apk.anatsa (Back to overview)

Anatsa

aka: ReBot, TeaBot, Toddler

There is no description at this point.

References
2023-06-26 | ThreatFabric | ThreatFabric
@online{threatfabric:20230626:anatsa:6b0c923, author = {ThreatFabric}, title = {{Anatsa banking Trojan hits UK, US and DACH with new campaign}}, date = {2023-06-26}, organization = {ThreatFabric}, url = {https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign}, language = {English}, urldate = {2023-07-02} } Anatsa banking Trojan hits UK, US and DACH with new campaign
Anatsa
2022-05-13 | K7 Security | Baran S
@online{s:20220513:teabot:6b0a0e1, author = {Baran S}, title = {{Teabot}}, date = {2022-05-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/}, language = {English}, urldate = {2022-05-17} } Teabot
Anatsa
2022-03-03 | GBHackers on Security | Gurubaran S
@online{s:20220303:teabot:6b49183, author = {Gurubaran S}, title = {{TeaBot Banking Trojan Posted as QR Code app in Google Play Store Targeting US Users}}, date = {2022-03-03}, organization = {GBHackers on Security}, url = {https://gbhackers.com/teabot-banking-trojan/}, language = {English}, urldate = {2022-03-03} } TeaBot Banking Trojan Posted as QR Code app in Google Play Store Targeting US Users
Anatsa
2022-03-01 | Cleafy | Cleafy
@online{cleafy:20220301:teabot:bc307ec, author = {Cleafy}, title = {{TeaBot is now spreading across the globe}}, date = {2022-03-01}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe}, language = {English}, urldate = {2022-03-02} } TeaBot is now spreading across the globe
Anatsa
2022-01-27 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220127:widespread:9d2fe29, author = {Ravie Lakshmanan}, title = {{Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices}}, date = {2022-01-27}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html}, language = {English}, urldate = {2022-01-31} } Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices
Anatsa FluBot
2022-01-26 | Bitdefender | Bitdefender
@online{bitdefender:20220126:new:587f615, author = {Bitdefender}, title = {{New FluBot and TeaBot Global Malware Campaigns Discovered}}, date = {2022-01-26}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered}, language = {English}, urldate = {2022-02-01} } New FluBot and TeaBot Global Malware Campaigns Discovered
Anatsa FluBot
2021-11 | ThreatFabric | ThreatFabric
@online{threatfabric:202111:deceive:ec55fb1, author = {ThreatFabric}, title = {{Deceive the Heavens to Cross the sea}}, date = {2021-11}, organization = {ThreatFabric}, url = {https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html}, language = {English}, urldate = {2021-12-07} } Deceive the Heavens to Cross the sea
Alien Anatsa Hydra
2021-09-14 | Telekom | Thomas Barabosch
@online{barabosch:20210914:flubots:a0b25c3, author = {Thomas Barabosch}, title = {{Flubot’s Smishing Campaigns under the Microscope}}, date = {2021-09-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368}, language = {English}, urldate = {2021-09-22} } Flubot’s Smishing Campaigns under the Microscope
Anatsa FluBot
2021-07-17 | Twitter (@_icebre4ker_) | _icebre4ker_
@online{icebre4ker:20210717:new:0dbc455, author = {_icebre4ker_}, title = {{Tweet: new version of Teabot targeting also Portugal banks}}, date = {2021-07-17}, organization = {Twitter (@_icebre4ker_)}, url = {https://twitter.com/_icebre4ker_/status/1416409813467156482}, language = {English}, urldate = {2021-07-20} } Tweet: new version of Teabot targeting also Portugal banks
Anatsa
2021-07-16 | PRODAFT Threat Intelligence | PRODAFT
@techreport{prodaft:20210716:toddler:5fd814e, author = {PRODAFT}, title = {{Toddler - Mobile Banking Botnet Analysis Report}}, date = {2021-07-16}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf}, language = {English}, urldate = {2022-03-22} } Toddler - Mobile Banking Botnet Analysis Report
Anatsa
2021-06-17 | K7 Security | Baran S
@online{s:20210617:teabot:307d855, author = {Baran S}, title = {{Teabot : Android Banking Trojan Targets Banks in Europe}}, date = {2021-06-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22407}, language = {English}, urldate = {2021-06-21} } Teabot : Android Banking Trojan Targets Banks in Europe
Anatsa
2021-06-01 | Bitdefender | Alin Mihai Barbatei, Oana Asoltanei, Silviu Stahie
@online{barbatei:20210601:threat:83b0dfc, author = {Alin Mihai Barbatei and Oana Asoltanei and Silviu Stahie}, title = {{Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android}}, date = {2021-06-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/}, language = {English}, urldate = {2021-06-09} } Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android
Anatsa FluBot
2021-05-19 | Twitter (@ThreatFabric) | ThreatFabric
@online{threatfabric:20210519:anatsa:b359430, author = {ThreatFabric}, title = {{Tweet on Anatsa android banking trojan targeting 7 more italian banks}}, date = {2021-05-19}, organization = {Twitter (@ThreatFabric)}, url = {https://twitter.com/ThreatFabric/status/1394958795508523008}, language = {English}, urldate = {2021-05-19} } Tweet on Anatsa android banking trojan targeting 7 more italian banks
Anatsa
2021-05-11 | nviso | Jeroen Beckers
@online{beckers:20210511:android:4e1e946, author = {Jeroen Beckers}, title = {{Android overlay attacks on Belgian financial applications}}, date = {2021-05-11}, organization = {nviso}, url = {https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/}, language = {English}, urldate = {2021-05-13} } Android overlay attacks on Belgian financial applications
Anatsa
2021-05-10 | Cleafy | Cleafy
@online{cleafy:20210510:teabot:8998a59, author = {Cleafy}, title = {{TeaBot: a new Android malware emerged in Italy, targets banks in Europe}}, date = {2021-05-10}, organization = {Cleafy}, url = {https://www.cleafy.com/documents/teabot}, language = {English}, urldate = {2021-05-11} } TeaBot: a new Android malware emerged in Italy, targets banks in Europe
Anatsa
2021-05-05 | ThreatFabric | ThreatFabric
@online{threatfabric:20210505:smishing:b8a6f11, author = {ThreatFabric}, title = {{Smishing campaign in NL spreading Cabassous and Anatsa}}, date = {2021-05-05}, organization = {ThreatFabric}, url = {https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html}, language = {English}, urldate = {2021-05-11} } Smishing campaign in NL spreading Cabassous and Anatsa
Anatsa
2021-03-15 | Buguroo | Buguroo
@techreport{buguroo:20210315:toddler:ce25cc1, author = {Buguroo}, title = {{Toddler: Credential theft through overlays and accessibility event logging}}, date = {2021-03-15}, institution = {Buguroo}, url = {https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf}, language = {English}, urldate = {2021-05-13} } Toddler: Credential theft through overlays and accessibility event logging
Anatsa
Yara Rules
[TLP:WHITE] apk_anatsa_w0 (20210914 | matches on dumped, decrypted V/DEX files of Teabot)
/*
 * apk_anatsa_w0: flags files that start with a DEX or VDEX magic and also
 * contain at least six of eight Teabot-associated plaintext strings.
 *
 * Scope: per the rule's own description it is written for dumped, decrypted
 * V/DEX payloads. The condition anchors on offset 0, so a file that starts
 * with something else (for example an APK, which is a ZIP container) cannot
 * match; scan the extracted or memory-dumped DEX/VDEX instead. A clean result
 * on a still-packed sample is therefore not evidence of absence.
 */
rule apk_anatsa_w0 {
    meta:
        author = "Thomas Barabosch, Telekom Security"
        // Differs from malpedia_version below; presumably the author's own
        // revision date versus the Malpedia import date. TODO confirm.
        version = "20210819"
        description = "matches on dumped, decrypted V/DEX files of Teabot"
        // 32 hex characters, i.e. MD5 length; presumably the reference
        // sample's MD5. Verify before pivoting on it.
        sample = "37be18494cd03ea70a1fdd6270cef6e3"
        // NOTE(review): the path ends in /flubot although the rule targets
        // Teabot; confirm this is the intended upstream location.
        source = "https://github.com/telekom-security/malware_analysis/tree/main/flubot"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa"
        malpedia_version = "20210914"
        // Non-commercial, share-alike licence and TLP marking: check both
        // before redistributing or embedding the rule in a product.
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // No modifiers are set on any string, so YARA's defaults apply:
        // ASCII and case-sensitive.
        // File-type anchors, only ever evaluated at offset 0 in the condition.
        $dex = "dex"
        $vdex = "vdex"
        // Plaintext indicators counted by the "6 of" threshold below. They
        // must be matched exactly as written; do not normalise the spelling
        // (e.g. "kloger:"), since the literals presumably mirror the sample.
        $s1 = "ERR 404: Unsupported device"
        $s2 = "Opening inject"
        $s3 = "Prevented samsung power off"
        $s4 = "com.huawei.appmarket"
        $s5 = "kill_bot"
        $s6 = "kloger:"
        $s7 = "logged_sms"
        $s8 = "xiaomi_autostart"

    condition:
        // The file must begin with the "dex" or "vdex" magic bytes...
        ($dex at 0 or $vdex at 0)
        // ...and contain any six of the eight $s strings, so the rule still
        // matches when up to two of them are absent from a given build.
        and 6 of ($s*)
}