apk.anatsa

Anatsa

aka: TeaBot, Toddler

There is no description at this point.

References
2021-09-14 | Telekom | Thomas Barabosch
@online{barabosch:20210914:flubots:a0b25c3, author = {Thomas Barabosch}, title = {{Flubot’s Smishing Campaigns under the Microscope}}, date = {2021-09-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368}, language = {English}, urldate = {2021-09-22} } Flubot’s Smishing Campaigns under the Microscope
Anatsa FluBot
2021-07-17 | Twitter (@_icebre4ker_) | _icebre4ker_
@online{icebre4ker:20210717:new:0dbc455, author = {_icebre4ker_}, title = {{Tweet: new version of Teabot targeting also Portugal banks}}, date = {2021-07-17}, organization = {Twitter (@_icebre4ker_)}, url = {https://twitter.com/_icebre4ker_/status/1416409813467156482}, language = {English}, urldate = {2021-07-20} } Tweet: new version of Teabot targeting also Portugal banks
Anatsa
2021-06-17 | K7 Security | Baran S
@online{s:20210617:teabot:307d855, author = {Baran S}, title = {{Teabot : Android Banking Trojan Targets Banks in Europe}}, date = {2021-06-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22407}, language = {English}, urldate = {2021-06-21} } Teabot : Android Banking Trojan Targets Banks in Europe
Anatsa
2021-06-01 | Bitdefender | Alin Mihai Barbatei, Oana Asoltanei, Silviu Stahie
@online{barbatei:20210601:threat:83b0dfc, author = {Alin Mihai Barbatei and Oana Asoltanei and Silviu Stahie}, title = {{Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android}}, date = {2021-06-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/}, language = {English}, urldate = {2021-06-09} } Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android
Anatsa FluBot
2021-05-19 | Twitter (@ThreatFabric) | ThreatFabric
@online{threatfabric:20210519:anatsa:b359430, author = {ThreatFabric}, title = {{Tweet on Anatsa android banking trojan targeting 7 more italian banks}}, date = {2021-05-19}, organization = {Twitter (@ThreatFabric)}, url = {https://twitter.com/ThreatFabric/status/1394958795508523008}, language = {English}, urldate = {2021-05-19} } Tweet on Anatsa android banking trojan targeting 7 more italian banks
Anatsa
2021-05-11 | nviso | Jeroen Beckers
@online{beckers:20210511:android:4e1e946, author = {Jeroen Beckers}, title = {{Android overlay attacks on Belgian financial applications}}, date = {2021-05-11}, organization = {nviso}, url = {https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/}, language = {English}, urldate = {2021-05-13} } Android overlay attacks on Belgian financial applications
Anatsa
2021-05-10 | Cleafy | Cleafy
@online{cleafy:20210510:teabot:8998a59, author = {Cleafy}, title = {{TeaBot: a new Android malware emerged in Italy, targets banks in Europe}}, date = {2021-05-10}, organization = {Cleafy}, url = {https://www.cleafy.com/documents/teabot}, language = {English}, urldate = {2021-05-11} } TeaBot: a new Android malware emerged in Italy, targets banks in Europe
Anatsa
2021-05-05 | ThreatFabric | ThreatFabric
@online{threatfabric:20210505:smishing:b8a6f11, author = {ThreatFabric}, title = {{Smishing campaign in NL spreading Cabassous and Anatsa}}, date = {2021-05-05}, organization = {ThreatFabric}, url = {https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html}, language = {English}, urldate = {2021-05-11} } Smishing campaign in NL spreading Cabassous and Anatsa
Anatsa
2021-03-15 | Buguroo | Buguroo
@techreport{buguroo:20210315:toddler:ce25cc1, author = {Buguroo}, title = {{Toddler: Credential theft through overlays and accessibility event logging}}, date = {2021-03-15}, institution = {Buguroo}, url = {https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf}, language = {English}, urldate = {2021-05-13} } Toddler: Credential theft through overlays and accessibility event logging
Anatsa
Yara Rules
[TLP:WHITE] apk_anatsa_w0 (20210914 | matches on dumped, decrypted V/DEX files of Teabot)
// Anatsa (aka TeaBot, Toddler), Malpedia family apk.anatsa.
// Scope: dumped, *decrypted* DEX/VDEX code (see the description field) —
// this rule is not meant to fire on the packed APK as distributed.
rule apk_anatsa_w0 {
    meta:
        author = "Thomas Barabosch, Telekom Security"
        // Rule author's own version stamp. malpedia_version below appears to
        // record the Malpedia import date instead, so the two differ.
        version = "20210819"
        description = "matches on dumped, decrypted V/DEX files of Teabot"
        // Reference sample recorded by the author (32 hex digits).
        sample = "37be18494cd03ea70a1fdd6270cef6e3"
        source = "https://github.com/telekom-security/malware_analysis/tree/main/flubot"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa"
        malpedia_version = "20210914"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // File-format anchors: the condition requires one of these at offset 0,
        // so both DEX ("dex") and VDEX ("vdex") dumps are accepted.
        $dex = "dex"
        $vdex = "vdex"
        // Plaintext artifacts from the decrypted code — what appear to be
        // status messages and command/config identifiers. The condition
        // requires 6 of these 8 to be present.
        $s1 = "ERR 404: Unsupported device"
        $s2 = "Opening inject"
        $s3 = "Prevented samsung power off"
        $s4 = "com.huawei.appmarket"
        $s5 = "kill_bot"
        $s6 = "kloger:"
        $s7 = "logged_sms"
        $s8 = "xiaomi_autostart"

    condition:
        // Header marker must sit at offset 0 (rejects arbitrary files that
        // merely contain the substring "dex" somewhere) ...
        ($dex at 0 or $vdex at 0)
        // ... and a 6-of-8 threshold on the $s* strings: a single shared
        // string (e.g. a generic package name) cannot match on its own, while
        // a couple of strings changing between builds does not break detection.
        and 6 of ($s*)
}