Cybercriminals continue making malware for profit, with a recent report uncovering ASMCrypt in underground forums related to the DoubleFinger loader.
In the cybercrime landscape, researchers at Securelist have also reported on new Lumma stealer and Zanubis Android banking malware versions.
Researchers discovered an ad for ASMCrypt, a cryptor/loader variant designed to avoid AV/EDR detection, resembling the DoubleFinger loader.
However, researchers strongly suspect ASMCrypt is an evolved DoubleFinger version, acting as a ‘front’ for a TOR network service, though with some differences in operation.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
New Android Banking Malware
Buyers get the ASMCrypt binary, which connects to the malware’s TOR backend using hardcoded credentials and then displays the options menu.
Here below, we have mentioned all the available options:-
- Stealth injection method
- Invisible injection method
- The process the payload should be injected into
- Folder name for startup persistence
- Either the malware itself masquerading as Apple QuickTime
- Either the malware itself masquerades as a legitimate application that sideloads the malicious DLL
Once options are chosen and the build button pressed, the app conceals an encrypted blob in a .png file to be uploaded on an image hosting site. Simultaneously, the cybercriminals create and distribute the malicious DLL or binary, reads the report.
- Lumma: This stealer is written in C++ and is also known by other names: Arkei stealer, Vidar, Oski, and Mars. It has maintained its core function of stealing crypto wallet data since May 2018. Lumma, with a 46% overlap with Arkei, is the latest variant, and it spreads via a deceptive website, posing as a .docx to .pdf converter, and first appeared in August 2022.
- Zanubis: Zanubis, an Android banking trojan, emerged in August 2022, targeting financial and cryptocurrency users in Peru. It disguises itself as legitimate Peruvian governmental organization Android apps and gains control by tricking users into granting Accessibility permissions. Recent samples appeared in April 2023, including one impersonating the official SUNAT app, showcasing evolving sophistication.
Like Lumma and Zanubis, Malware evolves with varied functionality, posing challenges for defense teams. Staying informed through intelligence reports is vital to safeguard against emerging threats and attacker tactics.
IOCs
Lumma
6b4c224c16e852bdc7ed2001597cde9d
844ab1b8a2db0242a20a6f3bbceedf6b
a09daf5791d8fd4b5843cd38ae37cf97
5aac51312dfd99bf4e88be482f734c79
d1f506b59908e3389c83a3a8e8da3276
c2a9151e0e9f4175e555cf90300b45c9
Zanubis
054061a4f0c37b0b353580f644eac554
a518eff78ae5a529dc044ed4bbd3c360
41d72de9df70205289c9ae8f3b4f0bcb
9b00a65f117756134fdb9f6ba4cef61d
8d99c2b7cf55cac1ba0035ae265c1ac5
248b2b76b5fb6e35c2d0a8657e080759
a2c115d38b500c5dfd80d6208368ff55
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.