
Published on March 16th, 2018


A new banking Trojan, BankBot Anubis, was found by PhishLabs



According to the cybersecurity company PhishLabs, it discovered a new variant of the banking Trojan BankBot on the 5th of this month. The variant is disguised as the legitimate applications Adobe Flash Player, Avito, and HD Video Player.

 

PhishLabs said that the new variant, named BankBot Anubis, has taken the mobile threat to a new level. It combines features that originally belonged to many different types of malware, including ransomware functionality, keylogger functionality, remote access trojan (RAT) capabilities, SMS blocking, call forwarding, and screen locking.

Prior to Anubis, LokiBot was the first Android banking Trojan to incorporate ransomware functionality. And now, the emergence of Anubis means that the developers behind BankBot are further improving their code quality.

Anubis’s configuration is stored in a file called “set.xml”, which contains several entries related to the new ransomware feature. One of them, ‘htmllocker’, provides the HTML code used to implement the lock screen function after the malicious application has been installed successfully.


This feature is reminiscent of other ransomware that locks the screen, but those families simply prevent the victim from accessing the phone interface, whereas Anubis actually implements file-encrypting ransomware. Its cryptographic module encrypts files with a 256-bit symmetric key and appends the extension .AnubisCrypt to each encrypted file.
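The two artifacts named above, the “set.xml” configuration with its ‘htmllocker’ entry and the .AnubisCrypt extension, can be checked for during triage of an extracted device file tree. The following is an added example, not code from PhishLabs or from the original article; it assumes set.xml uses the Android SharedPreferences layout (`<string name="...">`), and the sample paths and package names are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ENCRYPTED_SUFFIX = ".anubiscrypt"  # extension named in the article, lowercased
CONFIG_NAME = "set.xml"            # configuration file name from the article
CONFIG_KEY = "htmllocker"          # article's entry; <string name=...> layout is assumed

def config_has_key(path, key=CONFIG_KEY, max_bytes=1 << 20):
    """True if the key appears as an XML name attribute or as raw bytes."""
    with path.open("rb") as fh:
        data = fh.read(max_bytes)      # bounded read: the file is untrusted
    if b"<!DOCTYPE" not in data:       # never feed entity declarations to the parser
        try:
            if any(el.get("name") == key for el in ET.fromstring(data).iter()):
                return True
        except ET.ParseError:
            pass                       # damaged or non-XML: use the byte search
    return key.encode() in data

def triage(root_dir):
    """Walk an extracted device tree; return (encrypted_files, config_hits)."""
    encrypted, configs = [], []
    for p in (q for q in Path(root_dir).rglob("*") if q.is_file()):
        rel = p.relative_to(root_dir).as_posix()
        if p.name.lower().endswith(ENCRYPTED_SUFFIX):
            encrypted.append(rel)
        elif p.name.lower() == CONFIG_NAME and config_has_key(p):
            configs.append(rel)
    return sorted(encrypted), sorted(configs)

def build_sample_tree(base):
    files = {  # constructed sample data; paths and package names are made up
        "sdcard/DCIM/img001.jpg.AnubisCrypt": b"\x00" * 16,
        "sdcard/DCIM/img002.jpg": b"\xff\xd8",
        "data/com.example.player/shared_prefs/set.xml":
            b"<map><string name='htmllocker'>&lt;html&gt;</string></map>",
        "data/com.example.notes/shared_prefs/set.xml":
            b"<map><string name='theme'>dark</string></map>",
    }
    for rel, content in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A set.xml without the ‘htmllocker’ entry is deliberately not flagged, since the file name alone is common among Android applications.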

In addition to the aforementioned ransomware features, Anubis also implements remote access trojan (RAT) functionality. The commands provided by the RAT service include opening directories, downloading files, deleting files and folders, starting and stopping VNC, and starting and stopping recording. This feature allows an attacker to directly manipulate the file system and monitor the victim’s activities.

In addition, Anubis also implements keylogger functionality, including the name of the log file. The ability to record sound and keystrokes makes Anubis powerful and aggressive.





 

Although Anubis incorporates many new features, it is still a banking Trojan because it is developed based on the BankBot source code. Like most Android banking Trojans, Anubis monitors the launch of the target application and then overlays the legitimate application with the corresponding phishing screen to steal the victim’s credentials. Finally, it also uses its SMS blocking feature to intercept any subsequent security code sent by the bank.


PhishLabs stated that they have discovered a total of 275 different applications worldwide that carry Anubis, including 29 applications related to cryptocurrency. According to the command and control (C&C) server domain names in the samples, most of them are registered from Japan, Moldova, and France, and the infrastructure is hosted on servers located in Ukraine, Germany, and the Netherlands.

Source, Image: phishlabs
