Also, it doesn't only target cryptocurrency wallets; it grabs anything with financial value, so that means passwords, credit cards, and just about anything else you'd expect malware to steal. So while I don't think it's safe to copy private keys or seed phrases on such systems, if you obfuscate and scramble your keys before storing them on such infected systems (it could be as simple as encoding them in hexadecimal or base64), then I believe the command-and-control operators running Anubis will be confused, not know what this data represents, and may treat it like junk data.
It does ring a bell: "Warning: Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely."
If we are going by the flow, it was supposedly a fork of Loki, so backtracking, the mode of attack is:
- LokiBot Impersonates Popular Game Launcher
- LokiBot Gains New Persistence Mechanism, Steganography
- Attack Using Windows Installer Leads to LokiBot
So I will assume that the third attack vector is what Microsoft engineers have seen in the wild.
No, Cerberus is not the same malware as Anubis; they have different codebases. And LokiBot is also a different malware from those two. They are developed independently of each other, and when you analyze these three viruses you should treat them as three separate threats, as they don't share features unless one dev explicitly copies features from another one, and they may not even be open source, making what I said impossible for them to do.
So it's not like there's this combined banking trojan threat that's out to get us all, which is what the media is making it out as. Like I said earlier, news articles don't give out specific details about how malware works.
I also think it is dangerous for the Anubis writers to replay the hacking strategies that LokiBot used, because their methods are already well documented by researchers, like the Trend Micro articles you linked to, so it makes it easier for some enterprise to detect an attempted hack and sanitize their computer systems.
There is an easy killswitch for Anubis, just turn off your phone's gyroscope because it monitors it to see if the phone moves. This is the same killswitch in Cerberus by the way, I think I wrote about that one here before. It's a common test malware authors put in to make sure the malware does not run in security researchers' emulated and hand-crafted Android sandboxes so they can't inspect it for properties and patterns.
So that means if you have an old dumb-phone running Android but it has no gyroscope in it then you cannot be infected by any of these "modern" trojans because they will stop themselves automatically and clean up their traces from your device!
A lot of malware and vulnerabilities can be mitigated by disabling specific programs in your computer. Do any of you know about PowerShell? It is a scripting language that's bundled with Windows. Nobody except for developers uses it, and it is also widely used by malware to download itself onto your computer. You can't turn it off, but you can virtually incapacitate its ability to run scripts by running this in an Administrator PowerShell:
Set-ExecutionPolicy -ExecutionPolicy AllSigned
And to enable it to run scripts again you run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
This prevents PowerShell from running scripts unless they are signed by a centralized certificate issuer, and there's no way a malware author can convince one of them to sign their malware-installing script.
And to stop the vast majority of malware from being able to run their payloads in a Word document, you should disable VBScript*, another Windows scripting language that is both ancient and obsolete (and can run on Windows even if no programs are installed). Word documents can run VBScript when you interact with them, but this can be abused easily. I am disappointed that it is still enabled by default. There is no effort to patch VBScript security holes because it is considered legacy software. VBScript is not used in newer software, partly because there is no documentation about VBScript, and even MS wants you to stop using it.
Here are the registry keys you need to add to completely turn it off (Warning: this might make some programs that have parts of code written a long time ago in VBScript, such as Office, stop working. If that happens, just delete the keys if you created them, or change the values from 0 to 1.)
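As an added example (not posted by anyone in this thread), the following PowerShell audits the execution policy in every scope and reports whether a given script carries a valid Authenticode signature, which is the check the AllSigned policy actually performs. The script path is a placeholder to replace; note that Microsoft documents execution policy as a safety feature rather than a security boundary, so it complements rather than replaces other endpoint controls.

```powershell
# Added example (not from the thread): audit execution policy per scope and
# check whether a script would be allowed to run under AllSigned.
# The path passed to Test-AllSignedWouldRun is a placeholder.

function Get-PolicyReport {
    # Policy is evaluated per scope; the most specific scope that is not
    # Undefined wins (Process, then CurrentUser, then LocalMachine).
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{ Scope = $_.Scope; Policy = $_.ExecutionPolicy }
    }
}

function Test-AllSignedWouldRun {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # AllSigned runs a script only if its Authenticode signature is valid and
    # chains to a trusted root (prompting once for publishers not yet in the
    # Trusted Publishers store); unsigned or tampered scripts are blocked.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    [pscustomobject]@{
        Path     = $ScriptPath
        Status   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        WouldRun = ($sig.Status -eq 'Valid')
    }
}

# Usage (replace the placeholder path with a real script):
Get-PolicyReport | Format-Table -AutoSize
Test-AllSignedWouldRun -ScriptPath 'C:\path\to\script.ps1' | Format-List
```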
This advice is not effective because hackers nowadays put their malware in innocent-looking URLs that they send you in email messages along with some normal-looking headline. So it's easy for us to fall for it.