Topic: Anubis: A fork malware which targets crypto currency wallets (Read 344 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
This strain of malware already existed before, since a couple of years ago. Malpedia has a dump of whitepapers about it and Mitre nicely lists the attacks it can make. Microsoft only made a tweet about Anubis but I don't see any new whitepapers written about it, or new information about Anubis on the news. So I don't think there is a new strain of Anubis in the wild, I think we are just talking about the same old version.

Also, it doesn't only target cryptocurrency wallets, it grabs anything with financial value, so that means passwords, credit cards, and just about anything else you'd expect malware to steal. So while I don't think it's safe to copy private keys or seed phrases on such systems, if you obfuscate and scramble your keys before storing them on such infected systems (it could be as simple as encoding it in hexadecimal or base64) then I believe the command-and-control operators running Anubis will be confused and not know what this data represents, and may treat it like junk data.

Anubis rang a bell, and I thought this was old news from at least 2018/2019, when a banking-targeting malware was on the loose.

It does ring a bell, {Warning}: Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely.

If we are going by the flow, it was supposedly a fork of Loki, so backtracking, the mode of attack is:


So I will assume that the 3rd attack vector is what Microsoft Engineers have seen in the wild.

No, Cerberus is not the same malware as Anubis; they have different codebases. And LokiBot is also a different malware from those two. They are developed independently of each other, and when you analyze these three viruses you should treat them as three separate threats, as they don't share features unless one dev explicitly copies features from another one, and they may not even be open source, making what I said impossible for them to do.

So it's not like there's this combined banking trojan threat that's out to get us all, which is what the media is making it out as. Like I said earlier, news articles don't give out specific details about how malware works.

I also think it is dangerous for the Anubis writers to replay the hacking strategies that LokiBot used, because their methods are already well documented by researchers, like the Trend Micro articles you linked to, so it makes it easier for some enterprise to detect an attempted hack and sanitize their computer systems.



There is an easy killswitch for Anubis, just turn off your phone's gyroscope because it monitors it to see if the phone moves. This is the same killswitch in Cerberus by the way, I think I wrote about that one here before. It's a common test malware authors put in to make sure the malware does not run in security researchers' emulated and hand-crafted Android sandboxes so they can't inspect it for properties and patterns.

So that means if you have an old dumb-phone running Android but it has no gyroscope in it, then you cannot be infected by any of these "modern" trojans because they will stop themselves automatically and clean up their traces from your device!

A lot of malware and vulnerabilities can be mitigated by disabling specific programs on your computer. Do any of you know about PowerShell? It is a scripting language that's bundled with Windows. Nobody except for developers uses it, and it is also widely used by malware to download itself onto your computer. You can't turn it off, but you can virtually incapacitate its ability to run scripts by running this in an Administrator PowerShell:

Code:
Set-ExecutionPolicy -ExecutionPolicy AllSigned

And to enable it to run scripts again you run:

Code:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

This prevents PowerShell from running scripts unless they are signed by a centralized certificate issuer, and there's no way a malware author can convince one of them to sign their malware-installing script.

And to stop the vast majority of malware from being able to run their payloads in a Word document, you should disable VBScript*, another Windows scripting language that is both ancient and obsolete (and can run on Windows even if no programs are installed). Word documents can run VBScript when you interact with them but this can be abused easily. I am disappointed that it is still enabled by default. There is no effort to patch VBScript security holes because it is considered legacy software. VBScript is not used in newer software, partly because there is no documentation about VBscript, and even MS wants you to stop using it.

Here are the registry keys you need to add to completely turn it off (Warning: this might make some programs that have parts of code written a long time ago in VBscript, such as Office, stop working. If that happens, just delete the keys if you created them, or change the values from 0 to 1.)

1. never click on any suspicious links specially shortened URL's

This advice is not effective because hackers nowadays put their malware in innocent-looking URLs that they send you in email messages along with some normal-looking headline. So it's easy for us to fall for it.
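An added example, not from the thread, that audits the execution policy described above across all scopes and checks whether a given script carries the valid Authenticode signature that AllSigned requires; `$ScriptPath` is a placeholder. Microsoft documents the execution policy as a safety feature rather than a security boundary, and the per-scope view shows when a Group Policy scope overrides what Set-ExecutionPolicy changed.

```powershell
# Added example (not from the thread). Shows the state AllSigned/RemoteSigned
# leaves the machine in, and what AllSigned will verify before running a script.

function Get-ExecutionPolicyReport {
    # Per-scope view: MachinePolicy and UserPolicy come from Group Policy and
    # override the LocalMachine/CurrentUser values that Set-ExecutionPolicy writes.
    $rows = Get-ExecutionPolicy -List | ForEach-Object {
        [PSCustomObject]@{
            Scope  = $_.Scope
            Policy = $_.ExecutionPolicy
        }
    }
    [PSCustomObject]@{
        Effective = Get-ExecutionPolicy   # the policy that actually applies
        Scopes    = $rows
    }
}

function Test-ScriptUnderAllSigned {
    param([Parameter(Mandatory)][string]$Path)
    # AllSigned runs a script only if it carries an Authenticode signature that
    # chains to a trusted root. 'Valid' is the only status that passes; NotSigned
    # or HashMismatch (file edited after signing) are refused. Even a Valid
    # signature from a publisher not yet in Trusted Publishers triggers a prompt.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        WouldRun = ($sig.Status -eq 'Valid')
    }
}

Get-ExecutionPolicyReport | Format-List
# $ScriptPath is a placeholder; point it at any .ps1 you are about to run.
$ScriptPath = 'C:\placeholder\script.ps1'
if (Test-Path $ScriptPath) { Test-ScriptUnderAllSigned -Path $ScriptPath | Format-List }
```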
hero member
Activity: 1344
Merit: 540
Honestly anyone dealing with cryptocurrencies by now should already be using Linux or at least give it a try. Windows is constantly being attacked and antivirus or anti-malware programs are definitely not the solution as they can also be attacked and give a false sense of security. For starters, give Linux Mint a try.
I understand, but not everyone who deals in crypto is technically inclined, though; heck, even others have problems creating their own wallet and knowing how to store and protect their private keys. I also have Linux Mint installed on my other machines, and I enjoyed working on it. But sometimes I still need some G based applications.
full member
Activity: 924
Merit: 221
We should all be aware of the things that happen on the internet to keep us from being a target of phishing or hacking, especially when it involves cryptocurrency funds. This is clearly the work of hackers, and no one is going to like losing the crypto funds in a wallet which we thought was trusted.

I have come across another thread about the installation of a certain application that looks like malware that can access important details of the computer or device where the application was installed. I have to be cautious anytime when installing or clicking links that are fake.

Since there are already indicators of fake links and sites, I can avoid them somehow. Probably a good attitude in browsing the net is to bookmark sites that are always visited, or to check a link first to see if it is legit.
legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
@JakobFugger,
Quote
btw Anubis is the Greek God who guided the dead in the underworld;
Actually he was the Egyptian god of mummification and the afterlife as well as the patron god of lost souls and the helpless. He is one of the oldest gods of Egypt, who most likely developed from the earlier (and much older) jackal god Wepwawet with whom he is often confused.
Just clearing that up...

As for the malware, not surprised at all. As others have said, be very careful when surfing the 'net and, along with a good AV, always use a JavaScript blocker such as NoScript.
jr. member
Activity: 75
Merit: 2
Honestly anyone dealing with cryptocurrencies by now should already be using Linux or at least give it a try. Windows is constantly being attacked and antivirus or anti-malware programs are definitely not the solution as they can also be attacked and give a false sense of security. For starters, give Linux Mint a try.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I use Kaspersky Internet Security but, as has been said, any AV or Internet security software can only give you a second layer of protection / prevention. Companies need time to update their databases, so if you have a bad web surfing style, you put your devices and your accounts, identities, and funds at risk.

I think AV companies act very fast when it comes to refreshing their definition databases; it's not something that happens once a week or a month like an update for the Windows OS. Of course there is also heuristic analysis that can detect the virus even if it is not in the database, and that component is very important.

It is crucial that this virus, like most others, spreads in the usual ways, so you only need to turn on the brain when using the Internet, because any infection of the device is the result of irresponsible behavior. Although I use a hardware wallet, the computer I use for crypto is under special usage measures, which means there are no torrents, no suspicious pages, and everything has to be up to date. For everything else I use another device, and I think this is the minimum safety precaution that everyone should apply.
hero member
Activity: 2632
Merit: 833
Funny that they announce they saw it first being sold in the DarkNet markets. That is, they probably bought it. Would that be a crime? I don't know what the legislation is for this type of event, but I found it curious.

Perhaps those cyber threat investigators are also frequenting the DarkNet markets to see what's going on, especially regarding malware/viruses/data breaches being sold. And then they go one step further to investigate or, yeah, maybe acquire the virus itself to understand how it really works.

Now, what I didn't understand is about the wallets. It is a virus that steals data. Does it steal the data to access a wallet? Could they send the .file too? I think it is more likely it will steal the password and username from exchanges.

If you look at its predecessors, one method to spread is if you download a malicious installer, then it downloads a payload. Then it has total control of your PC. So if it has total control of your PC then it can do everything without you noticing it, including being persistent, watching your passwords and your crypto wallets.
member
Activity: 135
Merit: 49
Funny that they announce they saw it first being sold in the DarkNet markets. That is, they probably bought it. Would that be a crime? I don't know what the legislation is for this type of event, but I found it curious.

Now, what I didn't understand is about the wallets. It is a virus that steals data. Does it steal the data to access a wallet? Could they send the .file too? I think it is more likely it will steal the password and username from exchanges.

btw Anubis is the Greek God who guided the dead in the underworld;
legendary
Activity: 2576
Merit: 1655
Anubis rang a bell, and I thought this was old news from at least 2018/2019, when a banking-targeting malware was on the loose.

It does ring a bell, {Warning}: Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely.

If we are going by the flow, it was supposedly a fork of Loki, so backtracking, the mode of attack is:


So I will assume that the 3rd attack vector is what Microsoft Engineers have seen in the wild.
hero member
Activity: 1288
Merit: 504
These pop-ups are always very tempting, especially for people that subscribe to just too many platforms, and the thing about technology is coding. Where there are series of security procedures, there are also codes to bypass them if need be.
No wonder these sections are being exploited by a lot of persons for a lot of reasons. These codes are planted in the variety of pop-ups or mails one receives, and upon clicking, it's like an entry permit for the malware to operate. You've just got to learn to avoid them and also not to input your details or activate notifications to the extent that you get confused. It raises your vulnerability.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
So which Internet security or antivirus software do you recommend for us? Or can anyone who knows these programs well tell us here what kind of antivirus would be enough to detect this new malware? There are tons of them in the market; I just want to know more information before saving some money to buy one.
I use Kaspersky Internet Security but, as has been said, any AV or Internet security software can only give you a second layer of protection / prevention. Companies need time to update their databases, so if you have a bad web surfing style, you put your devices and your accounts, identities, and funds at risk.

There are some free ones, but I don't recommend anyone use a free one if you are seriously invested in crypto.

I prefer Kaspersky for my devices, but on the one I use to trade daily, I don't store my wallets, seeds, or keys. Using strong passwords and activating 2FA (I don't use the phone I installed my 2FAs on to trade. It is mostly offline) are other things.
hero member
Activity: 2268
Merit: 588
You own the pen
Again, we should always have a good security practices;

1. never click on any suspicious links specially shortened URL's
2. update our OS
3. Train our eyes, educate ourselves, stay vigilant
4. back up our data regularly
Good, but not enough, so please give me a chance to support your advice with this point:

  • Allocate part of your capital to buy Internet security or antivirus software to protect your devices.

Your suggested solutions are the first layer of prevention and protection; the second one is mine. "Prevention and protection are better than cure." Crypto transactions are irreversible, so the statement makes more sense.

So which Internet security or antivirus software do you recommend for us? Or can anyone who knows these programs well tell us here what kind of antivirus would be enough to detect this new malware? There are tons of them in the market; I just want to know more information before saving some money to buy one.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
Again, we should always have a good security practices;

1. never click on any suspicious links specially shortened URL's
2. update our OS
3. Train our eyes, educate ourselves, stay vigilant
4. back up our data regularly
Good, but not enough, so please give me a chance to support your advice with this point:

  • Allocate part of your capital to buy Internet security or antivirus software to protect your devices.

Your suggested solutions are the first layer of prevention and protection; the second one is mine. "Prevention and protection are better than cure." Crypto transactions are irreversible, so the statement makes more sense.
full member
Activity: 924
Merit: 221
Nowadays, users with average computer knowledge but a love for cryptocurrency might become victims of these swindlers. We also cannot force users not to join cryptocurrency if they have only a little knowledge, even if they are having a hard time learning the basics about cryptocurrency. However, we could still help them out with posts like the one OP made. Starting a thread regarding the new trend of phishing or scamming would be a better way to educate people about cryptocurrency. This could also help to bring down the number of people getting scammed over a period of time. All users must be vigilant about this and share.
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
Swindlers in the cryptocurrency space have become a constant phenomenon. Thus, they will constantly look for ways to hack wallets. There are thousands of instructions on the forum that warn users to use their assets carefully. But despite this, there are still those who lose their money.
Knowing the basics of safe Internet use has become the number one rule. But knowledge alone does not always help. Constant monitoring of news related to cryptocurrency protection will prevent many from accidental losses.
You should always blame only yourself, for your carelessness, and draw conclusions for the future so as not to repeat such mistakes.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Anubis rang a bell, and I thought this was old news from at least 2018/2019, when a banking targeting malware was on the loose.

It turns out that this Anubis is not the same (who ever baptised it could have avoided name collision in order to make it less confusing) as that Anubis:
Quote
Importantly, this malware is distinct from a family of Android banking malware also called Anubis. It joins a growing list of malwares that look for vulnerable cryptocurrency stashes.
Unfortunately, Microsoft seems to have omitted providing the details yet with concrete examples and measure of current impact, although a partner director of security research at Microsoft stated that "it is downloaded from certain websites", which is not much to go by (except for the always be extremely wary of what and from where you download).

See: https://www.coindesk.com/malware-anubis-cryptocurrency-wallets
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
1. never click on any suspicious links specially shortened URL's
2. update our OS
3. Train our eyes, educate ourselves, stay vigilant
4. back up our data regularly
You are absolutely right, there are new forms of malware as time passes, but the preventive measures are still the same. If we can use the same old preventive measures, then we will be good. But many people do not know about this; all they know is to visit social media and click on any link they wish to. People also like free giveaways, and the link to the giveaway can contain malware links. Also, some people like scam businesses like cloud mining, and the cloud mining site can also contain malware. How about airdrops that steal information from someone, from where a link can be sent to someone's email in a phishing attack; the link in the email can contain malware.

Although people are social and have to go online, they have to be careful while clicking on links. That is why I have my wallet devices, on which I also have my exchange accounts and bank account apps, separately; I do not use them to connect online at all, but only for such sensitive purposes.
hero member
Activity: 1344
Merit: 540
According to Microsoft Security Intelligence, there is a new fork malware from Loki which targets cryptocurrency wallets. It seems that cyber criminals are also forking code to suit their needs (no pun intended).



https://twitter.com/MsftSecIntel/status/1298752223321546754

I also checked any.run to see if someone had already run a scan on
Code:
Anubis Stealer.exe



Here is the full report: https://any.run/report/895b3b6890d192de8bc3744ce0757edb909351081744403663a9c3b04e409125/2e03f091-19a3-4d98-ba5c-0623b704a525#screenshots

Again, we should always have a good security practices;

1. never click on any suspicious links specially shortened URL's
2. update our OS
3. Train our eyes, educate ourselves, stay vigilant
4. back up our data regularly