New Financial Malware Targets Russian Users

Kaspersky Lab has warned about the emergence of new versions of financial malware, one of which, Lumma Stealer, is also attacking Russian users.

  • Lumma Stealer: This is an updated version of the Arkei stealer, which was first discovered in May 2018. Lumma is distributed through a fake website that claims to convert .docx files to .pdf. When users open the downloaded files, they unknowingly install the malware. The stealer is capable of stealing cache files, configuration files, and cryptocurrency wallet logs. It can function as a browser plugin and is also compatible with the Binance application. Lumma also includes features that were not present in previous versions of the stealer, such as the ability to retrieve lists of system processes, improved encryption techniques, and the use of dynamic configuration files sent by the command-and-control server.
  • Zanubis Trojan: This banking Trojan primarily targets users in Peru and disguises itself as official applications. It has been known since 2022. Zanubis obtains permission to use Accessibility Services. Initially it posed as Android financial and cryptocurrency services, and in April 2023 it started mimicking the official application of the Peruvian National Customs and Tax Administration (Sunat). To obfuscate its code, Zanubis uses Obfuscapk, a popular tool for obfuscating Android application files. The Trojan loads the genuine Sunat website using the WebView system component, which is responsible for opening web pages inside applications. To communicate with the command-and-control server it uses the WebSocket protocol and the Socket.io library, which give the operators flexibility and control. The danger of Zanubis lies in its potential for complete control over the infected device, including the ability to lock the device under the guise of an Android update.
  • ASMCrypt Cryptor: Recently discovered on underground forums, ASMCrypt is an advanced version of the DoubleFinger loader. Tools of this kind are used to conceal the process of loading malicious software. ASMCrypt acts as a front end for a service running on the Tor network. Buyers can configure various infection methods, target applications, autorun parameters, and other capabilities of the malware. The malicious functionality of AS