New Android Malware ‘Zanubis’ Disguises Itself as a Governmental Organization

A recent study by Securelist sheds light on ASMCrypt, a cryptor/loader variant discovered in underground forums associated with the DoubleFinger loader. Researchers have also highlighted the emergence of new versions of Lumma stealer and Zanubis Android banking malware.

ASMCrypt was found through an advertisement that showed features designed to evade AV/EDR detection, closely resembling the DoubleFinger loader. There are strong suspicions that ASMCrypt is an evolved iteration of DoubleFinger, potentially acting as a ‘front’ for a TOR network service, albeit with operational differences.

Buyers of ASMCrypt receive the binary, which establishes a connection to the malware’s TOR backend using predefined credentials and then gives access to the options menu.

These options encompass various elements, such as stealth and invisible injection methods, payload injection processes, startup persistence folder name, and disguising the malware as either Apple QuickTime or a legitimate application sideloading the malicious DLL.

Upon selecting options and initiating the build process, the application conceals an encrypted blob within a .png file, which is then uploaded to an image hosting site. Concurrently, cybercriminals develop and distribute the malicious DLL or binary.

Lumma Malware

As Securelist reports, Lumma, written in C++ and also recognized by aliases like Arkei stealer, has been stealing cryptocurrency wallet data since May 2018. The most recent variant, Lumma, has a 46% overlap with Arkei. It spreads through a deceptive website, posing as a .docx to .pdf converter, and made its first appearance in August 2022.

Zanubis Malware

Zanubis, an Android banking trojan, emerged in August 2022, primarily targeting financial and cryptocurrency users in Peru. It camouflages itself as a legitimate Android app from Peruvian governmental organizations, gaining control by deceiving users into granting Accessibility permissions. Recent samples surfaced in April 2023, with one of them impersonating the official SUNAT app, demonstrating increasing levels of sophistication.
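
A defender's triage for the Accessibility abuse described above, as an added example that is not code from Securelist or from this article: it reads a decoded AndroidManifest.xml and reports any declared accessibility service, together with whether the package is one the reviewer expects. The sample manifest, the package names, the `allowed_packages` allow-list and the `SENSITIVE` permission list are assumptions made for illustration, not indicators from the report.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Assumption: a generic reviewer's list of permissions worth surfacing next to
# an accessibility service; not taken from the Securelist report.
SENSITIVE = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed sample: a decoded manifest for a hypothetical app posing as a tax app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.taxapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Placeholder Tax App">
    <service android:name=".SyncService"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

def triage_manifest(xml_text, allowed_packages=frozenset()):
    """Summarize accessibility-service declarations in a decoded manifest."""
    # The manifest comes from an untrusted APK: for real use, parse it with a
    # hardened XML parser and size limits rather than the plain stdlib parser.
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # An accessibility service needs both the bind permission and the action.
        if svc.get(A + "permission") == BIND_A11Y and A11Y_ACTION in actions:
            services.append(svc.get(A + "name"))
    return {
        "package": package,
        "accessibility_services": services,
        "sensitive_permissions": sorted(requested & SENSITIVE),
        # Flag apps that declare the service but are not an expected package.
        "needs_review": bool(services) and package not in allowed_packages,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Declaring an accessibility service is legitimate for many apps, so the result is a prompt for manual review, not a verdict.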