Kaspersky crimeware report: ASMCrypt, Lumma and Zanubis

Kaspersky analyzed three active crimeware families: ASMCrypt (an evolved DoubleFinger-style cryptor/loader that fetches encrypted payloads over Tor and hides them inside PNGs), Lumma (a fork of the Arkei/Vidar stealer with multiple variants that exfiltrate browser and crypto wallet data), and Zanubis (an Android banking trojan that abuses Accessibility permissions, WebSockets/Socket.IO C2, and screen recording).

Keypoints

  • ASMCrypt acts as a front-end loader that authenticates to a Tor-based backend, builds an encrypted payload blob embedded in a PNG, and relies on a malicious DLL/binary to download, decrypt and execute that payload in memory.
  • ASMCrypt offers configurable options to attackers including injection method (stealth/invisible), target process for injection, startup persistence folder name, and stub type (malicious fake QuickTime or legitimate app sideloading a DLL).
  • Lumma is a C++ Arkei-derived stealer distributed via a spoofed conversion site that returns files with a .pdf.exe double extension and exfiltrates browser and crypto wallet artifacts; variants show differences in C2 paths, string encryption, dynamic configs, and exfiltration methods.
  • Lumma samples demonstrate evolving techniques: alternate C2 endpoints (/winsock, /windbg), string XOR/hex encryption, dynamic Base64+XOR configuration retrieval, and changes to User-Agent and data upload behavior.
  • Zanubis targets Peruvian banking/finance apps by impersonating legitimate apps (e.g., SUNAT), obfuscating APKs with Obfuscapk, convincing users to grant Accessibility rights, and then using WebView, Accessibility events, keylogging, screen recording, and a VNC-like second channel for remote control.
  • Zanubis’s C2 uses Socket.IO over WebSockets (with HTTP fallback) to maintain persistent, scalable connections and push dynamic configuration events (e.g., config_packages) that determine which apps to monitor and what actions to take.
  • Zanubis includes an intrusive “bloqueoUpdate” event that simulates an Android update to lock the device UI while the malware captures input and screen data for theft or remote takeover.

MITRE Techniques

  • [T1055] Process Injection – used to place and run payloads inside other processes via a “stealth or invisible injection method” (‘Stealth or invisible injection method; The process the payload should be injected into’).
  • [T1574.002] DLL Side-Loading – attackers choose a stub type that is “a legitimate application that sideloads the malicious DLL,” enabling execution under a trusted binary (‘Stub type: … a legitimate application that sideloads the malicious DLL’).
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – persistence via a configurable startup folder name for autorun on victim systems (‘Folder name for startup persistence’).
  • [T1090] Proxy (Tor) – ASMCrypt connects to its backend over the Tor network using hardcoded credentials to reach the service (‘connects to the malware’s backend service over the TOR network using hardcoded credentials’).
  • [T1071.004] Application Layer Protocol: WebSocket – Zanubis uses WebSockets/Socket.IO for persistent C2 communications and failover to HTTP (‘Communication with the C2 relies on WebSockets and the library called Socket.IO’).
  • [T1204.002] User Execution: Malicious File – Lumma is distributed via a spoofed conversion site that returns a double-extension .pdf.exe to trick users into executing it (‘When a file is uploaded, it is returned with the double extension .pdf.exe’).
  • [T1027] Obfuscated Files or Information – Zanubis APKs are obfuscated with Obfuscapk and Lumma uses string encryption (hex + XOR) to hide strings and config data (‘Zanubis is obfuscated with the help of Obfuscapk’; ‘They are now hex encoded and encrypted with an XOR key’).
  • [T1105] Ingress Tool Transfer – samples download additional libraries or payloads from C2 (e.g., Lumma retrieving parsing libraries or ASMCrypt retrieving the PNG blob) (‘When the malicious DLL is executed on a victim system, it downloads the .png file, decrypts it, loads it into memory and then executes it’; Lumma downloaded additional libraries from the C2).
  • [T1056] Input Capture – Zanubis logs events/keys as one of its data theft actions after detecting targeted apps via Accessibility events (‘Once an application on the list is found running on the device, Zanubis takes one of two actions… logging events/keys’).
  • [T1113] Screen Capture – Zanubis can record the screen and send rendering info (display size) periodically to the C2 for remote interaction (‘it will send information about screen rendering, such as the display size, every second’; recording the screen).

Indicators of Compromise

  • [MD5 hashes] Lumma samples – 6b4c224c16e852bdc7ed2001597cde9d, 844ab1b8a2db0242a20a6f3bbceedf6b, and 4 more hashes.
  • [MD5 hashes] Zanubis samples – 054061a4f0c37b0b353580f644eac554, a518eff78ae5a529dc044ed4bbd3c360, and 5 more hashes.
  • [File extension / filename] Malicious dropper naming – spoofed conversion site returning files with a double extension (example: .pdf.exe) used to trick users into execution.
  • [Embedded payload] PNG steganographic blob – ASMCrypt builds an encrypted blob hidden inside a .png that the malicious DLL downloads and decrypts to execute in memory (‘creates an encrypted blob hidden inside a .png file’).
  • [Application packages] Targeted Android package names – Zanubis receives a dynamic array of package names from C2 (over 40 package names targeting Peruvian banks/SUNAT-related apps; samples target Spanish-language systems).

ASMCrypt: The loader authenticates to a Tor-based backend, presents build options to the operator (injection method, target process, startup folder, stub type), then produces two artifacts: (1) an encrypted payload blob embedded inside a PNG that must be hosted online, and (2) a malicious DLL or binary stub. When the stub runs on a victim, it downloads the PNG, decrypts the embedded blob in memory and executes it, enabling fileless or stealthy execution and injection into a target process.
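A defensive check for the PNG-carried payload described above (and in the Keypoints), as an added example rather than code from the report or the loader: the report does not say how ASMCrypt hides the blob inside the image, so this assumes the common approach of appending data after the PNG's IEND chunk and walks the chunk structure to report any trailing bytes. The PNG bytes are constructed inline; no real sample is used.

```python
"""Report bytes appended after a PNG's IEND chunk (assumed hiding method)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Return bytes following the IEND chunk (empty if none).

    Walks length/type/payload/CRC chunks; raises ValueError on a file that
    is not a PNG, is truncated, or never reaches IEND.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG (bad signature)")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        if ctype == b"IEND":
            return data[end:]               # anything here is not image data
        pos = end
    raise ValueError("no IEND chunk found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk with the CRC the spec requires (type + data)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_demo_png(appended: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, type...
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + appended


if __name__ == "__main__":
    # Placeholder trailing bytes stand in for an encrypted blob; not a real payload.
    clean = build_demo_png()
    suspicious = build_demo_png(b"PLACEHOLDER-ENCRYPTED-BLOB")
    print("clean trailing bytes:", len(png_trailing_data(clean)))
    print("suspicious trailing bytes:", len(png_trailing_data(suspicious)))
```

Trailing data after IEND is not proof of ASMCrypt, but on an image fetched by an unexpected process it is worth a second look.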

Lumma: Distributed via a spoofed .docx-to-.pdf service that returns .pdf.exe droppers, Lumma variants exhibit divergent C2 behaviors (/socket.php, /winsock, /windbg), differing exfiltration methods (downloading parser libraries for 32-bit or uploading entire DBs), and encoding changes (hex + XOR string encryption, Base64+XOR dynamic configs). Analysts observed debug builds that notify C2 on code paths hit and samples that altered User-Agent strings, indicating active development and modular config-driven operation.
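Decoding the two Lumma encodings named above and in the Keypoints (hex + XOR strings, Base64 + XOR dynamic configs), as an added analyst helper that is not the report's or the stealer's code. It assumes a repeating single-key XOR applied after the hex or Base64 layer and a simple key=value config layout; the key and samples are constructed for illustration, not taken from a real sample.

```python
"""Decode hex+XOR strings and Base64+XOR configs of the kind the report describes."""
import base64
import binascii


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats cyclically (assumed key schedule)."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hex_xor_string(hex_text: str, key: bytes) -> str:
    """Hex-decode, then XOR; malformed hex raises binascii.Error."""
    raw = binascii.unhexlify(hex_text.strip())
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def decode_b64_xor_config(b64_text: str, key: bytes) -> dict:
    """Base64-decode, then XOR; parse 'k=v' lines (assumed layout) into a dict."""
    raw = base64.b64decode(b64_text, validate=True)
    plain = xor_bytes(raw, key).decode("utf-8", errors="replace")
    cfg = {}
    for line in plain.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


# Constructed samples: the key is a placeholder, not one from the report.
SAMPLE_KEY = b"examplekey"
# "/winsock" (a C2 path the report lists) hex+XOR encoded with SAMPLE_KEY.
SAMPLE_HEX_STRING = "4a0f080303030600"
# Config is built here with the same primitives so the decoder runs offline.
SAMPLE_B64_CONFIG = base64.b64encode(
    xor_bytes(b"c2_path=/windbg\nupload_mode=full_db\n", SAMPLE_KEY)
).decode()


if __name__ == "__main__":
    print(decode_hex_xor_string(SAMPLE_HEX_STRING, SAMPLE_KEY))
    print(decode_b64_xor_config(SAMPLE_B64_CONFIG, SAMPLE_KEY))
```

Swap in a key recovered from a real sample and the same two functions serve as a bulk string decoder during triage.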

Zanubis (Android): The APKs are obfuscated with Obfuscapk and impersonate legitimate Peruvian apps (notably SUNAT). After tricking users into granting Accessibility permissions, the malware uses WebView to display legitimate sites while its Accessibility listener (onAccessibilityEvent) monitors app activity. The C2 uses Socket.IO over WebSockets (with HTTP fallback) to push events such as config_packages (lists of target app package names). Once a target app is detected the implant either logs input/keystrokes or records the screen; a second, VNC-like channel can be initialized to stream display parameters and enable a remote takeover, including an aggressive bloqueoUpdate event that simulates an Android update to lock the UI.

Read more: https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/