS
permiso_contacto: Requests the contacts permission
permiso_sms: Gets SMS permission
rev_permiso_sms: Resets SMS permission
unlock_package: Allows the target package to be uninstalled
Next are some code snippets related to the previous commands:
To encrypt and decrypt data, it implements a class named Cripto, which holds all the methods for string encryption and decryption.
The overlays work by reading the list of packages to monitor from pref_config_package and checking it whenever an application opens:
If the application is in the list of targets, a WebView is overlaid on the victim's device.
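For triage, the command names, class and method names and configuration keys described above can be matched against the strings of an extracted classes.dex or decompiled source. The following is an added example, not code from the sample or from this analysis; the thresholds and the two sample inputs are assumptions constructed for illustration.

```python
import re

# Identifiers named in the write-up above, grouped by what they indicate.
INDICATORS = {
    "c2_command": {
        "config_packages", "desinstalar_app", "eliminar_app", "bloquear_telefono",
        "notificacion", "enviar_sms", "permiso_contacto", "permiso_sms",
        "rev_permiso_sms", "unlock_package",
    },
    "code_symbol": {"ServerPrimerosPasos", "NotificarPost", "Configuracion", "Cripto"},
    "config_key": {"KEY_STR", "SOCKET_SERVER", "pref_config_package"},
}

# Assumed triage thresholds (not from the write-up): ordinary Spanish words such
# as "notificacion" occur in benign apps, so one hit alone must not flag a file.
MIN_COMMANDS = 4
MIN_OTHER = 2

# Whole identifier tokens only, so "rev_permiso_sms" does not also count as
# "permiso_sms" and "permiso_sms_extra" counts as neither.
TOKEN = re.compile(rb"[A-Za-z0-9_]{4,}")


def scan(blob: bytes) -> dict:
    """Return the distinct indicator names per group found in raw bytes
    (for example an extracted classes.dex or a decompiled source file)."""
    tokens = {t.decode("ascii") for t in TOKEN.findall(blob)}
    return {group: sorted(names & tokens) for group, names in INDICATORS.items()}


def is_suspect(hits: dict) -> bool:
    """Flag only when several commands co-occur with symbols or config keys."""
    other = len(hits["code_symbol"]) + len(hits["config_key"])
    return len(hits["c2_command"]) >= MIN_COMMANDS and other >= MIN_OTHER


# Constructed inputs for illustration: NUL-separated strings, not real samples.
SAMPLE_TROJAN_LIKE = b"\x00".join([
    b"ServerPrimerosPasos", b"KEY_STR", b"SOCKET_SERVER", b"config_packages",
    b"enviar_sms", b"bloquear_telefono", b"rev_permiso_sms", b"unlock_package",
])
SAMPLE_BENIGN = b"\x00".join([b"notificacion", b"Configuracion", b"permiso_sms_extra"])

if __name__ == "__main__":
    for name, blob in (("trojan-like", SAMPLE_TROJAN_LIKE), ("benign", SAMPLE_BENIGN)):
        hits = scan(blob)
        print(name, is_suspect(hits), hits)
```

Because these samples were not packed at the time of writing, plain string matching works; a packed or obfuscated build would need unpacking first.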