
Cryptocurrency threats and banking trojans: what are they?

By Puja Sharma

October 03, 2023


Kaspersky experts have analyzed a recent campaign by Zanubis, a banking Trojan distinguished by its skill at impersonating legitimate applications.

The investigation also sheds light on the recently discovered AsymCrypt cryptor/loader and the evolving Lumma stealer, underscoring the increasing need for stronger digital security.

Zanubis, an Android banking trojan, surfaced in August 2022, targeting financial and crypto users in Peru. Impersonating legitimate Peruvian Android apps, it tricks users into granting it Accessibility permissions, which hand it control of the device.

In April 2023, Zanubis evolved, posing as the official app of the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria) and showing increased sophistication. Zanubis is obfuscated with Obfuscapk, a popular obfuscator for Android APK files. Once it has been granted access to the device, it loads the real SUNAT website in a WebView so the app appears legitimate to the victim.

To communicate with its controlling server, it uses WebSockets and a library called Socket.IO, which lets it adapt and keep its connection alive when the channel is disrupted. Unlike other malware, Zanubis does not carry a fixed list of target apps. Instead, it can be instructed remotely to steal data whenever specific apps are running. The malware also opens a second connection, which could give the attackers full remote control of the device. Worst of all, it can disable the device by pretending to be an Android update.

Another recent discovery by Kaspersky is the AsymCrypt cryptor/loader, which targets crypto wallets and is being sold on underground forums. The investigation showed it to be an evolved version of the DoubleFinger loader, acting as a “front” to a TOR network service. Buyers customize injection methods, target processes, startup persistence, and stub types for malicious DLLs; the payload is concealed as an encrypted blob inside a .png image uploaded to an image hosting site. On execution, the image is decrypted and the payload is activated in memory.

Kaspersky’s tracking of cyber threats has also led to the Lumma stealer, an evolving malware lineage. Originally known as Arkei, the rebranded Lumma retains 46% of its former attributes. One distribution method disguises it as a .docx-to-.pdf converter: files a user uploads are returned with the double extension .pdf.exe, and opening them triggers the malicious payload. Over time, the main functionality of all the variants has remained the same: stealing cached files, configuration files and logs from crypto wallets. It can do this by acting as a browser plugin, but it also supports the standalone Binance application. Lumma’s evolution includes acquiring system process lists, changing communication URLs, and advancing its encryption techniques.

“Cybercriminals are relentless in their pursuit of monetary gain, venturing into the world of cryptocurrencies and even impersonating government institutions to achieve their objectives. The ever-evolving landscape of malware, exemplified by the multifaceted Lumma stealer and the ambitions of Zanubis as a full-fledged banking Trojan, underscores the dynamic nature of these threats. Adapting to this constant transformation in malicious code and cybercriminal tactics poses an ongoing challenge for defense teams.

To safeguard against these evolving dangers, organizations must remain vigilant and well-informed. Intelligence reports play a pivotal role in keeping abreast of the latest malicious tools and attacker techniques, empowering us to stay one step ahead in the ongoing battle for digital security,” said Tatyana Shishkova, a lead security researcher at GReAT.
