Anatsa (Trojan) – Malware

Overview

Anatsa, also known as TeaBot, is a sophisticated Android banking malware that has emerged as a significant threat in the mobile security landscape. Primarily targeting financial applications, Anatsa has been associated with over 650 banking institutions across Europe and is increasingly expanding its reach to countries such as the United States, Germany, South Korea, and Singapore. The malware is designed to stealthily harvest sensitive banking credentials and financial information from its victims, employing a variety of cunning tactics to evade detection and maintain persistence on infected devices.

What makes Anatsa particularly alarming is its use of dropper applications—innocuous-looking apps that masquerade as legitimate tools, such as PDF readers and QR code scanners. These decoy applications lure users into unwittingly downloading the malware from platforms like the Google Play Store, often achieving substantial install counts that bolster their credibility. Once activated, Anatsa employs overlay and accessibility techniques to intercept data from banking applications, allowing it to capture sensitive information without raising suspicion among users.

The malware’s operational framework is marked by a multi-stage payload delivery process, where initial benign applications are used to download subsequent malicious components from command-and-control (C2) servers. This strategic approach not only enables Anatsa to bypass standard security measures but also complicates efforts to analyze and mitigate its impact. As cybercriminals continue to innovate, understanding the intricacies of Anatsa’s operation is critical for developing effective defenses against this and similar threats.

Targets

Finance and Insurance

How they operate

Infection and Initial Access

Anatsa primarily spreads through malicious applications that are uploaded to the Google Play Store, often masquerading as legitimate tools such as PDF readers or QR code scanners. Once installed, these dropper applications serve as the initial access vector for the malware. Anatsa’s infection strategy hinges on deception; users are led to believe they are downloading useful applications, while the malware operates silently in the background.

Upon installation, the dropper application retrieves additional payloads from command-and-control (C2) servers. This retrieval is not instantaneous; the malware typically initiates a network request to download the next stage of its payload, which is often a dynamically fetched DEX (Dalvik Executable) file. The dropper may also download configuration files that instruct the malware on how to operate, including the specific malicious activities it should perform.

Payload Execution and Environment Checks

Once the DEX file is downloaded, Anatsa executes the payload using reflection, allowing it to dynamically invoke methods and classes without needing static references in the code. This technique adds a layer of stealth, making it harder for security software to detect the presence of the malware. Before fully activating its functionalities, Anatsa conducts a series of checks to determine the environment in which it is running. This includes verifying whether the device is running on an emulator or a virtual machine—an approach designed to evade detection by security researchers and analysis tools.

If the environment check is successful, Anatsa proceeds to download further payloads or configuration updates from its C2 servers. This flexibility allows the malware to adapt to the defenses it encounters and implement additional malicious capabilities as required.

Data Exfiltration and Credential Theft

One of the primary objectives of Anatsa is to steal sensitive banking credentials and financial information. After establishing a connection with the C2 server, the malware retrieves a list of targeted banking applications. It then scans the infected device to determine if any of these applications are installed. If a targeted banking app is found, Anatsa employs overlay techniques to create a fake login screen that closely resembles the legitimate app interface. This method deceives users into entering their banking credentials, which are then sent back to the C2 server.

In addition to credential theft, Anatsa can also collect sensitive data, such as SMS messages and contact lists, further enhancing its capability to exploit the victim’s financial information. The malware utilizes accessibility services on Android devices to facilitate these operations, which allows it to gain elevated permissions and conduct its activities without drawing attention.

Evasion Techniques and Anti-Analysis Measures

Anatsa incorporates various anti-analysis techniques to obfuscate its activities and avoid detection by security software. For example, it may intentionally corrupt the APK file’s ZIP headers to complicate static analysis efforts. This corruption requires analysts to manually fix the headers before they can effectively examine the contents of the APK. Additionally, Anatsa may use encrypted payloads and employ dynamic loading techniques to further obfuscate its operations.

MITRE Tactics and Techniques

Initial Access

Phishing (T1566): Using deceptive emails to deliver malicious attachments.
Spear Phishing Attachment (T1566.001): Delivering malicious documents through emails.
Execution

Command and Scripting Interpreter (T1059): Utilizing PowerShell to execute commands.
Malicious File (T1203): Exploiting vulnerabilities in software to execute malicious code.

Persistence

Registry Run Keys / Startup Folder (T1060): Adding entries to the registry to maintain persistence across reboots.

Privilege Escalation

Exploitation of Vulnerability (T1203): Taking advantage of software vulnerabilities to gain elevated privileges.

Defense Evasion

Obfuscated Files or Information (T1027): Using various obfuscation techniques to evade detection.
Fileless Execution (T1200): Executing malicious code directly in memory without creating files on disk.

Credential Access

Credential Dumping (T1003): Capturing stored credentials from various sources.
Input Capture (T1056): Logging keystrokes to obtain sensitive information.

Discovery

System Information Discovery (T1082): Gathering information about the system to identify potential targets.

Lateral Movement

Remote Services (T1021): Using remote services to move laterally within a network.

Exfiltration

Exfiltration Over Command and Control Channel (T1041): Sending stolen data back to the attacker’s server.

Impact

Data Encrypted for Impact (T1486): Encrypting files on the victim’s system to disrupt operations.

References

• Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store