Microsoft warns digital currency owners to be aware of new malware. In a tweet on August 27, Microsoft Security Intelligence (MSI) warned cryptocurrency owners who are also Windows users that the funds in their crypto wallets might be in danger because of new malware.
The new malware, called Anubis, appears to use code forked from Loki. It steals crypto wallet credentials, credit card details, and other valuable information from these Windows users.
Microsoft warns digital currency owners to be aware of new Malware
MSI reported that the malware was first seen in June in the cybercriminal underground. The malware has the same name as another potent banking Trojan that has been targeting Android smartphones for months.
MSI further said that the malware appears to be contained so far, stating that it has only been deployed in “what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers.”
However, some websites are tricking people into downloading Anubis. Once installed, the malware steals information and sends it to command and control (C2) servers through HTTP POST requests.
MSI says it will continue to monitor the threat. Cybersecurity experts suggested that the way to avoid the download is not to click on any email that seems suspicious, because the original Loki code used social engineering techniques to target its victims, sending attachments via email which, once clicked on, would install the malware.
According to Cointelegraph, previously another new malware was a triple threat to crypto users.
Anubis Malware The New Cybercriminal
Anubis malware is one of the newest and most potent families of banking malware. It has new features that give hackers control over devices. These additional features allow cybercriminals to operate silently without alerting users to their suspicious activities. The updated features give hackers the ability to inspect devices and wait for the opportune time to strike. For example, one added feature allows hackers to detect when the user is looking at the phone, preventing them from performing any nefarious activities openly. Security researchers have discovered over 17,000 new Anubis samples targeting over 377 banking applications spread across 93 countries, including the United States, Europe, and India.
The Operation of Anubis Banking Malware
The Anubis banking Trojan targets smartphones running the Android operating system. The malware infects mobile devices by tricking users into downloading Anubis apps disguised as other popular applications, such as games.
Infection mostly occurs when Android users download dodgy apps from third-party stores where security is lax. The banking malware's developers have recently persisted in efforts to sneak malicious apps into the Google Play Store, but with limited success. Researchers discovered two apps, Currency Converter and BatterySaverMobo, used to spread Anubis. The threat actors also lure users into downloading the infected apps through phishing campaigns after stealing contact information from infected devices.
Features of Anubis Malware
As soon as the user installs the Android banking trojan, the app monitors the device status to find the optimal time to execute attacks. The app can hijack two-factor authentication codes and hide the OTP SMS messages from the device user. Another feature allows the banking malware to detect whether the device is in motion by tapping into the motion sensor. When a device appears to be motionless for a long time, the banking malware operators conclude that the smartphone is running in a sandbox and is being used by researchers. They therefore abstain from executing attacks on the infected device.
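To show why the motion-sensor check matters to anyone running an Android analysis sandbox, the following added example (written for this article, not code from any Anubis sample or from the researchers cited) models the "motionless device means sandbox" heuristic and checks that injected sensor jitter would not trip it. The reading format, the jitter threshold and both traces are constructed assumptions.

```python
"""Defender-side model of the motionless-device sandbox heuristic.

Used to validate that an analysis environment's injected accelerometer data
looks like a handheld phone rather than an idle emulator. All readings are
constructed; the threshold value is an assumption, not taken from any sample.
"""
import random
import statistics
from typing import List, Tuple

Reading = Tuple[float, float, float]  # accelerometer x, y, z in m/s^2


def magnitude(r: Reading) -> float:
    x, y, z = r
    return (x * x + y * y + z * z) ** 0.5


def appears_motionless(readings: List[Reading], jitter_threshold: float = 0.05) -> bool:
    """Return True if the trace looks like a device that never moved.

    A phone in a hand shows constant small variation in acceleration
    magnitude; an idle emulator reports the same vector forever, so the
    standard deviation of the magnitude is ~0. Threshold in m/s^2 (assumed).
    """
    if len(readings) < 2:
        return True
    return statistics.pstdev(magnitude(r) for r in readings) < jitter_threshold


def emulator_default_trace(n: int) -> List[Reading]:
    """Constructed: an unmodified emulator reporting gravity on one axis, no noise."""
    return [(0.0, 9.81, 0.0)] * n


def synthetic_handheld_trace(n: int, seed: int = 1) -> List[Reading]:
    """Constructed hand jitter around gravity that a sandbox could inject
    (for example via the Android Emulator console's 'sensor set acceleration x:y:z')."""
    rng = random.Random(seed)
    return [(rng.gauss(0.0, 0.3), rng.gauss(9.81, 0.3), rng.gauss(0.0, 0.3))
            for _ in range(n)]


if __name__ == "__main__":
    print("idle emulator flagged as sandbox:", appears_motionless(emulator_default_trace(200)))
    print("jittered trace flagged as sandbox:", appears_motionless(synthetic_handheld_trace(200)))
```

A sandbox whose sensor feed passes this check is more likely to see a motion-gated sample actually detonate, which is what the analyst needs for dynamic analysis.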
Analysis of the Anubis source code reveals that the banking malware tampers with administrative settings to view running tasks as well as to create a backdoor through Virtual Network Computing (VNC). In addition to stealing banking credentials, these permissions also allow the app to record audio, gain access to the contact list for spamming, send SMS messages, and make phone calls. The banking malware app also contains a ransomware component, called AnubisCrypt, able to encrypt files on both internal and SD storage. It can also receive commands from social media apps such as Twitter, the most common method being commands sent through shortened links. These commands are used to send data to command and control (C2) servers located worldwide, allowing the criminals to launch commands from a wide range of locations.
TJ Short, VP of Security Operations at Cerberus Sentinel, says the trojan employs ingenious methods to trick users.
“The coolest feature, though, is that once you connect to your bank, complete your MFA and finish your bank business, it will activate. So when you are finished with the transaction, it will keep the tunnel open that has already passed the MFA requirements and pop up a fake ‘transaction has ended jpeg’ for you to see. At that point, it will contact the C2 server and act as a proxy gateway allowing the attacker to access your financial information.”
Cybercriminals have discovered a lucrative target in the Android mobile banking and shopping industry. Despite Google’s efforts to keep malicious apps out of the Play Store, threat actors can still distribute the apps through third-party stores. Maybe this is the moment Google should reconsider allowing app installation from untrusted sources.