A new info-stealing malware, Ransomware/Anubis, is now actively distributed in the wild. The malware code is forked from the Loki malware. The malware is developed in C#, and the authors have called it Anubis in its settings, sharing the name with an unrelated family of Android banking malware.
Size: 266,240 bytes
DateTimeStamp: 22 June 2020 8:57:44 PM GMT
Anubis has code to steal system info, screenshots, passwords, browser cookies, credit card details, cryptocurrency wallets, lock files, etc.
The domain anubis.fun, where the admin panel is hosted, points to 3 IPv4 addresses.
The admin panel is protected by authentication.
The site uses an SSL certificate from GlobalSign.
It captures images from the webcam and screenshots of the current screen.
It steals the credentials from Filezilla and Telegram applications.
It steals the web cookies stored by web browsers. It also steals cryptocurrency wallets.
It steals credit card details from web browser storage.
It steals credentials from NordVPN.
It collects the following information from infected machines:
- Public IP address
- User name
- Machine name
- MAC id
- Screen resolution
- System language
- Browser versions
The collected information is sent to the C2 server. The C2 URI is hard-coded in the binary settings.
It steals credentials from Steam, a video game distribution software.
The ransomware (file-lock) functionality does not get executed in this version, but it would execute if the feature is turned on in the binary settings.
Encrypted (locked) files are renamed by appending the “.loki” string. The file locker module does not encrypt files smaller than 30 MB.
The ransom note is hard-coded in the binary.
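As an added example (not code from the original post or from the malware), a small Python triage helper that applies the two locker facts above to a file inventory: a “.loki” suffix marks files that were already renamed, and the 30 MB threshold separates files the locker would target from those it skips. It assumes “30MB” means 30 × 1024 × 1024 bytes; the sample inventory is constructed.

```python
"""Triage helper for the Anubis/Loki file-locker behaviour (added example)."""
import os
from typing import Iterable, Iterator, NamedTuple

LOCKED_SUFFIX = ".loki"  # extension the locker appends to renamed files
# Assumption: the post's "30MB" is read as 30 * 1024 * 1024 bytes.
MIN_LOCK_SIZE = 30 * 1024 * 1024


class FileEntry(NamedTuple):
    path: str
    size: int


def is_locked_name(path: str) -> bool:
    """True if the file name carries the appended .loki extension."""
    return path.lower().endswith(LOCKED_SUFFIX)


def in_locker_scope(size: int) -> bool:
    """True if a file of this size would be encrypted (30 MB or larger)."""
    return size >= MIN_LOCK_SIZE


def walk_files(root: str) -> Iterator[FileEntry]:
    """Yield (path, size) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                yield FileEntry(full, os.path.getsize(full))
            except OSError:  # unreadable or vanished file: skip it
                continue


def triage(entries: Iterable[FileEntry]) -> dict:
    """Split an inventory into already-locked files, files the locker would
    target if the feature were enabled, and files it skips as under 30 MB."""
    report = {"locked": [], "at_risk": [], "skipped": []}
    for e in entries:
        if is_locked_name(e.path):
            report["locked"].append(e.path)
        elif in_locker_scope(e.size):
            report["at_risk"].append(e.path)
        else:
            report["skipped"].append(e.path)
    return report


# Constructed sample inventory (not taken from any real incident).
SAMPLE = [
    FileEntry(r"C:\Users\alice\Documents\budget.xlsx.loki", 40 * 1024 * 1024),
    FileEntry(r"C:\Users\alice\Videos\holiday.mp4", 700 * 1024 * 1024),
    FileEntry(r"C:\Users\alice\Documents\notes.txt", 2048),
]
```

On a live host, run `triage(walk_files(r"C:\Users"))` to list renamed files and the large files that would have been in scope had the locker been enabled.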