New Malware Threatening Crypto Wallets In The Wild

Alas, a new innovation in malware has occurred, leading to a newly-formed malware going by the name of Anubis. This malware is currently out in the world wide web, circulating for sale in the dark web markets in June. This comes by way of an announcement Microsoft Security Intelligence had made. Anubis leverages forked code from the Loki malware, stealing the crypto wallet ids, credit card info, system info, and other forms of data from a device.

A new info-stealing malware we first saw being sold in the cybercriminal underground in June is now actively distributed in the wild. The malware is called Anubis and uses code forked from Loki malware to steal system info, credentials, credit card details, cryptocurrency wallets pic.twitter.com/2Q58gpSIs0

— Microsoft Security Intelligence (@MsftSecIntel) August 26, 2020

Malicious Data Stealer

It should be noted, however, that this malware stands apart from the other Anubis, which is an android banking malware. This Anubis joins the ever-increasing ranks of malware that target cryptocurrency stashes, in particular.

Tanmay Ganacharya stands as a Partner Director of Security Research at Microsoft and gave a statement about the matter at large. They explained that the malware itself gets downloaded from certain websites, sending the stolen information it gets to a command and control (C2) server. The malware does this by way of an HTTP POST command.

Stealing Everything It Can Find

HTTP POST is, in essence, a data request from the Internet itself. This is typically used when you’re uploading a file to the Internet, or otherwise submit a completed web form, as well.

Tanmay explained that, should this HTTP POST command be executed, it attempts to steal information and send it to this C2 server. He explained that this delivers sensitive information, which could possibly include login credentials saved in browsers, crypto wallet IDs, as well as credit card information.

Parham Eftekhari stands as the Executive Director of Cybersecurity Collaborative, which is a forum for professionals in cybersecurity. Parham reviewed the images that Microsoft had published on its tweets but stated that there wasn’t a whole lot of information released about this Windows Anubis malware.

Practice Standard Caution

However, it was observed that the Loki Bot, which Anubis was based on, was spread by way of social engineering emails with data attachments with the “.iso” extension. These emails pretended to be offers or orders made from other companies, and were sent to publicly available company addresses. Sometimes, the malware even managed to send it from the company’s own site, as well.

Parham stated that people should avoid any suspicious or unfamiliar email attachments or those that don’t seem expected or familiar. Furthermore, they advised for the use of anti-malware applications within their systems, scanning their systems, and keeping these applications up to date, in general.