Anubis Android银行木马技术分析及新近活动总结
背景介绍
Anubis(阿努比斯)是古埃及神话中的死神,以胡狼头、人身的形象出现在法老的壁画中。同时Anubis也是一种Android银行恶意软件,自2017年以来已经为全球100多个国家,300多家金融机构带来了相当大的麻烦。Anubis截止到目前为止,爆发地主要为欧洲国家,国内暂未发现该银行木马。
Anubis主要通过伪装成金融应用、手机游戏、购物应用、软件更新、邮件应用、浏览器应用甚至物流应用等,从而渗透进谷歌应用商店,诱骗用户下载安装。
Anubis木马功能强大,自身结合了钓鱼、远控、勒索木马的功能。Anubis通过仿冒各种应用诱骗用户安装使用,当软件被激活后,会展现给用户一个仿冒的钓鱼页面,从而获取用户敏感信息,如银行账号密码、个人身份信息等。Anubis具备一般银行木马的功能,包括屏蔽用户短信,获取转发用户短信等功能。Anubis同时可以从服务端获取远控指令,对用户手机进行进一步控制。Anubis还是第一个集成勒索软件功能的Android银行木马。Anubis功能之多、之强大,甚至可以作为间谍软件进行使用。
近期有国外安全研究者发现一款仿冒为西班牙邮政运营商Correos的恶意软件,该恶意软件运行后会释放仿冒为Google Play Service Updater V2.1的Anubis木马程序,诱骗用户安装更新。
诱饵关联
本次Anubis的载体为仿冒为西班牙邮政运营商Correos的恶意软件:
Correos官网:
经过盘古团队的Janus系统关联分析,我们发现了最新的12个Anubis载体,其图标去重后如下:
本次Anubis载体代码结构也基本相同:
样本分析
| 文件名称 | Correos Rastreo.apk |
|---|---|
| 软件名称 | Correos Rastreo |
| 软件包名 | com.consultar.rastero |
| MD5 | 04D94228021B73E44261ADCCAD4173F3 |
| 安装图标 |  |
Anubis银行木马到目前为止功能大同小异,虽然仿冒的种类繁多,但核心代码结构并未有巨大的改变。Anubis代码核心以远控为主体,钓鱼、勒索等其它功能为辐,目的则为获取用户关键信息,窃取用户财产。
仿冒为Correos的程序运行后,会诱骗用户安装更新Google Play,而该更新软件即为Anubis木马程序。
仿冒为Correos的样本运行界面:
诱骗用户安装仿冒为Google Play Service Updater V2.1的Anubis木马程序:
通过拼接字符串获取下载链接:
访问数据:
获取到的Anubis木马程序:
当Anubis木马运行后,依然延续了恶意软件的“做贼心虚”的本质,先隐藏自身,达到保护自身的目的:
通过服务器可以下发30多种指令,获取对用户手机的全面控制权,其中主要功能有,获取键盘记录、加密用户手机文件、开启VNC远程、打开指定web界面等。
获取指令及上传获取到的用户信息的URL拼接:
主要远控指令分析:
| 主要远控指令 | 指令对应的功能 |
|---|---|
| Send_GO_SMS | 向指定电话号码发送指定内容 |
| nymBePsG0 | 获取用户手机通讯录 |
| GetSWSGO | 获取用户手机短信 |
| telbookgotext= | |
| getapps | 获取用户手机已安装应用 |
| getpermissions | 获取已有的权限信息 |
| startaccessibility | 权限请求 |
| startpermission | 权限请求 |
| =ALERT| | 提示消息 |
| =PUSH| | 推送通知 |
| startAutoPush | 根据不同国家,推送不同的消息 |
| RequestPermissionGPS | 请求获取地理位置权限 |
| |ussd= | 呼叫转移 |
| |recordsound= | 录音 |
| |replaceurl= | 替换URL |
| |startapplication= | 启动指定应用 |
| getkeylogger | 获取键盘记录 |
| stopsound | 停止录音 |
| startsound | 开始录音 |
| startscreenVNC | 开启VNC远控 |
| deletefilefolder: | 删除文件 |
| downloadfile: | 下载文件 |
| opendir: | 获取文件路径 |
| startforward= | 启动呼叫转移功能到指定号码 |
| stopforward | 停止呼叫转移功能 |
| |openbrowser= | 打开浏览器 |
| |openactivity= | 启动ActivityURL,打开一个web页面 |
| |cryptokey= | 对用户手机对应文件进行加密操作 |
| |decryptokey= | 对用户手机对应文件进行解密操作 |
| getip | 获取用户IP地址 |
指令 “Send_GO_SMS”:向指定电话号码发送指定内容。
指令 “nymBePsG0”:获取用户手机通讯录。
指令 “GetSWSGO”:获取用户手机短信。
指令 “|telbookgotext=”:获取用户手机通讯录。
指令 “getapps”:获取用户手机已安装应用。
指令 “getpermissions”:获取已有的权限信息。
指令 “startaccessibility”:权限请求。
指令 “startpermission”:权限请求。
指令 “=ALERT|”:提示消息。
指令 “=PUSH|”:推送通知。
指令 “startAutoPush”:根据不同国家,推送不同的消息。
指令 “RequestPermissionGPS”:请求获取地理位置权限。
指令 “|ussd=”:呼叫转移。
指令 “|recordsound=”:录音。
指令 “|replaceurl=”:替换URL。
指令 “|startapplication=”:启动指定应用。
指令 “getkeylogger”:获取键盘记录。
指令 “stopsound”:停止录音。
指令 “startsound”:开始录音。
指令 “startscreenVNC”:开启VNC远控。
指令”deletefilefolder:”:删除文件。
指令 “downloadfile:”:下载文件。
指令 “opendir:”:获取文件路径。
指令 “startforward=”:启动呼叫转移功能到指定号码。
指令 “stopforward”:停止呼叫转移功能。
指令 “|openbrowser=”:打开浏览器。
指令 “|openactivity=”:启动ActivityURL,打开一个web页面。
指令 “|cryptokey=”:对用户手机对应文件进行加密操作。
指令 “|decryptokey=”:对用户手机对应文件进行解密操作。
指令 “getip”:获取用户IP地址。
同源分析
通过分析样本远控代码,我们可以发现其功能繁多且全面,对应不同的指令功能,我们不难理解整个木马的运作流程及各个功能的目的。值得注意的是,木马有打开WEB页面的操作,虽然目前该URL已经失效,但我们结合之前的同源样本分析结果,可以发现要打开的URL即为钓鱼页面。
同源样本中,打开推特链接:
现已失效:
同源样本中之前国外的分析结果,打开推特获取备份C2:
打开解析后的链接,即为仿冒银行的登录页面:
新发现的Anubis相比于以前的做了加固处理,但是脱壳之后代码结构与之前的没有多大改变。
经过加固的代码结构:
脱壳后的代码结构:
Anubis旧版本代码结构:
新近活动
我们对2019年后的Anubis样本进行了数据统计,以便后期可以更好的进行监控。
统计Anubis仿冒的主要图标,我们可以发现,Anubis木马主要通过仿冒一些主流的应用或者浏览器插件,诱骗用户进行更新,从而可以最大限度的迷惑用户,使木马本身可以顺利安装到用户手机中。
通过统计2019年前4个月Anubis数量变化,我们可以发现,Anubis并没有因去年在国外大规模的爆发,被谷歌进行清理封杀而彻底消失或数量减少,其仍然一直存活着而且数量并没有减少,不间断的仍然会有人中木马病毒,虽然其域名被大量封杀,但并不能说明Anubis对用户手机已没有任何威胁,我们依然要谨防新的变种出现。
通过统计主要受害国家,我们可以看到受害国家主要集中在欧美地区,而土耳其与美国受害者最多,虽然目前国内暂未发现Anubis木马病毒,但我们也不能大意:
此外附上由Threatfabric总结的,Anubis自爆发以来仿冒全球378个金融机构应用程序信息:
| Package name | Application name |
|---|---|
| MyING.be | ING Smart Banking |
| alior.bankingapp.android | Usługi Bankowe |
| at.bawag.mbanking | BAWAG P.S.K. |
| at.easybank.mbanking | easybank |
| at.easybank.securityapp | easybank Security App |
| at.easybank.tablet | easybank app |
| at.psa.app.bawag | BAWAG P.S.K. SmartPay |
| at.spardat.bcrmobile | Touch 24 Banking BCR |
| at.spardat.netbanking | ErsteBank/Sparkasse netbanking |
| at.volksbank.volksbankmobile | Volksbank Banking |
| au.com.bankwest.mobile | Bankwest |
| au.com.cua.mb | CUA |
| au.com.ingdirect.android | ING Australia Banking |
| au.com.mebank.banking | ME Bank |
| au.com.nab.mobile | NAB Mobile Banking |
| au.com.newcastlepermanent | NPBS Mobile Banking |
| au.com.suncorp.SuncorpBank | Suncorp Bank |
| biz.mobinex.android.apps.cep_sifrematik | Garanti Cep Şifrematik |
| by.st.alfa | Альфа-Бизнес Мобайл Беларусь |
| com.DijitalSahne.EnYakinHalkbank | Halkbank Nerede |
| com.FubonMobileClient | Fubon HK |
| com.MobileTreeApp | Dah Sing Bank |
| com.Plus500 | Plus500: CFD Online Trading on Forex and Stocks |
| com.SifrebazCep | Halkbank Şifrebaz Cep |
| com.abnamro.nl.mobile.payments | ABN AMRO Mobiel Bankieren |
| com.advantage.RaiffeisenBank | Raiffeisen Smart Mobile |
| com.aff.otpdirekt | OTP SmartBank |
| com.akbank.android.apps.akbank_direkt | Akbank Direkt |
| com.akbank.android.apps.akbank_direkt_tablet | Akbank Direkt Tablet |
| com.akbank.softotp | Akbank Direkt Şifreci |
| com.amazon.mShop.android.shopping | Amazon Shopping |
| com.amazon.windowshop | Amazon for Tablets |
| com.anz.android | ANZ Mobile Taiwan |
| com.anz.android.gomoney | ANZ Australia |
| com.anzspot.mobile | ANZ Spot |
| com.arubanetworks.atmanz | Atmosphere ANZ |
| com.axis.mobile | Axis Mobile- Fund Transfer,UPI,Recharge & Payment |
| com.bankaustria.android.olb | Bank Austria MobileBanking |
| com.bankia.wallet | Bankia Wallet |
| com.bankinter.launcher | Bankinter Móvil |
| com.bankofamerica.cashpromobile | CashPro® + Token |
| com.bankofqueensland.boq | BOQ Mobile |
| com.barclays.android.barclaysmobilebanking | Barclays Mobile Banking |
| com.barclays.ke.mobile.android.ui | Barclays Kenya |
| com.bawagpsk.securityapp | BAWAG P.S.K. Security App |
| com.bbva.bbvacontigo | BBVA Spain |
| com.bbva.bbvawallet | BBVA Wallet Spain. Mobile Payment |
| com.bbva.netcash | BBVA Net cash |
| com.bendigobank.mobile | Bendigo Bank |
| com.binance.dev | Binance – Cryptocurrency Exchange |
| com.binance.odapplications | Binance: Cryptocurrency & Bitcoin Exchange |
| com.bitcoin.ss.zebpayindia | Zebpay India |
| com.bitfinex.bfxapp | Bitfinex |
| com.bitmarket.trader | Aplikacja Bitmarket |
| com.blockfolio.blockfolio | Blockfolio – Bitcoin and Cryptocurrency Tracker |
| com.bmo.mobile | BMO Mobile Banking |
| com.boursorama.android.clients | Boursorama Banque |
| com.bssys.VTBClient | Mobile Client VTB |
| com.bssys.vtb.mobileclient | MobileClientVTB |
| com.btcturk | BtcTurk Bitcoin Borsası |
| com.caisseepargne.android.mobilebanking | Banque |
| com.cba.android.netbank | CommBank app for tablet |
| com.chase.sig.android | Chase Mobile |
| com.cibc.android.mobi | CIBC Mobile Banking® |
| com.citi.citimobile | Citi Mobile® |
| com.citibank.mobile.au | Citibank Australia |
| com.citibank.mobile.uk | Citi Mobile UK |
| com.clairmail.fth | Fifth Third Mobile Banking |
| com.cleverlance.csas.servis24 | SERVIS 24 Mobilni banka |
| com.cm_prod.bad | Crédit Mutuel |
| com.cm_prod.epasal | Epargne Salariale CM |
| com.cm_prod.nosactus | Crédit Mutuel – Nos Actus |
| com.cm_prod_tablet.bad | Crédit Mutuel pour Tablettes |
| com.coin.profit | Coin Profit |
| com.coinbase.android | Coinbase – Buy Bitcoin & more. Secure Wallet. |
| com.coins.bit.local | LocalBitCoins |
| com.coins.ful.bit | LocalBitCoins NEW |
| com.comarch.mobile.banking.bgzbnpparibas.biznes | Mobile BiznesPl@net |
| com.comarch.security.mobilebanking | INGBusiness |
| com.commbank.netbank | CommBank |
| com.crowdcompass.appSQ0QACAcYJ | ANZ Investor Tour |
| com.crypter.cryptocyrrency | Crypto App – Widgets, Alerts, News, Bitcoin Prices |
| com.csam.icici.bank.imobile | iMobile by ICICI Bank |
| com.db.mm.deutschebank | Meine Bank |
| com.db.mm.norisbank | norisbank App |
| com.db.pwcc.dbmobile | Deutsche Bank Mobile |
| com.dbs.hk.dbsmbanking | DBS digibank Hong Kong |
| com.de.dkb.portalapp | DKB-Banking |
| com.ebay.mobile | Fashion & Tech Deals – Shop, Sell & Save with eBay |
| com.edsoftapps.mycoinsvalue | My CryptoCoins Portfolio – All Coins |
| com.empik.empikapp | Empik |
| com.empik.empikfoto | Empik Foto |
| com.entersekt.authapp.sparkasse | S-ID-Check |
| com.fi6122.godough | TSB Mobile |
| com.finansbank.mobile.cepsube | QNB Finansbank Cep Şubesi |
| com.finanteq.finance.ca | CA24 Mobile |
| com.fragment.akbank | Akbank Sanat |
| com.fusion.ATMLocator | People’s Choice Credit Union |
| com.garanti.cepbank | Garanti CepBank |
| com.garanti.cepsubesi | Garanti Mobile Banking |
| com.garantibank.cepsubesiro | GarantiBank |
| com.garantiyatirim.fx | Garanti FX Trader |
| com.getingroup.mobilebanking | Getin Mobile |
| com.grppl.android.shell.BOS | Bank of Scotland Mobile Banking: secure on the go |
| com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking |
| com.grppl.android.shell.halifax | Halifax: the banking app that gives you extra |
| com.hangseng.rbmobile | Hang Seng Personal Banking |
| com.htsu.hsbcpersonalbanking | HSBC Mobile Banking |
| com.idamob.tinkoff.android | Tinkoff |
| com.idbi.mpassbook | IDBI Bank mPassbook |
| com.idbibank.abhay_card | Abhay by IDBI Bank Ltd |
| com.ideomobile.hapoalim | בנק הפועלים – ניהול החשבון |
| com.ifs.banking.fiid4202 | TSBBank Mobile Banking |
| com.imb.banking2 | IMB.Banking |
| com.infonow.bofa | Bank of America Mobile Banking |
| com.infrasofttech.indianBank | IndPay |
| com.ing.diba.mbbr2 | ING-DiBa Banking + Brokerage |
| com.ing.mobile | ING Bankieren |
| com.ingbanktr.ingmobil | ING Mobil |
| com.isis_papyrus.raiffeisen_pay_eyewdg | Raiffeisen ELBA |
| com.jackpf.blockchainsearch | Bitcoin Blockchain Explorer |
| com.jamalabbasii1998.localbitcoin | Local BitCoin |
| com.jiffyondemand.user | Jiffy |
| com.konylabs.capitalone | Capital One® Mobile |
| com.kryptokit.jaxx | Jaxx Blockchain Wallet |
| com.kutxabank.android | Kutxabank |
| com.kuveytturk.mobil | Mobil Şube |
| com.latuabanca_tabperandroid | La tua banca per Tablet |
| com.latuabancaperandroid | Intesa Sanpaolo Mobile |
| com.localbitcoins.exchange | LocalBitcoins – Buy and sell Bitcoin |
| com.localbitcoinsmbapp | LocalBitCoins Official |
| com.lynxspa.bancopopolare | YouApp |
| com.magiclick.FinansPOS | FinansPOS |
| com.magiclick.odeabank | Odeabank |
| com.mal.saul.coinmarketcap | Coin Market-Bitcoin Prices,Currencies,BTC,EUR,ICO |
| com.matriksdata.finansyatirim | QNB Finansinvest |
| com.matriksdata.ziraatyatirim.pad | Ziraat Trader HD |
| com.matriksmobile.android.ziraatTrader | Ziraat Trader |
| com.mobikwik_new | Mobile Recharge,Bill Payments,UPI & Money Transfer |
| com.mobillium.papara | Papara Cüzdan |
| com.moneybookers.skrillpayments | Skrill |
| com.moneybookers.skrillpayments.neteller | NETELLER |
| com.monitise.isbankmoscow | ISBANK Online |
| com.mtel.androidbea | BEA 東亞銀行 |
| com.mycelium.wallet | Mycelium Bitcoin Wallet |
| com.oxigen.oxigenwallet | Bill Payment & Recharge,Wallet |
| com.palatine.android.mobilebanking.prod | ePalatine Particuliers |
| com.paypal.android.p2pmobile | PayPal Cash App: Send and Request Money Fast |
| com.phyder.engage | RBS |
| com.plunien.poloniex | Poloniex |
| com.portfolio.coinbase_tracker | Coinbase Tracker (3rd party) |
| com.pozitron.albarakaturk | Albaraka Mobil Şube |
| com.pozitron.iscep | İşCep |
| com.pozitron.vakifbank | VakıfBank Cep Şifre |
| com.quickmobile.anzirevents15 | ANZ Investor Relations Events |
| com.rbc.mobile.android | RBC Mobile |
| com.rbs.mobile.android.natwest | NatWest Mobile Banking |
| com.rbs.mobile.android.natwestbandc | NatWest Business Banking |
| com.rbs.mobile.android.natwestoffshore | NatWest International |
| com.rbs.mobile.android.rbs | Royal Bank of Scotland Mobile Banking |
| com.rbs.mobile.android.rbsbandc | RBS Business Banking |
| com.rbs.mobile.android.ubr | Ulster Bank RI Mobile Banking |
| com.rbs.mobile.investisir | RBS Investor & Media Relations |
| com.redrockdigimark | QNB National Day |
| com.rsi | ruralvía |
| com.santander.app | Santander Brasil |
| com.sbi.SBIFreedomPlus | SBI Anywhere Personal |
| com.scb.breezebanking.hk | SC Mobile Hong Kong |
| com.scotiabank.mobile | Scotiabank Mobile Banking |
| com.snapwork.IDBI | IDBI Bank GO Mobile+ |
| com.snapwork.hdfc | HDFC Bank MobileBanking |
| com.softtech.isbankasi | İşTablet |
| com.softtech.iscek | ÇEKSOR |
| com.sovereign.santander | Santander Bank US |
| com.starfinanz.mobile.android.pushtan | S-pushTAN |
| com.starfinanz.smob.android.sbanking | Sparkasse+ Finanzen im Griff |
| com.starfinanz.smob.android.sfinanzstatus | Sparkasse Ihre mobile Filiale |
| com.starfinanz.smob.android.sfinanzstatus.tablet | Sparkasse fürs Tablet |
| com.suntrust.mobilebanking | SunTrust Mobile App |
| com.targo_prod.bad | TARGOBANK Mobile Banking |
| com.td | TD Canada |
| com.teb | CEPTETEB |
| com.tecnocom.cajalaboral | Banca Móvil Laboral Kutxa |
| com.thunkable.android.manirana54.LocalBitCoins | LocalBitCoins |
| com.thunkable.android.manirana54.LocalBitCoins_unblock | UNBLOCK Local BitCoins |
| com.thunkable.android.santoshmehta364.UNOCOIN_LIVE | UNOCOIN LIVE |
| com.tmob.denizbank | MobilDeniz |
| com.tmob.tabletdeniz | MobilDeniz Tablet |
| com.tmobtech.halkbank | Halkbank Mobil |
| com.tnx.apps.coinportfolio | Coin Portfolio for Bitcoin & Altcoin tracker |
| com.triodos.bankingnl | Triodos Bankieren NL |
| com.unicredit | Mobile Banking UniCredit |
| com.unionbank.ecommerce.mobile.android | Union Bank Mobile Banking |
| com.unionbank.ecommerce.mobile.commercial.legacy | Union Bank Commercial Clients |
| com.unocoin.unocoinmerchantPoS | Unocoin Merchant PoS |
| com.unocoin.unocoinwallet | Unocoin Wallet |
| com.usaa.mobile.android.usaa | USAA Mobile |
| com.usbank.mobilebanking | U.S. Bank |
| com.vakifbank.mobile | VakıfBank Mobil Bankacılık |
| com.veripark.ykbaz | YapıKredi Azərbaycan MobilBank |
| com.vipera.ts.starter.QNB | QNB Mobile |
| com.vtb.mobilebank | VTB Mobile Georgia |
| com.wellsFargo.ceomobile | Wells Fargo CEO Mobile® |
| com.wf.wellsfargomobile | Wells Fargo Mobile |
| com.wf.wellsfargomobile.tablet | Wells Fargo for Tablet |
| com.yinzcam.facilities.verizon | Capital One Arena Mobile |
| com.ykb.android | Yapı Kredi Mobile |
| com.ykb.android.mobilonay | Yapı Kredi Corporate-For Firms |
| com.ykb.androidtablet | Yapı Kredi Mobil Şube |
| com.ykb.avm | Yapı Kredi Cüzdan |
| com.yurtdisi.iscep | JSC İŞBANK |
| com.ziraat.ziraatmobil | Ziraat Mobil |
| com.ziraat.ziraattablet | Ziraat Tablet |
| cz.airbank.android | My Air |
| cz.csob.smartbanking | ČSOB SmartBanking |
| cz.sberbankcz | Smart Banking |
| de.comdirect.android | comdirect mobile App |
| de.commerzbanking.mobil | Commerzbank Banking App |
| de.consorsbank | Consorsbank |
| de.dkb.portalapp | DKB-Banking |
| de.fiducia.smartphone.android.banking.vr | VR-Banking |
| de.fiducia.smartphone.android.securego.vr | VR-SecureGo |
| de.postbank.finanzassistent | Postbank Finanzassistent |
| de.schildbach.wallet | Bitcoin Wallet |
| es.bancopopular.nbmpopular | Popular |
| es.bancosantander.apps | Santander |
| es.cm.android | Bankia |
| es.cm.android.tablet | Bankia Tablet |
| es.evobanco.bancamovil | EVO Banco móvil |
| es.lacaixa.mobile.android.newwapicon | CaixaBank |
| eu.eleader.mobilebanking.invest | plusbank24 |
| eu.eleader.mobilebanking.pekao | Pekao24Makler |
| eu.eleader.mobilebanking.pekao.firm | PekaoBiznes24 |
| eu.eleader.mobilebanking.raiffeisen | Mobile Bank |
| eu.inmite.prj.kb.mobilbank | Mobilni Banka |
| eu.newfrontier.iBanking.mobile.Halk.Retail | Halkbank Mobile App |
| eu.unicreditgroup.hvbapptan | HVB Mobile B@nking |
| finansbank.enpara | Enpara.com Cep Şubesi |
| finansbank.enpara.sirketim | Enpara.com Şirketim Cep Şubesi |
| fr.axa.monaxa | Mon AXA |
| fr.banquepopulaire.cyberplus | Banque Populaire |
| fr.creditagricole.androidapp | Ma Banque |
| fr.laposte.lapostemobile | La Poste – Services Postaux |
| fr.laposte.lapostetablet | La Poste HD – Services Postaux |
| fr.lcl.android.customerarea | Mes Comptes – LCL |
| hdfcbank.hdfcquickbank | HDFC Bank MobileBanking LITE |
| hk.com.hsbc.hsbchkmobilebanking | HSBC HK Mobile Banking |
| hr.asseco.android.jimba.mUCI.ro | Mobile Banking |
| in.co.bankofbaroda.mpassbook | Baroda mPassbook |
| info.blockchain.merchant | Blockchain Merchant |
| io.getdelta.android | Delta – Bitcoin & Cryptocurrency Portfolio Tracker |
| it.bnl.apps.banking | BNL |
| it.bnl.apps.enterprise.bnlpay | BNL PAY |
| it.bpc.proconl.mbplus | MB+ |
| it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
| it.gruppocariparma.nowbanking | Nowbanking |
| it.ingdirect.app | ING DIRECT Italia |
| it.nogood.container | UBI Banca |
| it.popso.SCRIGNOapp | SCRIGNOapp |
| it.secservizi.mobile.atime.bpaa | Volksbank per tablet |
| it.volksbank.android | Volksbank · Banca Popolare |
| jp.co.aeonbank.android.passbook | イオン銀行通帳アプリ かんたんログイン&残高・明細の確認 |
| jp.co.netbk | 住信SBIネット銀行 |
| jp.co.rakuten_bank.rakutenbank | 楽天銀行 -個人のお客様向けアプリ |
| jp.co.sevenbank.AppPassbook | App Bankbook |
| jp.co.smbc.direct | 三井住友銀行アプリ |
| jp.mufg.bk.applisp.app | 三菱UFJ銀行 |
| me.doubledutch.hvdnz.cbnationalconference2016 | CB Conference 2018 |
| mobi.societegenerale.mobile.lappli | L’Appli Société Générale |
| mobile.santander.de | Santander Mobile Banking |
| net.bnpparibas.mescomptes | Mes Comptes BNP Paribas |
| nl.asnbank.asnbankieren | ASN Mobiel Bankieren |
| nl.snsbank.mobielbetalen | SNS Mobiel Betalen |
| nz.co.anz.android.mobilebanking | ANZ goMoney New Zealand |
| nz.co.asb.asbmobile | ASB Mobile Banking |
| nz.co.bnz.droidbanking | BNZ Mobile |
| nz.co.kiwibank.mobile | Kiwibank Mobile Banking |
| nz.co.westpac | Westpac One (NZ) Mobile Banking |
| org.banksa.bank | BankSA Mobile Banking |
| org.bom.bank | Bank of Melbourne Mobile Banking |
| org.stgeorge.bank | St.George Mobile Banking |
| org.westpac.bank | Westpac Mobile Banking |
| piuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum |
| pl.aliorbank.aib | Alior Bank |
| pl.allegro | Allegro |
| pl.bosbank.mobile | BOŚBank24 |
| pl.bph | BusinessPro Lite |
| pl.bps.bankowoscmobilna | BPS Mobilnie |
| pl.bzwbk.bzwbk24 | Santander mobile |
| pl.bzwbk.ibiznes24 | iBiznes24 mobile |
| pl.bzwbk.mobile.tab.bzwbk24 | BZWBK24 mobile (tablet) |
| pl.ceneo | Ceneo – zakupy i promocje |
| pl.com.rossmann.centauros | Rossmann PL |
| pl.fmbank.smart | Nest Bank |
| pl.ideabank.mobilebanking | Idea Bank PL |
| pl.ing.mojeing | Moje ING mobile |
| pl.ipko.mobile | Token iPKO |
| pl.mbank | mBank PL |
| pl.millennium.corpApp | Bank Millennium for Companies |
| pl.orange.mojeorange | Mój Orange |
| pl.pkobp.iko | IKO |
| pl.pkobp.ipkobiznes | iPKO biznes |
| posteitaliane.posteapp.apppostepay | Postepay |
| ro.btrl.mobile | Banca Transilvania |
| ru.alfabank.mobile.android | Альфа-Банк (Alfa-Bank) |
| ru.alfabank.oavdo.amc | Альфа-Бизнес |
| ru.alfabank.sense | Sense от Альфа-Банка |
| ru.alfadirect.app | Alfa-Direct |
| ru.bm.mbm | ВТБ Банк Москвы |
| ru.mw | QIWI Wallet |
| ru.sberbank.mobileoffice | Сбербанк Бизнес Онлайн |
| ru.sberbank.sberbankir | Sberbank IR |
| ru.sberbank.spasibo | Спасибо от Сбербанка |
| ru.sberbank_sbbol | Сбербанк Бизнес Онлайн |
| ru.sberbankmobile | Сбербанк Онлайн |
| ru.tcsbank.c2c | Card 2 Card |
| ru.tinkoff.goabroad | FSSP FNS Russia |
| ru.tinkoff.mgp | Tinkoff Play: apply for a card |
| ru.tinkoff.sme | Тинькофф Бизнес |
| ru.vtb24.mobilebanking.android | VTB-Online |
| sk.sporoapps.accounts | Účty |
| sk.sporoapps.skener | Platby |
| src.com.idbi | IDBI Bank GO Mobile |
| tr.com.hsbc.hsbcturkey | HSBC Turkey |
| tr.com.sekerbilisim.mbank | ŞEKER MOBİL ŞUBE |
| tr.com.tradesoft.tradingsystem.gtpmobile.halk | Halk Trade |
| uk.co.bankofscotland.businessbank | Bank of Scotland Business Mobile Banking |
| uk.co.santander.businessUK.bb | Business Banking |
| uk.co.santander.santanderUK | Santander Mobile Banking |
| wit.android.bcpBankingApp.millenniumPL | Bank Millennium |
| wos.com.zebpay | Zebpay Calculator – Profit/Loss Management |
| zebpay.Application | Zebpay Bitcoin and Cryptocurrency Exchange |
| aib.ibank.android | AIB Mobile |
| com.att.myWireless | myAT&T |
| com.bbnt | BB&T PlanTrac Mobile |
| com.bestbuy.android | Best Buy |
| com.discoverfinancial.mobile | Discover Mobile |
| com.eastwest.mobile | EastWest Mobile |
| com.fi6256.godough | Commercial Bank for Android |
| com.fi6543.godough | Community Bank NA Mobile |
| com.fi6665.godough | Fifth District Mobile Banking |
| com.fi9228.godough | CNB Mobile Banking |
| com.fi9908.godough | First US Bank Anywhere Access |
| com.fuib.android.spot.online | PUMB Online |
| com.idamobile.android.hcb | Мобильный банк – Хоум Кредит |
| com.ifs.banking.fiid1369 | Fulton Bank Mobile Banking |
| com.ifs.mobilebanking.fiid3919 | Associated Credit Union Mobile |
| com.jackhenry.rockvillebankct | United Bank – Mobile Banking |
| com.jackhenry.washingtontrustbankwa | WTB Mobile |
| com.jpm.sig.android | J.P. Morgan Mobile |
| com.sterling.onepay | Sterling OnePay |
| com.svb.mobilebanking | SVB Mobile Banking-Commercial |
| com.ukrsibbank.client.android | UKRSIB online |
| com.vkontakte.android | VK |
| com.vzw.hss.myverizon | My Verizon |
| logo.com.mbanking | ПСБ |
| org.usemployees.mobile | U.S. Employees Credit Union |
| pinacleMobileiPhoneApp.android | PINACLE® |
| ru.alfabank.mobile.ua.android | Alfa-Mobile Ukraine |
| ru.avangard | Банк Авангард |
| ru.rosbank.android | ROSBANK Online |
| ru.simpls.brs2.mobbank | Моб. банк Русский Стандарт |
| ru.simpls.mbrd.ui | МТС Банк |
| ru.taxovichkof.android | TaxovichkoF: order a taxi in St Petersburg online |
| ua.aval.dbo.client.android | Raiffeisen Online Ukraine |
| ua.com.cs.ifobs.mobile.android.otp | OTP Smart |
| ua.com.cs.ifobs.mobile.android.pivd | Pivdenny MyBank |
| ua.oschadbank.online | Ощад 24/7 |
| ua.privatbank.ap24 | Privat24 |
| xmr.org.freewallet.app | Monero Wallet |
| com.ubercab | Uber |
| com.avito.android | Объявления Авито: авто, работа, квартиры, вещи |
| com.instagram.android | |
| com.openbank | Банк Открытие |
| com.twitter.android | |
| com.viber.voip | Viber Messenger |
| com.whatsapp | WhatsApp Messenger |
| org.telegram.messenger | Telegram |
| ru.auto.ara | Авто.ру: купить и продать авто |
| ru.ok.android | OK |
| ru.rutaxi.vezet | Везёт – заказ такси онлайн |
| ru.yandex.taxi | Yandex.Taxi Ride-Hailing Service |
| cb.ibank | УБРиР |
| com.bifit.mobile.otpbank | ОТПбизнес |
| com.bifit.mobile.ubrr | УБРиР Pro |
| com.bifit.mobile.zenit | ЗЕНИТ Бизнес |
| com.bssys.mbcphone.akbars | АК БАРС Мобильный для Бизнеса |
| com.bssys.mbcphone.mts | MTS Bank. Business Client |
| com.bssys.mbcphone.rsbank | РС Бизнес Онлайн |
| com.bssys.mbcphone.ubrir | УБРиР Light |
| com.bssys.mbcphone.vostochny | Восточный Корпоративный |
| com.citibank.mobile.ru | Citibank RU |
| com.isimplelab.ibank.kazan | Банк Казани |
| com.isimplelab.isimpleceo.kazan | БК Бизнес |
| com.isimplelab.isimpleceo.minb | МИнБанк Бизнес |
| cz.bsc.rc | Ренессанс Кредит |
| ru.akbars.mobile | Ак Барс Онлайн 3.0 |
| ru.avangard.legal | Авангард Бизнес |
| ru.bankuralsib.mb.android | Мобильный банк УРАЛСИБ |
| ru.beeline.card | Карта Билайн |
| ru.bspb | BSPB Mobile |
| ru.ftc.faktura.expressbank | Восточный мобайл |
| ru.gazprombank.android.mobilebank.app | Телекард 2.0 |
| ru.kykyryza | Кукуруза |
| ru.mdm.app | Бинбанк Бизнес |
| ru.minbank.android | МИнБ |
| ru.mkb.business | МКБ Бизнес |
| ru.mkb.mobile | МКБ Мобайл |
| ru.otpbank | ОТПкредит |
| ru.psbank.msb.dev.psb_appstore | PSB Мой Бизнес |
| ru.raiffeisen.android.rbo | Райффайзен Бизнес |
| ru.raiffeisennews | Raiffeisen Online Russia |
| ru.rocketbank.r2d2 | Рокетбанк |
| ru.rshb.dbo | Мобильный банк, Россельхозбанк |
| ru.rshb.dboul | Россельхозбанк Бизнес-Онлайн |
| ru.skbbank.ib | СКБ Онлайн |
| ru.skbbank.ibank | СКБ-банк |
| ru.stepup.MDMmobileBank | Бинбанк online 2.0 |
| ru.ucb.android | Mobile.UniCredit |
| ru.vtb24.biz.client.android | ВТБ Бизнес Онлайн |
| ru.zenit.android | ЗЕНИТ Онлайн 2.0 |
| de.ingdiba.bankingapp | ING-DiBa Banking to go |
| btc.org.freewallet.app | Bitcoin Wallet by Freewallet |
| com.alibaba.aliexpresshd | AliExpress – Smarter Shopping, Better Living |
| com.bitcoin.mwallet | Bitcoin Wallet |
| com.bitpay.wallet | BitPay – Secure Bitcoin Wallet |
| com.blocktrail.mywallet | BTC.com – Bitcoin Wallet |
| com.booking | Booking.com Travel Deals |
| com.electroneum.mobile | Electroneum |
| com.gettaxi.android | Gett |
| com.google.android.play.games | Google Play Games |
| com.samsung.android.spay | Samsung Pay |
| io.totalcoin.wallet | Bitcoin Wallet Totalcoin – Buy and Sell Bitcoin |
| ru.aviasales | Aviasales — авиабилеты дешево |
| ru.tutu.tutu_emp | Tutu.ru – flights, Russian railway and bus tickets |
| ru.yandex.money | Yandex.Money—wallet, cards, transfers, and fines |
| com.google.android.apps.walletnfcrel | Google Pay |
总结
Anubis自爆发以来,其主要活动区域在欧美等地,虽然目前国内暂时没有发现此类银行木马,但其代码字符串混淆中,含有中文混淆方案,所以依然值得我们警惕。
Anubis主要以渗透进入谷歌商店为主要传播平台,木马本身以仿冒金融机构、主流应用程序、浏览器插件为主要伪装手段。
Anubis是结合了钓鱼、远控、勒索等功能的银行木马,其功能强大到甚至可以作为一款间谍软件的存在。虽然谷歌商店一直在清理相关恶意木马,但仍然有残留的软件在活跃,此次西班牙发现Anubis通过仿冒邮政运营商Correos进行传播,也说明了Anubis一直都在并没有消失,而且其数量也并没有减少,所以我们依然要对Anubis木马提高警惕,我们也会时刻关注Anubis最新变种的出现。
IOC
| MD5 |
|---|
| 3D3EC2C2F81FE4EE582DCA2E69752EE1 |
| 04D94228021B73E44261ADCCAD4173F3 |
| D2C8F0D197A14EEFBDB9643DDB898477 |
| e5141d3f2a3bd6ecf64089401b015f0c |
| 1e8870eb6f141df9b8d9f4dd295188be |
| d045e6d5c9b493dbe35aa4cb94652072 |
| e6ab7d099bd4f01eca83075c55eb94e1 |
| 9c7187266b2c881570cdf69af714252b |
| 0943a47985a0b33018877676cfef6c47 |
| 6bb24ad97a777a6ced82199fa3d2e656 |
| 3590baefdcf54c69e0a363b8adaf74b9 |
| 7b7f0041263f4a6bf3d648e19e8f5201 |
| 02dd7a6fb1fc0587bdd85cc267c733a4 |
| 390674bdb17d77c9b32bd7780a176f4c |
| 4fbeaa50b11bf58418efc8ee9eb1e2aa |
| 93f3c95243b347f446a54ce219307bec |
| 0ff2626fe3a449ba0ee97e68d87c9249 |
| 7ebe35cbf1eff3702f06e54a432e6f39 |
| a519c9d681a76702cd5827a428e2fbdc |
| 5425eb81ac515a2ee169cf748b00badb |
| 6d15674a905941be2675ec1b4c658d94 |
| 35967f792d7f0e0fad821a34e720731e |
| 0135026d9f4fb41466e44abcb3e03752 |
| dc4db1997889d2aeea18e60ee6d0f9e4 |
| 17091e2d6af45fc65c46c4a5d9a54de2 |
| 53035f67f5f07bf39856f02589727b30 |
| bcb2f691e6291e80f97dcdbece8bef4f |
| fb6ee9be6feaf5784e9f6ab3f8751b07 |
| 6c8e24bb040abe91f99f0624eba68615 |
| e29f8dbba94d6402d03d06c8308dcd03 |
| ac0e66262d431a170f2ab9cef2a96dd1 |
| ba5daf527a6efcc8223812961267960c |
| df98cd6a1200a8f51791b2f06aabad88 |
| 68c72bdd2c3289613a0b649c5f67c066 |
| 028336c0f5360d9c635ff0ecc6a6b528 |
| 659aebc9b8e9a6f447ef6343893643c6 |
| 91b7f1fa55cf08adee79116d76bf4dc4 |
| 01bc9a13dd0b091b2ddce9ee2e682c0c |
| fd5010347cd2157604caa990f1454800 |
| ae0bd650536ac6dcc1e98978293e5926 |
| aa8202f424ad998c36c4b91d7db2a5ec |
| C778267F160B97CBB4A970F837C61FF9 |
| dfeae0b92e2addac132ce0a941bc9651 |
| c1419376bfbd84b94b1547003706e89d |
| a8b8eb22302139a0a76b8ff16bb589c6 |
| C&C |
|---|
| hxxps://twitter.com/wadaishere5 |
| hxxps://twitter.com/wadaishere11 |
| hxxps://twitter.com/scotyhall |
| hxxps://twitter.com/ruyas_s |
| hxxps://twitter.com/qweqweqwe |
| hxxps://twitter.com/PelinSN10495193 |
| hxxps://twitter.com/mrzabibus |
| hxxps://twitter.com/force19994 |
| hxxps://twitter.com/Donald19532 |
| hxxps://twitter.com/Alexey31405753 |
| hxxps://t.me/appqltkjsaa |
| hxxps://nasistemeafk.sc.ug |
| hxxps://188dyz.com/sett |
| hxxp://wadascx1wesa.club/admin_panel |
| hxxp://wadaishere.tk/admin_panel |
| hxxp://translationutility.tk |
| hxxp://services32.website |
| hxxp://schvhost.us |
| hxxp://sasaz.ru |
| hxxp://mining.ltd.ua |
| hxxp://colbrte.top |
| hxxp://batikantognas.com.tr |
| hxxp://aktivierung-342675-deustchland-services.ru |
| hxxp://45.76.42.67 |
| hxxp://185.254.121.24 |
| hxxp://185.235.128.44 |
| hxxp://185.139.70.135 |
| hxxp://181.174.166.106 |
| 87600.ooo |
| 12313.ooo |
*本文作者:奇安信威胁情报中信,转载来自FreeBuf
打赏我,让我更有动力~
0 条回复
|
直到 2019-5-11 |
5030 次浏览
登录后才可发表内容
返回:技术文章投稿区
漏洞文章
