Menu
Blog

Quick Update: Kraken Completes Its Rebrand to Anubis

Quick Update: Kraken Completes Its Rebrand to Anubis
4 minute read

In a blog post dated February 16, 2022, ZeroFox Intelligence detailed Kraken, a new botnet targeting Windows that we discovered in October 2021. The botnet is still undergoing active development, experimenting with new features, and attempting to find a brand for itself. After our publication, ZeroFox learned that the botnet has undergone a rebranding to more closely align with its administration dashboard. Sometime between January 4, 2022, and January 7, 2022, the operator(s) began using the names “Anubis” and “Pepega” for the project internally.

Recommendations

  • Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
  • Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
  • Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
  • Avoid opening unsolicited attachments and never click suspicious links.
  • Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
  • Review network logs for potential signs of compromise and data egress.

Details

ZeroFox Intelligence has been following the development of this previously unknown botnet since October 2021. Originally named “Kraken,” builds discovered between January 4, 2022, and January 7, 2022, reveal that the internal name has changed.

As seen in Figure 1, the Golang project path has changed from “C:\Users\666\Desktop\Bobabubs\kraken_2022” to “\root\anubis”, which more closely aligns with the dashboard after it received its own rebrand. The source code also appears to have been merged into one main file with most of the function names being obfuscated, as opposed to the previously separated but clear functionality. Another notable change made is to the main source file. The name “pepega” may be in reference to a Twitch emote of the same name, which is itself a variation of the meme “Pepe the Frog.”

Anubis Dashboard No Longer Available

Shortly after our publication, ZeroFox Intelligence also observed that the Anubis dashboard is no longer available. Attempting to view the dashboard now results in a “404 page not found” message being displayed.

New Exfiltration Targets

In addition to the previously-added cryptocurrency wallets, Anubis now appears to be targeting specific Chromium-based browsers. Builds obtained by ZeroFox Intelligence from February 17, 2022, onwards have added the following paths targeting the Brave, Google Chrome, and Microsoft Edge browsers:

  • \AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies
  • \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  • \AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Until recently, Anubis relied entirely on secondary payloads such as Redline to steal data from victims. If this trend of feature additions continues, Anubis may become capable of doing the job itself, ending its reliance on third-party infostealers.

Conclusion

The additional capability to target a victim's browser data seems limited to just cookie data currently. Whether Anubis decides to collect more data (such as saved credentials and browser history) or even target more browsers based on the Chromium source currently remains to be seen. Though the pace of Anubis’ development has slowed down since its initial discovery, the various changes its operator(s) are making indicate they are still deciding what the future of this botnet holds. ZeroFox will continue to monitor this emerging botnet as it evolves.

MITRE ATT&CK

IDDescription
T1027.002Obfuscated Files or Information: Software Packing
T1033System Owner/User Discovery
T1047Windows Management Instrumentation
T1059.001Command and Scripting Interpreter: PowerShell
T1059.003Command and Scripting Interpreter: Windows Command Shell
T1082System Information Discovery
T1113Screen Capture
T1132.001Data Encoding: Standard Encoding
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1571Non-Standard Port

IOCs

SHA256 Hashes

  • 5d99125b0d97ba0abfcf9916c1a05081c1cc117eb2afaaab39a6f95a60e42ab3

See ZeroFox in action