Threat analysis study: Anatsa

Posted date 05/07/2021
image of threat studies

Continuing with our series of analytical studies on malware distribution campaigns affecting Spain which we began in April, today we publish a new study on Anatsa, which has represented a significant threat since its discovery in January 2021.

The study provides detailed information on the modus operandi and functioning of this campaign, which affects a wide range of companies, citizens and national organizations so that, once they know the technical details and characteristics of the threat, security technicians can implement the most appropriate prevention, detection and response measures for those organizations.

Anatsa is a banking trojan designed for Android devices, which uses similar functions to other existing banking trojans such as Cerberus, Anubis and Flubot, with which it may be directly related.

This threat seems to be of broader scope and is not just limited to Spain. From the very beginning it has aimed to impact other countries in the European Union.

As for the functionality of the malicious code, once the application is installed on the user's device, it starts to track the identifiers of all the applications that are opened and when it detects a login to one of the target applications, it creates overlay pages to capture the information entered by the user through social engineering.

Throughout the study, a detailed technical analysis of the threat is carried out by sampling the malicious code in question to show how this malware behaves and the possibilities it offers.

An IOC rule and a Yara rule are also available in this analysis to assist in the detection of samples belonging to this malware family.

The full study can be downloaded below: