Wednesday, September 28, 2022

Zanubis updates their list of targets, author nickname

In recent changes the actors behind the Zanubis banking trojan have broadened their list of targets. The basic configuration has been updated, and the actor has included what seems to be their nickname in the code.

As seen from the code, the actor behind these samples, "6y Mr S0(k37", has also updated the key and removed the empty defaults seen in previous versions. The obfuscation has also been updated to slow down analysts.

The remote socket is the same address as in previous samples, while the hardcoded domain has changed. The underlying encryption/decryption routines are the same as in previous samples, only obfuscated.

Samples:

https://www.virustotal.com/gui/file/44dd79ed23516673af9084ea8120f3d412e815ab3df36e9c7e2028363cd086de/

https://www.virustotal.com/gui/file/6f643819b96ca4b0451293954100b1739865fc593d6c75048563ac5d9a34479a

Network IOCs: the socket.io endpoint on the remote socket's IP and port, plus the new hardcoded domain.

Updated list of banks targeted:

  • pe.com.banBifBanking.icBanking.androidUI
  • com.bbva.nxt_peru
  • pe.com.interbank.mobilebanking
  • com.mibanco.bancamovil
  • pe.com.scotiabank.blpm.android.client
  • com.bcp.bank.bcp
  • pe.com.bn.app.bancodelanacion
  • com.falabella.falabellaApp
  • com.bcp.innovacxion.yapeapp
  • com.pe.cajasullana.cajamovil
  • pe.pichincha.bm
  • com.ripley.banco.peru
  • com.cmac.cajamovilaqp
  • com.cajahuancayo.cajahuancayo.appcajahuancayo
  • com.cmacica.prd
  • pe.cajapiura.bancamovil
  • pe.solera.tarjetaoh
  • com.alfinbanco.appclientes
  • pe.com.bancomercio.mobilebanking
  • com.bm_gnb_pe
  • com.zoluxiones.officebanking
  • pe.com.cajametropolitana.homebankingcml.cmlhomebanking
  • com.pe.cajacusco.movil
  • com.caja.myapplication
  • com.cajamaynas.cajamaynas
  • com.cajatacna.droid
  • com.appcajatrujillo
  • pe.com.tarjetacencosud.canales.mitarjetacencosud
  • pe.com.cajacentro
  • pe.com.prymera.digital.app
  • pe.com.compartamos.bancamovil
  • pe.confianza.bancamovil
  • id=com.credinkamovil.pe
  • pe.com.scotiabank.blpm.android.client.csf
  • com.efectivadigital.appclientes
  • com.qapaq.banking
  • pe.com.tarjetasperuanasprepago.tppapp
  • maximo.peru.pe
  • air.PrexPeru
  • pe.com.tarjetaw.neobank
  • com.fif.fpay.android.pe
  • com.cencosud.pe.metro
  • com.cencosud.pe.wong
  • com.tottus
  • com.pichincha.cashmanagement
  • com.banbifbancaempresasapp


11/10/23 update

A new sample emerges with changed obfuscation and a different key and endpoints.

VT Link: https://www.virustotal.com/gui/file/4560c27d6656bcf5f5f4d101daab3ccdd5f0edd4f5b279b66464019a7cbe9aba 

Also a rotating list of C2s to connect to: numbered paths 001 to 017 on a single host, identical apart from the path number.
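The two network behaviours noted so far, the socket.io polling-to-websocket handshake against a bare IP on a non-standard port and the rotating numbered-path C2 list, can both be hunted for in proxy logs. The following is an added example, not code from the post, run over constructed log lines; the client IPs, hosts, sid values and the 32-hex path segment are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines ("<client> <method> <url>"), not taken from the post;
# RFC 5737 addresses and .invalid hosts stand in for the real infrastructure.
SAMPLE_LOG = """\
10.0.0.7 GET http://203.0.113.10:8000/instalado
10.0.0.7 GET http://203.0.113.10:8000/socket.io/?EIO=4&transport=polling
10.0.0.7 GET http://203.0.113.10:8000/socket.io/?EIO=4&transport=polling&sid=AbCdEfGhIjKlMnOpQrSt
10.0.0.7 GET http://203.0.113.10:8000/socket.io/?EIO=4&transport=websocket&sid=AbCdEfGhIjKlMnOpQrSt
10.0.0.7 GET http://001.staging.example.invalid/001/0123456789abcdef0123456789abcdef/inicio?pvs=gt65
10.0.0.7 GET http://001.staging.example.invalid/002/0123456789abcdef0123456789abcdef/inicio?pvs=gt65
10.0.0.7 GET http://001.staging.example.invalid/003/0123456789abcdef0123456789abcdef/inicio?pvs=gt65
10.0.0.9 GET https://www.example.invalid/socket.io/?EIO=4&transport=polling&sid=ZzYyXxWwVvUuTtSsRrQq
10.0.0.9 GET https://cdn.example.invalid/004/0123456789abcdef0123456789abcdef/inicio
"""

BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# /NNN/<32 hex>/inicio is the shape of the rotating C2 list described in the post.
NUMBERED_PATH = re.compile(r"^/(\d{3})/([0-9a-f]{32})/inicio$")


def parse_log(text):
    """Split the three-column lines above into (client, url) pairs."""
    return [(c, u) for c, _m, u in (l.split(maxsplit=2) for l in text.splitlines())]


def socketio_to_bare_ip(pairs):
    """Clients that complete a socket.io EIO=4 handshake (polling, then a websocket
    upgrade reusing the sid) against a bare IP on a port other than 80/443."""
    seen = defaultdict(set)  # (client, host:port, sid) -> transports observed
    for client, url in pairs:
        u = urlsplit(url)
        if (u.path != "/socket.io/" or not BARE_IP.match(u.hostname or "")
                or u.port in (None, 80, 443)):
            continue
        q = parse_qs(u.query)
        sid = q.get("sid", [""])[0]
        if q.get("EIO") == ["4"] and sid:
            seen[(client, u.netloc, sid)].update(q.get("transport", []))
    return sorted(k for k, t in seen.items() if {"polling", "websocket"} <= t)


def rotating_numbered_paths(pairs, min_slots=3):
    """(client, host, hex id) tuples requested through >= min_slots distinct /NNN/ slots."""
    slots = defaultdict(set)
    for client, url in pairs:
        u = urlsplit(url)
        m = NUMBERED_PATH.match(u.path)
        if m:
            slots[(client, u.hostname, m.group(2))].add(m.group(1))
    return sorted(k for k, s in slots.items() if len(s) >= min_slots)
```

A single numbered-path hit is not flagged; it is the rotation across slots by one client that distinguishes the C2 beaconing from an ordinary CDN fetch.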

Targeted banks:
  • pe.com.banBifBanking.icBanking.androidUI
  • com.bbva.nxt_peru
  • pe.com.interbank.mobilebanking
  • com.mibanco.bancamovil
  • pe.com.scotiabank.blpm.android.client
  • com.bcp.bank.bcp
  • pe.com.bn.app.bancodelanacion
  • per.bf.desa
  • com.bcp.innovacxion.yapeapp
  • com.pe.cajasullana.cajamovil
  • pe.pichincha.bm
  • com.ripley.banco.peru
  • com.cmac.cajamovilaqp
  • com.cajahuancayo.cajahuancayo.appcajahuancayo
  • com.cmacica.prd
  • pe.cajapiura.bancamovil
  • pe.solera.tarjetaoh
  • com.alfinbanco.appclientes
  • pe.com.bancomercio.mobilebanking
  • com.bm_gnb_pe
  • com.zoluxiones.officebanking
  • pe.com.cajametropolitana.homebankingcml.cmlhomebanking
  • com.pe.cajacusco.movil
  • com.caja.myapplication
  • com.cajamaynas.cajamaynas
  • com.cajatacna.droid
  • com.appcajatrujillo
  • pe.com.tarjetacencosud.canales.mitarjetacencosud
  • pe.com.cajacentro
  • pe.com.prymera.digital.app
  • pe.com.compartamos.bancamovil
  • pe.confianza.bancamovil
  • id=com.credinkamovil.pe
  • pe.com.scotiabank.blpm.android.client.csf
  • com.efectivadigital.appclientes
  • com.qapaq.banking
  • pe.com.tarjetasperuanasprepago.tppapp
  • maximo.peru.pe
  • air.PrexPeru
  • pe.com.tarjetaw.neobank
  • com.fif.fpay.android.pe
  • com.cencosud.pe.metro
  • com.cencosud.pe.wong
  • com.tottus
  • com.pichincha.cashmanagement
  • com.binance.dev
  • com.gateio.gateio
  • com.google.android.apps.authenticator2
  • com.bbva.GEMA.global
  • pe.com.scotiabank.businessbanking
  • com.bcp.bank.tlc
  • com.scotiabank.telebankingapp
  • com.bitkeep.wallet
  • com.bitmart.bitmarket
  • com.bitcoin.mwallet
  • com.bbva.bbvawalletpe
  • com.bbva.lukita
  • cash.klever.blockchain.wallet
  • org.theta.wallet
  • com.wallet.crypto.trustapp
  • com.myetherwallet.mewwallet

Update 13/10/23

VT Link: https://www.virustotal.com/gui/file/ad729ff3963682680bbef0d1345e743938dac29792a96b6f64fd048509aea140

KEY: $%FLO032DFKSF234dsdf4RLOCMV@

Websocket: 5.252.178.55:8000

C2: a web domain hosting index.php and asset paths, plus a rotating numbered-path list (001 to 017) on a new host, the same pattern as the 11/10/23 sample.

Targeted banks: the 11/10/23 list plus pe.interbank.bie.

28/10/23

New sample, no interesting updates so far. Keeps the same obfuscation style.

Initial URL:
  • https://prizmadigital[.]com/wp-includes/css/css/index.php
Websocket:
  • http://5.252.178[.]86:8000/instalado
  • http://5.252.178[.]86:8000/socket.io/?EIO=4&transport=polling
  • http://5.252.178[.]86:8000/socket.io/?EIO=4&transport=polling&sid=ER-owsoQdp4H8N71AAja
  • http://5.252.178[.]86:8000/socket.io/?EIO=4&transport=websocket&sid=ER-owsoQdp4H8N71AAja
C2: rotating numbered-path list (001 to 017) on the same host as the 13/10/23 sample.
Targeted banks: identical to the 13/10/23 list.
