Friday, November 11, 2022

Zanubis updates with screenshot recording

As always, IOCs and targets at the end. Previous updates of this family at: https://www.entdark.net/2022/09/zanubis-latam-banking-trojan.html

The latest Zanubis sample contains overall updates to the code. Among the most interesting ones is that they are shifting to recording the screen via the MediaProjection API and sending the result back to the C2. The functionality is triggered via socket with the command "iniciarVnc".




The crafted video from the screen recording is stored as "RecordedVideo.mp4" in external storage:


Via accessibility it has also added code to copy text from the clipboard as well as to send keystrokes remotely. It also contains a method to simulate swipes given the start and end coordinates, with the intention of controlling the victim's device:
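
The capability combination described above (MediaProjection recording, plus accessibility-driven clipboard, keystroke and swipe control) lends itself to a static triage check. The following is an added example, not code from the original post: it matches strings dumped from a decompiled APK against the indicators named here. The Android API names used for the clipboard, keystroke and swipe rules (ClipboardManager, getPrimaryClip, performAction, ACTION_SET_TEXT, dispatchGesture, GestureDescription) are my assumption about how such features are typically implemented, not something the post states, and the sample strings are constructed.

```python
import re

# Indicators named in the post ("iniciarVnc", "RecordedVideo.mp4",
# MediaProjection, accessibility abuse) plus, as an assumption, the Android
# APIs such features are usually built on. Hypothetical rule set, not from
# the original post or any vendor.
INDICATORS = {
    "screen_recording": r"MediaProjection|RecordedVideo\.mp4",
    "vnc_command": r"iniciarVnc",
    "clipboard_access": r"ClipboardManager|getPrimaryClip",
    "keystroke_injection": r"ACTION_SET_TEXT|performAction",
    "swipe_simulation": r"dispatchGesture|GestureDescription",
    "accessibility_service": r"AccessibilityService",
}


def triage_strings(strings):
    """Return {capability: [matching strings]} for a list of APK strings."""
    found = {}
    for label, pattern in INDICATORS.items():
        hits = sorted({s for s in strings if re.search(pattern, s)})
        if hits:
            found[label] = hits
    return found


def verdict(found):
    # Screen recording together with accessibility-driven input control is
    # the remote-control combination this sample adds; flag it explicitly.
    controls = {"keystroke_injection", "swipe_simulation"}
    if "screen_recording" in found and controls & set(found):
        return "remote-control capable"
    if found:
        return "suspicious"
    return "clean"


# Constructed sample: strings as they might be dumped from a decompiled APK
# (not real output from the Zanubis sample).
SAMPLE = [
    "android/media/projection/MediaProjection",
    "/storage/emulated/0/RecordedVideo.mp4",
    "iniciarVnc",
    "android/accessibilityservice/AccessibilityService",
    "android/accessibilityservice/GestureDescription$Builder",
    "dispatchGesture",
    "getPrimaryClip",
    "ACTION_SET_TEXT",
    "Lcom/example/Foo;->bar()V",
]

if __name__ == "__main__":
    hits = triage_strings(SAMPLE)
    for label, values in hits.items():
        print(f"{label}: {', '.join(values)}")
    print("verdict:", verdict(hits))
```

Feed it the output of a strings dump (for example from the decoded classes.dex) to get a quick capability profile before deeper analysis.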



As of recent samples, it will also send the user to a government site to check their debts on app startup:


IOCs:

SHA256: https://www.virustotal.com/gui/file/e756e44290ccf5f9d6864444bbd9044c2345c60a0352de5724eb5928d29e0018/behavior

KEY: $%FLO032DFKSF234dsdf4RLOCMV@#

Banks targeted:



Initial URL: https://mibegnon[.]com/wp-content/css/index.php

Socket C2: 5.252.178.86

C2:


