As always, IOCs and targets at the end. Previous updates of this family at: https://www.entdark.net/2022/09/zanubis-latam-banking-trojan.html
The latest Zanubis sample contains overall updates to the code. Among the most interesting is that it is shifting to recording the screen via the MediaProjection API and sending the recording back to the C2. The functionality is triggered over the socket with the command "iniciarVnc".
The crafted video from the screen recording is stored as "RecordedVideo.mp4" in external storage.
Via the accessibility service it has also added code to copy text from the clipboard and to send keystrokes remotely. It also contains a method to simulate swipes given start and end coordinates, with the intention of controlling the victim's device.
As of recent samples, it also sends the user to a government site to check their debts on app startup.
IOCs:
SHA256: https://www.virustotal.com/gui/file/e756e44290ccf5f9d6864444bbd9044c2345c60a0352de5724eb5928d29e0018/behavior
KEY: $%FLO032DFKSF234dsdf4RLOCMV@#
Banks targeted:
Initial URL: https://mibegnon[.]com/wp-content/css/index.php
Socket C2: 5.252.178.86
C2:
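The indicators above, turned into a hunting check over proxy/netflow records. This is an added example, not code from the original post: the log line format is constructed, and only the hosts, IP and URL shape come from the IoCs listed here (the C2 paths share the form /&lt;3 digits&gt;/&lt;32 hex&gt;/inicio?tg81w=cv34).

```python
import re
from urllib.parse import urlsplit

# Infrastructure from the IoC section (defanged "[.]" on the page).
C2_HOST = "001.kidz4lifeplus.org"
STAGER_HOST = "mibegnon.com"
SOCKET_C2 = "5.252.178.86"
# Shape of every HTTP C2 URL listed: /<3-digit id>/<32 hex>/inicio
C2_PATH_RE = re.compile(r"^/\d{3}/[0-9a-f]{32}/inicio$")
STAGER_PATH_RE = re.compile(r"^/wp-content/css/index\.php$")


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('a[.]b', 'hxxp://') into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(line: str):
    """Return a reason if the line matches a Zanubis IoC, else None.

    Constructed record format: "<ts> <src_ip> <dst_ip> <url-or-dash>".
    """
    fields = line.split()
    if len(fields) != 4:
        return None
    _ts, _src, dst_ip, url = fields
    if dst_ip == SOCKET_C2:          # raw socket channel (iniciarVnc etc.)
        return "socket-c2"
    if url == "-":
        return None
    u = urlsplit(url)
    if u.hostname == C2_HOST and C2_PATH_RE.match(u.path):
        return "http-c2"
    if u.hostname == STAGER_HOST and STAGER_PATH_RE.match(u.path):
        return "stager"
    return None


# Constructed sample records; the benign first line must not be flagged.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 10.0.0.5 203.0.113.9 https://example.com/index.html
2023-10-01T10:00:02Z 10.0.0.5 203.0.113.10 http://001.kidz4lifeplus.org/005/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
2023-10-01T10:00:03Z 10.0.0.7 5.252.178.86 -
2023-10-01T10:00:04Z 10.0.0.8 203.0.113.11 https://mibegnon.com/wp-content/css/index.php
""".splitlines()


def hunt(lines):
    """Return [(src_ip, reason)] for every record that matches an IoC."""
    return [(l.split()[1], classify(l)) for l in lines if classify(l)]


if __name__ == "__main__":
    for src, reason in hunt(SAMPLE_LOG):
        print(src, reason)
```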