{
	"id": "5c202025-88ff-45d6-8052-f18a404e1313",
	"created_at": "2026-04-06T00:21:48.182898Z",
	"updated_at": "2026-04-10T03:22:04.577403Z",
	"deleted_at": null,
	"sha1_hash": "d2602e3694519f74ce759fde11fc2a195ae76d4f",
	"title": "A cryptor, a stealer and a banking trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155472,
	"plain_text": "A cryptor, a stealer and a banking trojan\r\nBy GReAT\r\nPublished: 2023-09-28 · Archived: 2026-04-05 14:35:27 UTC\r\nIntroduction\r\nAs long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making\r\nmalware, we’ll keep analyzing it, publishing reports and providing protection. Last month we covered a wide\r\nrange of cybercrime topics. For example, we published a private report on a new malware found on underground\r\nforums that we call ASMCrypt (related to the DoubleFinger loader). But there’s more going on in the cybercrime\r\nlandscape, so we also published reports on new versions of the Lumma stealer and Zanubis Android banking\r\ntrojan. This blog post contains excerpts from those reports.\r\nIf you want to learn more about our crimeware reporting service, please contact us at\r\ncrimewareintel@kaspersky.com.\r\nASMCrypt\r\nAs mentioned in our previous blog post, we monitor many underground forums. On one of them we saw an ad,\r\npromoting a new cryptor/loader variant called ASMCrypt. The idea behind this type of malware is to load the final\r\npayload without the loading process or the payload itself being detected by AV/EDR, etc. This sounds a lot like the\r\nDoubleFinger loader we discussed here.\r\nIn fact, after careful analysis, we believe with a high degree of confidence that ASMCrypt is an evolved version of\r\nDoubleFinger. However, ASMCrypt works slightly differently and is more of a “front” for the actual service that\r\nruns on the TOR network.\r\nSo how does it work? First the buyer obtains the ASMCrypt binary, which connects to the malware’s backend\r\nservice over the TOR network using hardcoded credentials. 
If everything is okay, the options menu is shown:\r\nhttps://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/\r\nPage 1 of 6\n\nThe buyer can choose from the following options:\r\nStealth or invisible injection method;\r\nThe process the payload should be injected into;\r\nFolder name for startup persistence;\r\nStub type: either the malware itself masquerading as Apple QuickTime, or a legitimate application that\r\nsideloads the malicious DLL.\r\nAfter selecting all the desired options and pressing the build button, the application creates an encrypted blob\r\nhidden inside a .png file. This image must be uploaded to an image hosting site. The malicious DLL (or binary)\r\nfrom the last bullet point above is also created and will be distributed by the cybercriminals.\r\nWhen the malicious DLL is executed on a victim system, it downloads the .png file, decrypts it, loads it into\r\nmemory and then executes it.\r\nLumma\r\nThe Arkei stealer, written in C++, first appeared in May 2018 and has been forked/rebranded several times over\r\nthe last couple of years. It has been known as Vidar, Oski, Mars and now Lumma, which has a 46% overlap with\r\nArkei. Over time, the main functionality of all the variants has remained the same: stealing cached files,\r\nconfiguration files and logs from crypto wallets. It can do this by acting as a browser plugin, but it also supports\r\nthe standalone Binance application.\r\nBut first the infection vector. Lumma is distributed via a spoofed website that mimics a legitimate .docx to .pdf\r\nsite. When a file is uploaded, it is returned with the double extension .pdf.exe.\r\nLumma itself first appeared on our radar in August 2022, when we detected new samples. Around the same time,\r\ncybersecurity enthusiast Fumik0_ tweeted that Lumma was a “fork/refactor” of Mars. 
Since then, Lumma has\r\nundergone a number of changes, some of which we will highlight below:\r\nWe found only one sample (MD5 6b4c224c16e852bdc7ed2001597cde9d) that had the functionality to\r\ncollect the system process list. The same sample also used a different URL to communicate with the C2\r\n(/winsock instead of /socket.php);\r\nWe also found one sample (MD5 844ab1b8a2db0242a20a6f3bbceedf6b) that appears to be a debugging\r\nversion. When certain code fragments are reached, a notification is sent to the C2. Again, it uses a different\r\nURL (/windbg);\r\nIn a more recent sample (MD5 a09daf5791d8fd4b5843cd38ae37cf97), the attackers changed the User-Agent field to “HTTP/1.1”. It is unclear why this was done;\r\nWhile all previous samples, including the three mentioned above, downloaded additional libraries from the\r\nC2 for 32-bit systems so that specific browser-related files (e.g. passwords and the like) could be parsed,\r\nMD5 5aac51312dfd99bf4e88be482f734c79 simply uploads the entire database to the C2;\r\nMD5 d1f506b59908e3389c83a3a8e8da3276 introduces a string encryption scheme: strings are now hex encoded\r\nand encrypted with an XOR key (the first 4 bytes of the string);\r\nOne of the biggest changes we saw involved MD5 c2a9151e0e9f4175e555cf90300b45c9. This sample\r\nsupports dynamic configuration files retrieved from the C2. The configuration is Base64 encoded and\r\nXORed with the first 32 bytes of the configuration file.\r\nCode snippet of the “debugging” sample\r\nZanubis\r\nZanubis, an Android banking trojan, first appeared around August 2022, targeting financial institution and\r\ncryptocurrency exchange users in Peru. 
Zanubis’s main infection path is through impersonating legitimate\r\nPeruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to\r\ntake full control of the device.\r\nWe spotted more recent samples of Zanubis in the wild around April 2023. The malware was disguised as the\r\nofficial Android application for the Peruvian governmental organization SUNAT (Superintendencia Nacional de\r\nAduanas y de Administración Tributaria). We explored the new design and features of the malware, which seemed\r\nto have undergone several phases of evolution to reach a new level of sophistication.\r\nZanubis is obfuscated with the help of Obfuscapk, a popular obfuscator for Android APK files. After the victim\r\ngrants Accessibility permissions to the malicious app, thus allowing it to run in the background, the malware uses\r\nWebView to load a legitimate SUNAT website used for looking up debts. The intention here is to lead the\r\nunsuspecting user to believe that the app is part of the SUNAT ecosystem of services.\r\nCommunication with the C2 relies on WebSockets and the library called Socket.IO. The latter allows the malware\r\nto establish a persistent connection to the C2, which provides failover options (from WebSockets to HTTP and\r\nvice versa). Another advantage is that it provides the C2 with a scalable environment where all new infections by\r\nZanubis can receive commands (also called events) on a massive scale from the C2 if required. Once the malware\r\nstarts, the implant calls a function to check the connection to the C2. It establishes two connections to the same C2\r\nserver, but they perform different types of actions, and the second connection is established only if requested by\r\nthe C2.\r\nIntentionally, Zanubis doesn’t come with a pre-populated, hardcoded list of applications to target. In recent\r\nyears, malware developers have tended to add or remove the names of applications from the target list. 
To set the\r\ntargeted applications on the implant, the C2 sends the event config_packages. The JSON object sent with the event\r\ncontains an array specifying the applications that the malware should monitor. The malware parses the list of\r\ntargeted applications each time an event occurs on the screen, such as an app opening, which the malware detects\r\nusing the onAccessibilityEvent function. Once an application on the list is found running on the device, Zanubis\r\ntakes one of two actions, depending on its configuration, to steal the victim’s information: logging events/keys, or\r\nrecording the screen.\r\nPreviously, we mentioned initializing the second connection from the infected device, which provides further\r\noptions for the C2. After Zanubis establishes this new connection, it sends a VncInit event to the server to inform\r\nit that initialization of the second feature set is complete, and it will send information about screen rendering, such\r\nas the display size, every second. We can assume that this is a way for the operators to take control of, or\r\nbackdoor, the infected phone.\r\nAn interesting feature in the second set is the bloqueoUpdate event. This is one of the most invasive – and\r\npersuasive – actions taken by the malware: it pretends to be an Android update, thus blocking the phone from\r\nbeing used. As the “update” runs, the phone remains unusable to the point that it can’t be locked or unlocked, as\r\nthe malware monitors those attempts and blocks them.\r\nFake update locking the user out of the phone\r\nAccording to our analysis, the targeted applications are banks and financial entities in Peru. This fact, in\r\nconjunction with our telemetry data, leads us to determine that Zanubis targets users in that country specifically.\r\nThe list of targeted applications contains more than 40 package names. 
The samples of Zanubis collected to date\r\nare capable of infecting any Android phone, but they were all written with Spanish as the system language in\r\nmind.\r\nConclusion\r\nMalware is constantly evolving, as is illustrated by the Lumma stealer, which has multiple variations with varying\r\nfunctionality. Zanubis also aspires to become a fully armed banking trojan that could inflict financial losses and\r\nsteal the personal data of mobile users. This constant change in malicious code and cybercriminal TTPs is a\r\nchallenge for defense teams. To protect itself, an organization must learn about new threats as soon as they\r\nemerge. Intelligence reports can help you stay on top of the latest malicious tools and attacker TTPs. If you’d like\r\nto stay up to date on the latest TTPs being used by criminals, or have questions about our private reports, please\r\ncontact us at crimewareintel@kaspersky.com.\r\nIndicators of compromise (MD5s)\r\nLumma\r\n6b4c224c16e852bdc7ed2001597cde9d\r\n844ab1b8a2db0242a20a6f3bbceedf6b\r\na09daf5791d8fd4b5843cd38ae37cf97\r\n5aac51312dfd99bf4e88be482f734c79\r\nd1f506b59908e3389c83a3a8e8da3276\r\nc2a9151e0e9f4175e555cf90300b45c9\r\nSource: https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/"
	],
	"report_names": [
		"110512"
	],
	"threat_actors": [],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2602e3694519f74ce759fde11fc2a195ae76d4f.pdf",
		"text": "https://archive.orkl.eu/d2602e3694519f74ce759fde11fc2a195ae76d4f.txt",
		"img": "https://archive.orkl.eu/d2602e3694519f74ce759fde11fc2a195ae76d4f.jpg"
	}
}