I recently set out to become more acquainted with Maltego, a useful program for open-source intelligence (OSINT) and forensics, developed by Paterva. I also noticed there is an ongoing campaign against Turkey using Android banking Trojans such as Anubis and Cerberus. Both are Malware-as-a-Service offerings that supply a builder and mobile remote access Trojan (MRAT) to steal credentials from Android users.
Security researchers such as @MalwareHunterTeam, @ReBensk, @pr3wtd, and @mertcangokgoz, and others have all recently shared new samples of Cerberus and Anubis targeting users in Turkey with mobile data “gifts” that are offered from their mobile carriers due to COVID-19. Various websites are registered hosting links to fake apps, which were downloaded from the threat actor’s GitLab or BitBucket repositories. These apps are Android packages (.APK) that can be distributed via SMS, instant messaging app, on Twitter, via email, and other social engineering techniques.
With the Tweets of these security researchers I compiled the indicators of compromise (IOCs) such as file hashes, domains, IP addresses, and any other useful artefacts. I then fired up Maltego and began compiling the IOCs and trying to figure out how it was all connected.
Multiple Anubis campaigns:
Cerberus GitLab campaign:
Cerberus BitBucket campaign:
Phishing lures:
Number of people targeted in these campaigns:
Additional findings:
Four of the command and control (C&C) servers during the Cerberus BitBucket campaign were registered by the same threat actor. All used the same throwaway Gmail address to register over a dozen malicious domains with the “.top” gTLD.
As previously mentioned the attackers are exploiting the lockdown due to the coronavirus with these key phrases in Turkish:- “Hediye” = Gift
– “Evde internetim var” = Have internet at home
– “Evde kal” = Stay at home
– “Indir 20GB kazan” = Download win 20GB
(Disclaimer – I only used Google translate)
Indicators of Compromise:
Filenames:
EvdeHayatVar_build_obf.apk | Covid_19.apk | EvdeKal_build_obf.apk |
evdekal_obf.apk | Covid19MobileInstall_obf.apk | Vodafone-5G.apk |
evdekal-20gb.apk | Covid-19Mobile.apk | GooglePlay.apk |
20gb-evdekal.apk | 20GBHediye.apk | 20gb_hediye_internet.apk |
30GbKazan.apk | 20gbhediyesi.apk | HayatEveSigar.apk |
hediye20gb.apk | 20gb-evde-kal.apk | SenEvdesinDiye_build_obf.apk |
20gb_hediye_internet.apk | hediye20gb.apk | hayatevesigar.apk |
evdekaliyorum.apk | basvuru_devlet_destegi.apk | evde-kal.apk |
Users:
https://bitbucket[.]org/kaankaratas12881
https://bitbucket[.]org/emreadamol34
https://gitlab[.]com/ordulkemal2
IOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX feed here.
Sources:
Continued:
Security researchers that focus on Android threats have shared additional samples this week as part of this ongoing campaign. Some samples are directly connected, others are part of a new wave. BitBucket remains to be a preferred choice for hosting the APK files of the Android Trojans and many of the malicious domains are hosted with the GoDaddy registrar services.
Anubis campaigns:
Continued:
Phishing lures used this week:
More IOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX feed here.
Analysis:
Turkish users continue to be targeted by the Anubis Android banking Trojan campaign, using coronavirus phishing and free mobile data “gifts” due to the lockdown. If the previous download numbers are to be believed, it is more than likely that around 4,000 people in Turkey may have unknowingly downloaded the Trojan onto their devices.
This is a serious cybercriminal campagin that is exploiting the COVID-19 pandemic. What makes these attacks all the more difficult to prevent is that Anubis is a Malware-as-a-Service platform. This means that low-skilled threat actors can purchase access and initiate attacks immediately. The only barrier to entry is usually a Bitcoin wallet to buy with.
This campaign is likely to continue exploiting the coronavirus for the forseeable future. It is a golden opportunity for threat actors to leverage in their phishing lures due to a heightened level of paranoia and uncertainty amongst the general population. As people seek for answers and the latest news on the coronavirus they fall into these attacker’s traps.
Android users should exercise caution over such threats and make sure to never download an application from a website or third-party appstore. Business devices should stick to vetted apps from the Google Play Store.
Sources:
https://twitter.com/malwrhunterteam/status/1260817120687984640
https://twitter.com/malwrhunterteam/status/1260606944882110464
https://twitter.com/ReBensk/status/1260502947680698368
https://twitter.com/ReBensk/status/1260791061301137409
https://twitter.com/ReBensk/status/1260056152965918720
https://twitter.com/ReBensk/status/1260085218364452864
https://twitter.com/ReBensk/status/1260175293009891328
https://twitter.com/ReBensk/status/1259771887598612487
https://twitter.com/SmashTheKernel/status/1259801643748667392
https://twitter.com/ni_fi_70/status/1259792444444606465